How To Guidelines in Security Assessment

Security Assessment is a structured evaluation of an organization's security controls, policies, and infrastructure to ensure compliance with ITSG-33, ISO standards, PCI-DSS, and other regulatory frameworks. It helps businesses track compliance requirements, manage documentation, and stay audit-ready by organizing essential reports and security policies in one place. The platform also identifies and monitors security vulnerabilities, providing actionable insights to mitigate risks effectively. By streamlining the audit process, Iron Fort ensures that leadership and management have all necessary documentation readily available for third-party auditors. This simplifies compliance tracking, reduces cybersecurity risks, and helps organizations avoid penalties or reputational damage due to non-compliance.

Evidence refers to the supporting documentation, justification, or verification provided to demonstrate compliance with a specific security control. It serves as proof that the control is effectively implemented and adhered to within the organization's security framework.

There are two types of evidence artefacts that can be provided:

1. Attached Evident Artefact – This refers to a file that is directly uploaded to the system as proof of compliance. It can include documents, screenshots, reports, configuration files, audit logs, or any other relevant digital evidence. The "Choose File" button allows users to browse and attach the required document.

   

2. External Evident Artefact – This is a reference to evidence stored outside the system, such as a URL link to an external repository, cloud storage, or a third-party compliance system. Instead of uploading a file, users can enter the location or source of the evidence in the provided text box.

   
   

1. Attached Evidence:

   • refers to files that are directly uploaded into the system, such as documents, images, reports, or logs that serve as proof of compliance or validation. These files are stored within the platform, ensuring easy access and retrieval when needed.
   • Example: a user may upload a PDF security audit report or a configuration file as attached evidence.
   

2. External evidence:

   • refers to references or links to evidence stored outside the system, such as URLs, cloud storage links, or third-party compliance reports. Instead of uploading a file directly, users provide a link to an external source where the evidence is stored.
   • Example: Providing a Google Drive link to a security policy document or referencing an external compliance portal.
   
   

Attached Evidence is stored inside the system, while External Evidence is stored outside but referenced within the system.

For example: https://compliance-demo.ironfortdemos.com/en/login/?next=/en

Enter your email and password to log in.

• Tenant Key Information: Verifying your system access

• User Email: Your registered email for auditing purposes

• Last Login Details: To track your previous access

• Iron Fort Support Email: For any login issues or concerns

NOTE: If you recognize the details and are authorized, click "OK" to continue. However, if you are not an authorized user, click "Logout" immediately to exit.

For example: https://compliance-demo.ironfortdemos.com/en/login/?next=/en

Enter your email and password to log in.

• Tenant Key Information - Verifying your system access

• User Email - Your registered email for auditing purposes

• Last Login Details - To track your previous access

• Iron Fort Support Email - For any login issues or concerns

NOTE: If you recognize the details and are authorized, click "OK" to continue. However, if you are not an authorized user, click "Logout" immediately to exit.

Select whether the assessment is for an Application or an Environment.

• Application - specific software or system
• Environment - network, infrastructure, or cloud setup

• Statement of Sensitivity - Define the data sensitivity level.

• Catalogue - Select applicable security frameworks.

• Control Sets - Choose security controls for compliance.

• Security Assessor - Assign a responsible security professional.

• Approvers - List individuals who will approve the assessment.

• Threat Risk - Identify potential risks and vulnerabilities.

• Classification Type - Specify classification level: protect A, Protect B, Top Secret, etc.

• Integrity and Availability - Assess data protection and availability needs.

For example: https://compliance-demo.ironfortdemos.com/en/login/?next=/en

Enter your email and password to log in.

• Tenant Key Information: Verifying your system access

• User Email: Your registered email for auditing purposes

• Last Login Details: To track your previous access

• Iron Fort Support Email: For any login issues or concerns

NOTE: If you recognize the details and are authorized, click "OK" to continue. However, if you are not an authorized user, click "Logout" immediately to exit.

Note: the status should be not started in order to edit the evidence page.

• Fill out the Justification, Description, and Explanation fields to give a thorough rationale for the evidence submission

  

For example: https://compliance-demo.ironfortdemos.com/en/login/?next=/en

Enter your email and password to log in.

• Tenant Key Information: Verifying your system access

• User Email: Your registered email for auditing purposes

• Last Login Details: To track your previous access

• Iron Fort Support Email: For any login issues or concerns

NOTE: If you recognize the details and are authorized, click "OK" to continue. However, if you are not an authorized user, click "Logout" immediately to exit.

Locate and click the Assessment ID of the security assessment where you need to attach evidence.

Note: the status should be not started in order to edit the evidence page.

• Fill out the Justification, Description, and Explanation fields to give a thorough rationale for the evidence submission

  

As part of a security assessment process, Security Practitioners, and Application Owners can submit evidence for controls to a Security Assessor to assessment.

It is important to note, when a control’s evidence is submitted, it is sent to all the security assessors identified in the Security Assessment as Assessors. Therefore, any security assessor can pick up the submitted evidence and perform an assessment.

For example: https://compliance-demo.ironfortdemos.com/en/login/?next=/en

Enter your email and password to log in.

• Tenant Key Information: Verifying your system access

• User Email: Your registered email for auditing purposes

• Last Login Details: To track your previous access

• Iron Fort Support Email: For any login issues or concerns

NOTE: If you recognize the details and are authorized, click "OK" to continue. However, if you are not an authorized user, click "Logout" immediately to exit.

Note: the status should be not started in order to edit the evidence page.

• Fill out the Justification, Description, and Explanation fields to give a thorough rationale for the evidence submission

  

For example: https://compliance-demo.ironfortdemos.com/en/login/?next=/en

Enter your email and password to log in.

• Tenant Key Information: Verifying your system access

• User Email: Your registered email for auditing purposes

• Last Login Details: To track your previous access

• Iron Fort Support Email: For any login issues or concerns

NOTE: If you recognize the details and are authorized, click "OK" to continue. However, if you are not an authorized user, click "Logout" immediately to exit.

Locate and click the Assessment ID of the security assessment where you need to attach evidence.

Note: the status should be not started in order to edit the evidence page.

• Title: Provide a brief name for the POAM item.

• Control: Select the relevant security control.

• Date: Enter the date of the POAM entry.

• Description: Describe the issue and necessary actions.

• Owner: Assign a responsible person for resolution.

• Due Date: Set a deadline for addressing the issue.

• Status: Indicate progress (e.g., Open, In Progress, Closed).

• Control: Select the relevant security control.

• Description: Provide a summary of the risk.

• Justification: Explain why the risk exists and any mitigating factors.

• Owner: Assign responsibility for monitoring the risk.

• Date: Enter the date of the risk entry.

For example: https://compliance-demo.ironfortdemos.com/en/login/?next=/en

Enter your email and password to log in.

• Tenant Key Information: Verifying your system access

• User Email: Your registered email for auditing purposes

• Last Login Details: To track your previous access

• Iron Fort Support Email: For any login issues or concerns

NOTE: If you recognize the details and are authorized, click "OK" to continue. However, if you are not an authorized user, click "Logout" immediately to exit.

For example: https://compliance-demo.ironfortdemos.com/en/login/?next=/en

Enter your email and password to log in.

• Tenant Key Information: Verifying your system access

• User Email: Your registered email for auditing purposes

• Last Login Details: To track your previous access

• Iron Fort Support Email: For any login issues or concerns

NOTE: If you recognize the details and are authorized, click "OK" to continue. However, if you are not an authorized user, click "Logout" immediately to exit.

(Select whether the assessment is for an Application or an Environment.)

• Application: specific software or system

• Environment: network, infrastructure, or cloud setup

• Statement of Sensitivity: Define the data sensitivity level.

• Catalogue: Select applicable security frameworks.

• Security Assessor: Assign a responsible security professional.

• Reviewers: Perform second review assessments of controls assessed by other security assessors and complete assessment for each control.

• Approvers: List individuals who will approve the assessment.

• Threat Risk: Identify potential risks and vulnerabilities.

• Expiry Date: Specify when the security assessment will expire and may require renewal.

For example: https://compliance-demo.ironfortdemos.com/en/login/?next=/en

Enter your email and password to log in.

• Tenant Key Information: Verifying your system access

• User Email: Your registered email for auditing purposes

• Last Login Details: To track your previous access

• Iron Fort Support Email: For any login issues or concerns

NOTE: If you recognize the details and are authorized, click "OK" to continue. However, if you are not an authorized user, click "Logout" immediately to exit.

Note: the status should be not started in order to inherit the evidence.

Note: Only users assigned as Security Assessor, Reviewers, or Approvers have the permission to open the Security Assessment overview details. If you are not, the option will not be available.

• Title: Provide a clear and concise name for the POAM item.

• Control Enhancement: Specify the relevant control enhancement associated with this POAM.

• Date: Enter the current date or the date the issue was identified.

• Description: Add a brief description outlining the issue and the plan to address it.

• Owner: Assign the team member responsible for addressing this POAM.

• Due Date: Set a target date for resolution.

• Status: Select the current status.

• Risk Level: Choose the appropriate risk level.

Note: Only users assigned as Security Assessor, Reviewers, or Approvers have the permission to add POAM on the Security Assessment. If you are not, the option will not be available.

• Control enhancement: Indicate the specific control was added to help reduce the risk.

• Description: Explain the risk that still remains even after applying the controls.

• Justification: State why the remaining risk is acceptable or cannot be reduced further.

• Owner: Identify the person responsible for managing this risk.

• Date: Provide the date when the residual risk was last reviewed or recorded.

Note: Only users assigned as Security Assessor, Reviewers, or Approvers have the permission to add Residual Risk on the Security Assessment. If you are not, the option will not be available.

Note: Only users assigned as Security Assessor, Reviewers, or Approvers have the permission to edit the Security Assessment overview details. If you are not, the option will not be available.

Note: Only users assigned as Security Assessor, Reviewers, or Approvers have the permission to navigate on the Security Assessment overview details. If you are not, the option will not be available.

Note: Only users assigned as Security Assessor, Reviewers, or Approvers have the permission to Print the Security Assessment. If not, the print option will not be available.

Note: Only users assigned as Security Assessor, Reviewers, or Approvers have the permission to download the Security Assessment. If not, the download option will not be available.

Note: the status should be not started in order to edit the evidence page.

Fill out the Justification, Description, and Explanation fields to give a thorough rationale for the evidence submission.

The Addendum feature lets you add custom pages before or after your Security Assessment PDF and Statement of Accepted Risk (SOAR). This is helpful if you want to include a cover page, extra notes, or a page for handwritten signatures—without editing the original document.

To make things easier, you can use a template if you often add the same page. Just select the template, and it will automatically add your custom content. This saves time and keeps your documents consistent and professional.

• Key: Enter the tag's name or identifier.

• Value: Provide the corresponding value for the key.

This tutorial will guide you through the steps to add reviewers to a Security Assessment. It is designed to help users assign the appropriate team members responsible for reviewing and validating the control evidence details.

This tutorial will guide you through the steps to add assessor to a Security Assessment. It is designed to help users assign the appropriate team members responsible for approving and validating assessment details.

This tutorial will guide you through the steps to add approvers to a Security Assessment. It is designed to help users assign the appropriate team members responsible for approving and validating assessment details.