Engineering LibreTexts

2.4: Design


    General Framework

    Microsoft Excel was used to create the Security Assessment Workbook[1]. Control families are placed in separate worksheets along with summaries for Assessment Snapshot, Compliance, and Adversary Effects[2].

    Data entry is accomplished through individual Control Family worksheets (example: Awareness and Training, below). Questions are drawn verbatim and directly from their NIST publications. Only two pieces of information are necessary to satisfy a question (i.e., requirement): Satisfaction of Requirement and Satisfying Statement. The other fields (Name, Validation Point/Tool, Security Control Type) ensure a complete and comprehensive answer.


    Formulas, calculated cells and cell references are used extensively to simplify data entry and avoid input or calculation error.

    In addition to control requirements all worksheets contain the following variables:

    • Satisfaction of Requirement (Y/N/P/A/D) with corresponding value (0-1)
    • Satisfying Statement
      (maps to SP.800-172A Examine assessment method)
    • Name
      (maps to SP.800-172A Interview assessment method)
    • Validation Point/Tool (text)
      (maps to SP.800-172A Test assessment method)
    • Security Control-HIPAA Type (Administrative, Technical, Physical)
      {Healthcare sector only}
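The row-to-summary logic described above, modelled in Python as an added example (not the workbook's own formulas): each Control Family row carries the variables listed, the Satisfaction code is turned into its 0-1 value, rows missing either of the two required entries are flagged, and the per-family percentage that the Compliance/Snapshot sheets would aggregate is computed. The numeric values behind Y/P/N and the sample rows are constructed assumptions; the page does not state them.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed values for the Satisfaction codes: the page says each code maps to a
# value in the 0-1 range but does not list them, so Y/P/N are constructed here
# and A/D are left out (add them with whatever values the workbook assigns).
VALUE_MAP: Dict[str, float] = {"Y": 1.0, "P": 0.5, "N": 0.0}

@dataclass
class ControlRow:
    """One requirement row of a Control Family worksheet."""
    requirement: str        # question text (verbatim from NIST in the workbook)
    satisfaction: str       # Satisfaction of Requirement code (Y/N/P/A/D)
    statement: str = ""     # Satisfying Statement (Examine method)
    name: str = ""          # Name (Interview method)
    validation: str = ""    # Validation Point/Tool (Test method)

def row_value(row: ControlRow, value_map: Dict[str, float] = VALUE_MAP) -> float:
    """The 'corresponding value' cell: the numeric score behind the code."""
    code = row.satisfaction.strip().upper()
    if code not in value_map:
        raise ValueError(f"{row.requirement}: unknown satisfaction code {row.satisfaction!r}")
    return value_map[code]

def incomplete_rows(rows: List[ControlRow]) -> List[str]:
    """Rows missing either of the two required entries (code or statement)."""
    return [r.requirement for r in rows
            if not r.satisfaction.strip() or not r.statement.strip()]

def family_summary(families: Dict[str, List[ControlRow]]) -> Dict[str, float]:
    """Per-family percentage, as the Compliance/Snapshot sheets aggregate it."""
    summary = {}
    for family, rows in families.items():
        scored = [row_value(r) for r in rows]
        summary[family] = round(100.0 * sum(scored) / len(scored), 1) if scored else 0.0
    return summary

# Constructed sample data for two families (not taken from the workbook).
SAMPLE: Dict[str, List[ControlRow]] = {
    "Awareness and Training": [
        ControlRow("AT requirement 1", "Y", "Annual awareness course delivered", "J. Doe", "LMS report"),
        ControlRow("AT requirement 2", "P", "Role-based training in progress", "J. Doe", "Roster"),
        ControlRow("AT requirement 3", "N", "Insider-threat module not yet scheduled", "J. Doe"),
    ],
    "Access Control": [
        ControlRow("AC requirement 1", "Y", "Group membership reviewed quarterly", "A. Roe", "AD audit"),
        ControlRow("AC requirement 2", "Y", "", "A. Roe", "RBAC matrix"),  # statement missing
    ],
}
```

Running `family_summary(SAMPLE)` gives 50.0 for Awareness and Training and 100.0 for Access Control, while `incomplete_rows` flags the Access Control row that claims satisfaction without a Satisfying Statement.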

    Note: the SP.800-172 Enhanced Security Requirements worksheets (only) contain the following additional column/row variables:

    • Assessment Methodology (Examine, Interview, Test)
    • Depth & Coverage (Basic, Focused, Comprehensive)

    See Appendix A for details.

    [1] The Workbook is included as part of this book and can be downloaded from the Downloads Page.

    [2] Snapshot, Compliance and Adversary Map worksheets display aggregate data pulled from control-family worksheets.

    This page titled 2.4: Design is shared under a CC BY-NC 4.0 license and was authored, remixed, and/or curated by Thomas P. Dover.