Security Assessment Report/ Plan Of Action And Milestone (POA&M)
- Security Assessment Report also called the Final Risk Assessment Report documents all the findings and is more thorough than the initial Risk Assessment Report.
- The SAR has findings and recommendations and no pass controls are included
- ST&E has both pass and fail controls but no
- recommendations
- Both SAR and ST&E are products of the security Assessment
- Annual Assessment/one third SCA: subset of the controls are assessed (e.g. 1/3 of the total controls)
- Comprehensive SCA: all controls allocated to the system are tested
Summary
- The following artifacts are generated at this Phase by the C&A Analyst:
- Test Plan/SAP (controls that need to be tested, the method of testing, testing procedures and evidence to validate the controls)
- SCA/ST&E report (has both pass and fail controls but no recommendations)
- Security Assessment Report (SAR)- (The SAR has findings and recommendations no pass controls are included)
- Both SAR and ST&E are products of the security Assessment
- Method of testing
- Examination
- Review existing documents (policies, procedures, previous assessment, etc…)
- Observation-Observe the implementation of controls
- Walkthrough-Take tour of a building to take note of security control implementation
- Interview – System Owner, System Administrators, developer etc…..
- Testing – Test existing control (Test fail login attempt)/ scans and penetration results
error: Content is protected !!
Login
Accessing this course requires a login. Please enter your credentials below!