Periodic self-assessments typically should be performed by the organizational unit being assessed. Self-assessments capture subjective opinions on the achievement of objectives. Although they may provide valuable information related to perceived changes in the level of risk and effectiveness of controls, they are affected by the breadth and depth of the assessor's knowledge, the completeness and reliability of information used to complete the assessment, and the assessor's biases. Self-assessment frequency should be a function of the level of assurance needed by the institution, determined by the risk management process. Results from self-assessments can be informative to the overall test and evaluation process. Management should use the results to help strengthen the organizational unit's information security.