The Security Assessment and Authorization (SA&A) process is a framework that ensures that information systems meet the security requirements and standards of the organization and the applicable laws and regulations. The SA&A process consists of four phases: initiation, assessment, authorization, and monitoring. During the initiation phase, one of the primary purposes for conducting a hardware and software inventory is to define the boundaries of the information system, i.e., the scope and extent of the system components, interfaces, and data flows. Defining the boundaries of the information system helps to identify the security risks, controls, and responsibilities associated with the system, as well as to determine the level of effort and resources required for the assessment and authorization phases [1][2].

References:
[1] Security Assessment and Authorization - NIST, Section 2.1: Initiation Phase
[2] Security Assessment and Authorization - NIST, Section 2.1.1: Identify Information System Boundaries