
INDEPENDENT 3RD PARTY SECURITY CONTROL ASSESSMENT PACKAGE

 

Our one-time (snapshot) independent and impartial security control assessment is designed for systems that have just been developed and require an independent assessment for an Authority to Operate (ATO). It also suits systems seeking ATO renewals, or any independent system assessment needed to meet legal or policy requirements. Our assessments begin by working with the client to determine the scope of the requested information system assessment. The scope review is designed to limit the impact of any potential disruption to processes for systems that are already in production. The process typically follows these steps:

  • In a kick-off meeting, the VAGE assessment team will discuss the scope of the assessment with system stakeholders and then request system artifacts, including relevant system documentation, vulnerability scans (if already performed), architectural artifacts depicting system data flow and boundaries, and all documentation relevant to the security control assessment.

  • The VAGE assessment team will develop a Security and Privacy Assessment Plan (SAP) that the client will review and validate.

  • VAGE will conduct the assessment of all technical, physical, operational and management controls for the system.

  • VAGE will provide a provisional Security and Privacy Assessment Report (SAR) for the client to review and challenge any findings.

  • VAGE will provide the final SAR indicating all system gaps and provide recommendations for remediating the gaps.
