What information can observation as an assessment method give which cannot be given by testing

Evaluation methods and their attributes

Both of the primary testing documents from NIST, SP 800-53A and SP 800-115, address various methods and techniques for different kinds of testing activities. SP 800-53A states it as follows:

“Assessment methods have a set of associated attributes, depth and coverage, which help define the level of effort for the assessment. These attributes are hierarchical in nature, providing the means to define the rigor and scope of the assessment for the increased assurances that may be needed for some information systems.

The depth attribute addresses the rigor of and level of detail in the examination, interview, and testing processes. Values for the depth attribute include basic, focused, and comprehensive. The coverage attribute addresses the scope or breadth of the examination, interview, and testing processes including the number and type of specifications, mechanisms, and activities to be examined or tested, and the number and types of individuals to be interviewed.

Similar to the depth attribute, values for the coverage attribute include basic, focused, and comprehensive. The appropriate depth and coverage attribute values for a particular assessment method are based on the assurance requirements specified by the organization.

These attributes are further explained in the supplemental NIST guidance for assessments for each family of controls found on the NIST site. The supplemental guidance is provided to assist the assessment activity for each family of controls as they are reviewed. The action statements provided in the assessment test plans are written using the basic (i.e., foundation) level of assessment depth and coverage attribute values. An increased rigor and/or scope of the action statement can be expressed by replacing the basic level of assessment depth and coverage attribute value with other defined values. The potential attribute values for varying depth and coverage for the assessment methods (Examine, Interview, and Test) in the action statements are as follows:

“Coverage Attribute Values:

Basic Sample attribute value is used to indicate a ‘basic’ level of scope or breath of coverage; that is, a representative sample of assessment objects (by type and number within type) to provide a level of coverage necessary for determining if the control meets the ‘basic’ criteria listed below.

Focused Sample attribute value is available for use to indicate a ‘focused’ level of scope or breadth coverage; that is, an extended basic sample to include other specific assessment objects important to achieving the assessment objective to provide a level of coverage necessary for determining if the control meets the ‘focused’ coverage criteria listed below.

Sufficiently Large Sample attribute value is available for use to indicate a ‘comprehensive’ level of scope or breadth of coverage; that is, an extended focused sample to include more assessment objects to provide a level of coverage necessary for determining if the control meets the ‘comprehensive’ coverage criteria listed below.

Depth Attribute Values:

Specific action verbs identified in SP 800-53A, Appendix D, in the definition of the examine method are employed in the application of the Action Steps of the Assessment Cases to indicate level of rigor for examining the different types of assessment objects (i.e., documentation, activities and mechanisms) as follows:

Examine documentation rigor—‘reading’:

Review attribute value for reading documentation is used for the ‘basic’ level of rigor and level of detail; that is, a high-level examination of documentation looking for required content and for any obvious errors, omissions, or inconsistencies.

Study attribute value for reading documentation is available for use for the ‘focused’ level of rigor and level of detail; that is, an examination of documentation that includes the intent of ‘review’ and adds a more in-depth examination for greater evidence to support a determination of whether the document has the required content and is free of obvious errors, omissions, and inconsistencies.

Analyze attribute value for reading documentation is available for use for the ‘comprehensive’ level of rigor and level of detail; that is, an examination of documentation that includes the intent of both ‘review’ and ‘study’; adding a thorough and detailed analysis for significant grounds for confidence in the determination of whether the required content is present and the document is correct, complete, and consistent.

Examine activities and mechanisms rigor – ‘watching’:

Observe attribute value for watching activities and mechanisms is used for the ‘basic’ level of rigor and level of detail; that is, watching the execution of an activity or process or looking directly at a mechanism (as opposed to reading documentation produced by someone other than the assessor about that mechanism) for the purpose of seeing whether the activity or mechanism appears to operate as intended (or in the case of a mechanism, perhaps is configured as intended) and whether there are any obvious errors, omissions, or inconsistencies in the operation or configuration.

Inspect attribute value for watching activities and mechanisms is available for use for the ‘focused’ level of rigor and level of detail; that is, adding to the watching associated with ‘observe’ an active investigation to gain further grounds for confidence in the determination of whether that the activity or mechanism is operating as intended and is free of errors, omissions, or inconsistencies in the operation or configuration.

Analyze attribute value for watching activities and mechanisms is available for use for the ‘comprehensive’ level of rigor and level of detail; that is, adding to the watching and investigation of ‘observe’ and ‘inspect’ a thorough and detailed analysis of the information to develop significant grounds for confidence in the determination as to whether the activity or mechanism is operating as intended and is free of errors, omissions, or inconsistencies in the operation or configuration. Analysis achieves this by both leading to further observations and inspections and by a greater understanding of the information obtained from the examination.

Interview individual or group rigor:

Basic attribute value for interviewing individuals and groups is used for the ‘basic’ level of rigor and level of detail; that is, a high-level interview looking for evidence to support a determination of whether the control meets the ‘basic’ interview criteria listed below.

Focused attribute value for interviewing individuals and groups is available for use for the ‘focused’ level of rigor and level of detail; that is, an interview that includes the intent of ‘basic’ and adds a more in-depth interview for greater evidence to support a determination of whether the control meets the ‘focused’ interview criteria listed below.

Comprehensive attribute value for interviewing individuals and groups is available for use for the ‘comprehensive’ level of rigor and level of detail; that is, an interview that includes the intent of both ‘basic’ and ‘focused’; adding a thorough and detailed analysis for significant grounds for confidence in the determination of whether the control meets the ‘comprehensive’ interview criteria listed below.

Test Mechanisms and Activities rigor:

Basic attribute value for mechanisms and activities is used for the ‘basic’ level of rigor and level of detail; that is, a basic level of testing looking for evidence to support a determination of whether the control meets the ‘basic’ test criteria listed below.

Focused attribute value for mechanisms and activities is available for use for the ‘focused’ level of rigor and level of detail; that is, a focused level of testing that includes the intent of ‘basic’ and adds a more in-depth testing for greater evidence to support a determination of whether the control meets the ‘focused’ test criteria listed below.

Comprehensive attribute value for mechanisms and activities is available for use for the ‘comprehensive’ level of rigor and level of detail; that is, a comprehensive level of testing that includes the intent of both ‘basic’ and ‘focused’; adding a thorough and detailed analysis for significant grounds for confidence in the determination of whether the control meets the ‘comprehensive’ test criteria listed below.

The depth and coverage attributes do not alter the logical sequencing, totality, or selection of evidence gathering actions; rather these attributes served as providing/supporting degrees of assessment rigor.2

These detailed explanations provide a good basis for understanding the different levels of assessment as well as defining how each attribute is uniquely identified and assessed during the differing levels of assessment: basic, focused, and comprehensive. To the assessor, the method for evaluating a control is often flexible based on organizational requests and assessor experience. Hence, assessor-defined parameters are often identified within the action statement for selecting an appropriate depth (i.e., level of detail required) and coverage (i.e., scope) of application of the assessment method for assessing the security control.

As assurance requirements increase with regard to the development, implementation, and operation of security and privacy controls within or inherited by the information system, the rigor and scope of the assessment activities (as reflected in the selection of assessment methods and objects and the assignment of depth and coverage attribute values) tend to increase as well.

I am going to put together the various criteria for evaluation and the methods interweaving the guidance to give a picture of how the methods, specifications, objects, and the activities work together to build a complete assurance case that is useable, presentable and, as best as possible, comprehensive enough for use in a Security Assessment Report to the organization's executives and authorizing officials.

Assessment Methods

Assessment methods define the nature of the assessor actions and include:

Examine method: The process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The purpose of the examine method is to facilitate assessor understanding, achieve clarification, or obtain evidence.

Interview method: The process of holding discussions with individuals or groups of individuals within an organization to, once again, facilitate assessor understanding, achieve clarification, or obtain evidence.

Test method: The process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.

In all three methods, the results are used in making specific determinations called for in the determination statements and thereby achieving the objectives for the assessment procedure.

5 Life cycle assessment (LCA)

LCA method based on ISO14040 series was utilized to evaluate waste management scenarios shown in Table 2 using commercial LCA software, SimaPro 7.1, with CML 2 baseline 2000 and Eco-indicator 99 methods to assess environmental impacts in two aspects: global warming potential (GWP as CO2 equivalent) and energy usage (as MJ). In this paper, the results of pipe & fitting (size 55 mm) were selected as a representative to study the environmental impacts of waste management scenarios of PVC products after being discarded. The service life-time of pipe & fitting were assumed 50 years with no maintenance required. All scenarios in Table 2 were evaluated for the possible reduction in environmental impacts by comparing with the base case as shown in Figure 5. The results showed that scenario 3 (100% incineration) was shown to have highest impacts in both GWP and energy usage. It should be noted that the study has also taken into account the grid-mix supply of electricity produced based on heating value of PVC. Scenario 1 (100% recycle) was shown to have the lowest impacts which could be attributed to the recovery of PVC to be used as secondary raw materials. From scenarios 4-8, it can be seen that increasing recycling of PVC pipe and fitting from 50% to 90% (scenario 4-8) could help reduce the environmental impacts significantly. By comparing with the base case scenario, GWP and energy resource used could be reduced as high as 22-58% and 12-37%, respectively. This clearly means that more recycle is better to the environment.

SP 800-53A

An assessment procedure consists of a set of assessment objectives, each with an associated set of potential assessment methods and assessment objects. An assessment objective includes a set of determination statements related to the particular security or privacy control under assessment. The determination statements are linked to the content of the security or privacy control (i.e., the security/privacy control functionality) to ensure traceability of assessment results back to the fundamental control requirements. The application of an assessment procedure to a security or privacy control produces assessment findings. These findings reflect, or are subsequently used, to help determine the overall effectiveness of the security or privacy control.

Assessment objects identify the specific items being assessed and include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, plans, system security and privacy requirements, functional specifications, architectural designs) associated with an information system. Mechanisms are the specific hardware, software, or firmware safeguards and countermeasures employed within an information system. Activities are the specific protection-related actions supporting an information system that involve people (e.g., conducting system backup operations, monitoring network traffic, exercising a contingency plan). Individuals, or groups of individuals, are people applying the specifications, mechanisms, or activities described above.

Assessment methods define the nature of the assessor actions and include examine, interview, and test. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The purpose of the examine method is to facilitate assessor understanding, achieve clarification, or obtain evidence. The interview method is the process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. In all three assessment methods, the results are used in making specific determinations called for in the determination statements and thereby achieving the objectives for the assessment procedure.

Assessment methods have a set of associated attributes, depth and coverage, which help define the level of effort for the assessment. These attributes are hierarchical in nature, providing the means to define the rigor and scope of the assessment for the increased assurances that may be needed for some information systems. The depth attribute addresses the rigor of and level of detail in the examination, interview, and testing processes. Values for the depth attribute include basic, focused, and comprehensive. The coverage attribute addresses the scope or breadth of the examination, interview, and testing processes including the number and type of specifications, mechanisms, and activities to be examined or tested, and the number and types of individuals to be interviewed. Similar to the depth attribute, values for the coverage attribute include basic, focused, and comprehensive. The appropriate depth and coverage attribute values for a particular assessment method are based on the assurance requirements specified by the organization. As assurance requirements increase with regard to the development, implementation, and operation of security and privacy controls within or inherited by the information system, the rigor and scope of the assessment activities (as reflected in the selection of assessment methods and objects and the assignment of depth and coverage attribute values) tend to increase as well.3

“In addition to selecting appropriate assessment methods and objects, each assessment method (i.e., examine, interview, and test) is associated with depth and coverage attributes that are described in (SP 800-53A), Appendix D. The attribute values identify the rigor and scope of the assessment procedures executed by the assessor. The values selected by the organization are based on the characteristics of the information system being assessed (including assurance requirements) and the specific determinations to be made. The depth and coverage attribute values are associated with the assurance requirements specified by the organization (i.e., the rigor and scope of the assessment increases in direct relationship to the assurance requirements).4

RMF step 4—assess security controls

The purpose of the Assess step is to determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.

SP 800-37, rev. 2 Table 7.1 provides a summary of tasks and expected outcomes for the RMF Assess step. Applicable Cybersecurity Framework constructs are also provided (Fig. 7.1).

Table 7.1. Assess tasks and outcomes5.

Tasks	Outcomes
TASK A-1 ASSESSOR SELECTION	• An assessor or assessment team is selected to conduct the control assessments.
• The appropriate level of independence is achieved for the assessor or assessment team selected.
TASK A-2 ASSESSMENT PLAN	• Documentation needed to conduct the assessments is provided to the assessor or assessment team.
• Security and privacy assessment plans are developed and documented.
• Security and privacy assessment plans are reviewed and approved to establish the expectations for the control assessments and the level of effort required.
TASK A-3 CONTROL ASSESSMENTS	• Control assessments are conducted in accordance with the security and privacy assessment plans.
• Opportunities to reuse assessment results from previous assessments to make the risk management process timely and cost-effective are considered.
• Use of automation to conduct control assessments is maximized to increase speed, effectiveness, and efficiency of assessments.
TASK A-4 ASSESSMENT REPORTS	• Security and privacy assessment reports that provide findings and recommendations are completed.
TASK A-5 REMEDIATION ACTIONS	• Remediation actions to address deficiencies in the controls implemented in the system and environment of operation are taken.
• Security and privacy plans are updated to reflect control implementation changes made based on the assessments and subsequent remediation actions. [Cybersecurity Framework: Profile]
TASK A-6 PLAN OF ACTION AND MILESTONES	• A plan of action and milestones detailing remediation plans for unacceptable risks identified in security and privacy assessment reports is developed. [Cybersecurity Framework: ID.RA-6]

As part of the Risk Management Framework, SP 800-37, rev. 2 provides an updated listing of the tasks and guidance for each task during the prosecution of the Assessment Phase.

Figure 7.1. SP 800-53A assessment case flow.

Assessment Methods

Despite the number and variety of risk assessment methods, approaches to risk assessment typically belong to one of three categories: quantitative, qualitative, or hybrid [62]. Quantitative risk assessment incorporates numeric values produced via direct measurement or observation or obtained through empirical evidence to enable use of mathematical and statistical analysis methods. Quantitative assessments express asset valuation and impact in dollars, time, or other continuous values, and use probability calculations or estimates to determine likelihood. Where objective, accurate measures are available, quantitative risk assessments produce risk determinations easily compared to each other and well suited to cost-benefit analysis. Quantitative assessments facilitate risk ranking and prioritization activities, but their validity depends on the ability of risk assessors to accurately determine values used in risk calculations. The emphasis on numeric scoring can give the impression of clear differences among risk ratings where no significant differences actually exist.

Qualitative assessments measure risk factors using categorical or ordinal ratings, often relying on the knowledge and expertise of risk assessors to correctly apply subjective and relative values. NIST information security standards and guidelines often use qualitative assessment scales, such as the low/moderate/high ratings used in security categorization. Qualitative analysis can be easier to apply than quantitative alternatives, particularly in public sector contexts where operational performance is not often measured in quantitative terms such as revenue or profit. Challenges associated with qualitative assessments include the inherent subjectivity associated with assigning ratings to risk factors and the difficulty in making meaningful differentiations and prioritizing among risk determinations with similar assigned values.

Hybrid assessment methods—often called “semi-quantitative” or “pseudo-quantitative”—add numerical scales to ordinal rating levels to support statistical analysis and facilitate better differentiation among assessed values and risk determinations than in purely qualitative approaches. The guidance on conducting risk assessments in Special Publication 800-30 Revision 1 uses this type of approach, defining five ordinal rating values (very low, low, moderate, high, and very high) for assessing threat sources, vulnerabilities, likelihood, impact, and risk, and assigning numeric rating scales to each value (0–4, 5–20, 21–79, 80–95, and 96–100, respectively) [63].

Warning

The use of numeric rating scales with qualitative assessment values does not change the subjectivity inherent in the rating process. Organizations hoping to improve their ability to compare and rank risk using semi-qualitative ratings must provide clear guidance and rating criteria to risk assessors to ensure that assessment ratings are used consistently.

Depth and Coverage

For each assessment method described in Appendix D of Special Publication 800-53A (examine, interview, and test), the level of detail sought in the control assessment and scope of the assessment process is indicated using attributes for depth and coverage. The possible values for depth and coverage attributes are the same: “basic,” “focused,” or “comprehensive.” Appendix D of Special Publication 800-53A describes the implications of each depth and coverage attribute value, as summarized in Table 11.4, giving system owners and security control assessors explicit guidance how to conduct assessment activities at a level of assurance appropriate for the information system’s assigned impact level. Minimum assurance requirements for low-, medium-, and high-impact systems are specified in Appendix E of Special Publication 800-53 [33], while Special Publication 800-53A applies those requirements to each assessment method [1].

Table 11.4. Assessment Guidance by Depth and Coverage Attribute [32]

As with assessment methods and objects, security assessment report detail should include the depth and coverage attributes corresponding to each assessed control, to give some indication to readers of the report as to the rigor and scope of the assessment procedures that were followed.

2 Assessment methodology

The traditional assessment methods used in bachelor and master process control courses are usually based on the traditional components: exercises assignments, homeworks or tests and a final exam. An effective instructor understands that it is not enough to present course material to students and hope that they get it, assuming that some will and some will not. Learning occurs when there is an interplaying between the teaching process and the outcome. This paper presents a non-traditional method for assessing the students’ skills developed in the above mentioned Portuguese computer aided advanced process control courses which include three components: 1) an APC project performed in groups of two students using MATLAB with Simulink, and the Control System and MPC Toolboxes; 2) an individual test performed in software MATLAB/Simulink in class or three individual homework exercises, and 3) an oral presentation of the project as a 20 min seminar equally shared between both members of the group, followed by 15 min of discussion. A final exam is also available and can be used as the unique assessment method but the students always prefer the proposed assessment methodology based on the above mentioned 3 components. The case study APC project is the main assessment component accounting for an assessment weight between 50% and 65 %, allowing another concept adopted in our teaching strategy which is encouraging students team working. MATLAB package with Simulink, and the Control System and MPC Toolboxes are used during these courses and in the APC project.

The case study process provided to the students as a non-linear mathematical model or as a Simulink model of the “real” process plant allows to investigate and apply various control concepts, the tuning of the implemented controllers, and the performance and robustness of the proposed control strategies to meet the control objectives.

The students attending these courses may have different backgrounds and an additional effort may be required for some of them. The individual test or the homework exercises are used as individual assessment components to establish a grounding or a base line for all the students before starting to work on the APC project, reviewing introductory process control concepts and refreshing MATLAB. This component also contributes to a fair assessment as they provide individual grading for each student.

The idea for the assessment seminar is to “simulate” a more realistic and professional scenario in real industry, where the oral presentations will be framed. So, it is not expected that the students make their oral presentations in a classical academic fashion presenting all the work developed within the project, but that the students be selective and imaginative having in mind the following scenario: each group represents a “Process Control Engineer” of the process control department of a certain industry, that must present the objectives for changing the present control system, identifying some or many of the present control problems in the plant, and also present the main results of the study, conclusions and suggestions for changes in the present base case control structure by proposing a new advanced control system with operational advantages.

5 Conclusion

This study shows that LCA methods influence the structure and consequently the economic performance of bioethanol supply chains (Impact 2002+: NPV = −890 M€; Eco-Indicator 99: NPV = 990 M€; ReCiPe: NPV = - 996 M€)‥ In this sense, decision makers should carefully select the LCA method to apply in their projects, selecting them according to their features and final purpose. Moreover, this fact shows that decisions cannot be taken only based on environmental factors and that multi-objective approaches should be considered when assessing environmental concerns. This work also leads to an important future research path, where LCA methods should be studied in more detail so that some guidelines can be given in terms of the best method to apply.

Abstract

The life cycle assessment method was applied to identify the stages of the industrial water production system in an oil refinery and analyze the energy demand, carbon footprint and water footprint in order to propose scenarios for improvements. Based on the data collection carried out in the field, the inventory of the product system was elaborated in Simapro software with the ecoinvent database. Impact assessment methods applied were Cumulative Energy Demand (CED), Intergovernmental Panel on Climate Change (IPCC) (2013) and Available Water Remaining (AWARE). It was noticed that water losses represent 59% and electricity consumption 0.92 kWh per m3 of distributed water. The proposed scenarios to use more efficient frequency inverters in water uptake, water capture in the nearest place and water losses reduction combined resulted in 28% water losses and 0.33 kWh of electricity consumption per m3 of distributed water. The proposed scenarios combined also reduced CED by 51%, carbon footprint by 47% and water footprint by 39%. The proposed actions are part of the rationalization and eco-efficiency strategies of water use in oil refineries.

5 Case Study

The proposed performance assessment method is used to evaluate the performance of temperature control loops using a proportional controller for different controller gains in free radical solution polymerization of styrene. A process variable, temperature, is used as a controlled variable. Due to the space limitation, the mathematical model is listed here and readers can refer to Schmidt & Ray (1981). Most of the parameter values are taken from Hidalgo & Brosilow (1990). The operating conditions are taken from Tatiraju et al. (1999).

The model has the vector of three non-distribution state variables s=[CICMT ] (initiator concentration, monomer concentration and temperature) and the vector of N = 200 distribution variables at several chain length locations on the MWD output γ=[CM2CM2+ΔnCM2+2ΔnCM2+3Δn⋯CMn,max]T⋅Q is the heading rate which is the control input, and the vector of two disturbance variables (inlet initiator concentration and inlet temperature) is ε=[CI,iTI] T. The MWD function γ―(y) is approximated by a linear combination of m = 35 B spline cubic wavelet functions. For a temperature proportional controller, the control law is given by

(10) Q―k=KpT―k-1=Kp z-1T―k

Eqn (10) is substituted into the transfer function relating temperature T to the control input Q and disturbance variable inlet initiator concentration CI,i s and inlet feed temperature TI to get

(11)T―k=[GT,C(z-1)GT,T(z-1)][CI,i,kTI,k]=GT(z-1)ε―k

Eqn (11) shows the relationship between the disturbances and the fluctuations in temperatures for a proportional controller with a specified gain. The disturbances, namely fluctuations in inlet initiator concentration and inlet feed temperature, are assumed to follow a Gaussian distribution with mean zero and standard deviations of 0.06 and 20. The PDF of temperature is based on two controller gains namely - 0.8 and - 0.08 respectively. Since it assumes that controlling fluctuations in MWD are indirectly done by controlling temperature fluctuations, it is speculated that the MWD fluctuations under the controller with higher gain would be smaller than those with a smaller gain. The overall PDF can be calculated using Eqn (9) shown in Figure 1 and 2. It is found that most of the deviations are very close to zero and that only certain distribution values deviate significantly from the target distribution and the performance for the controller gain of - 0.8 is better. Using the proposed method, the conclusion can indeed be obtained and plots of PDFs for overall MWD fluctuations can be obtained together with the variance of the PDF. The PDF curve for the overall MWD fluctuation will be narrower and the variance smaller when the controller has higher gain