This chapter provides guidelines for building effective security assessment plans and a comprehensive set of procedures to assess the effectiveness of security controls employed in information systems. Today’s information systems are complex assemblages of technology (hardware, software, and firmware), processes, and people working together to provide organizations with the capability to process, store, and transmit information in a timely manner to support various missions and business functions. The degree to which organizations have come to depend on these information systems to conduct routine, ...