Home  /  Empower and Protect  /  IT GRC Geek Speak: Body of Evidence

IT GRC Geek Speak: Body of Evidence

By Rick Tracy •  August 9, 2016
IT GRC body of evidence

IT GRC Geek Speak is a blog series that seeks to help define common language and jargon used around the IT Governance, Risk and Compliance (GRC) space.  If commonly defined terms are used to discuss security and compliance, it will be easier for people at every level of the organization, from CISOs to the board of directors, to communicate about compliance and risk management more effectively.


What is a body of evidence and why do you need it?

NIST defines body of evidence as:

The totality of evidence used to substantiate trust, trustworthiness, and risk relative to the system.

Essentially, a body of evidence is necessary to demonstrate to business partners, regulators, or in a court of law that reasonable security practices and due care exist within an organization.

In some industries the standards are regulated or mandated, and it is essential to maintain a body of evidence to demonstrate compliance.

Other industries require a body of evidence to authorize a system for use.  For example, within the Federal Government it is essential to demonstrate with evidence and artifacts, that a system meets certain security requirements before the system is activated and trusted to process and store sensitive information.

In many industries, a body of evidence is important to understand the trustworthiness of business partners that are part of your supply chain.

Insurance companies are increasingly interested in a body of evidence to justify cyber risk indemnification, coverage levels, premiums, and deductibles.

Lastly, as a result of recent high profile breaches it should be noted that bodies of evidence would have been helpful as a legal defense, demonstrating due care in court of law.

Beyond using bodies of evidence to demonstrate trustworthiness among and between external parties, they can also be used to effectively communicate internal risk and compliance posture to all levels of an organization – from the server room to the board room.

By operationalizing information and cyber risk frameworks such as the NIST RMF, NIST CSF, and ISO 27001 the Xacta IT GRC platform helps create a comprehensive body of evidence in accordance with internationally recognized standards. Designed with security in mind, Xacta helps ensure data integrity of the body of evidence via role based access, defined user permissions, and audit logs.

Do you have a body of evidence that shows your organization is secure and compliant?  Click here to learn more about how Xacta can help you establish a meaningful body of evidence needed to address a variety of business requirements.


Rick Tracy

Rick Tracy

Rick Tracy is the senior vice president and chief security officer at Telos Corporation. Follow him on Twitter: @rick_tracy See full bio...

The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.

Leave a Reply

Your email address will not be published.