Security Assessment Report/ Plan Of Action And Milestone (POA&M)

  • Security Assessment Report also called the Final Risk Assessment Report documents all the findings and is more thorough than the initial Risk Assessment Report.
  • The SAR has findings and recommendations and no pass controls are included
  • ST&E has both pass and fail controls but no
  • recommendations
  • Both SAR and ST&E are products of the security Assessment
  • Annual Assessment/one third SCA: subset of the controls are assessed (e.g. 1/3 of the total controls)
  • Comprehensive SCA: all controls allocated to the system are tested

Summary

  • The following artifacts are generated at this Phase by the C&A Analyst:
    • Test Plan/SAP (controls that need to be tested, the method of testing, testing procedures and evidence to validate the controls)
  • SCA/ST&E report (has both pass and fail controls but no recommendations)
  • Security Assessment Report (SAR)- (The SAR has findings and recommendations no pass controls are included)
  • Both SAR and ST&E are products of the security Assessment
  • Method of testing
    • Examination
      • Review existing documents (policies, procedures, previous assessment, etc…)
      • Observation-Observe the implementation of controls
      • Walkthrough-Take tour of a building to take note of security control implementation
    • Interview – System Owner, System Administrators, developer etc…..
    • Testing – Test existing control (Test fail login attempt)/ scans and penetration results
error: Content is protected !!