Operational Assurance: Initiation—the control set must be maintained in a trustworthy state and that state must be understood
and documented as performing operational assurance to the organization’s defined requirements. Upon initiation of the operational
assurance process, it is necessary to validate the security of the installation and configuration of the control set and that all
security functions are enabled. It is a requisite of good practice to:
1. Identify feasible security perimeter(s) and defense in depth
2. Document an overall concept of operations
3. Prepare an operational testing plan
4. Prepare a policy to ensure appropriate response to unexpected incidents
5. Prepare a secure site plan
6. Prepare a business continuity plan and a disaster recovery plan (BCP/DRP) with recovery time objectives (RTO), network
recovery objectives (NRO) and recovery point objectives (RPO) fully established for every item within the secure
perimeter
7. Ensure the system staff is adequately trained in secure operation
8. Ensure the system staff is capable of utilizing all embedded security functionality
9. Identify a valid security accreditation process and obtain certification of security of the operational system