Security Control Assessment Phase 4 Q1-2022

The following artifacts are generated at this Phase by the C&A Analyst:

  • Security Assessment Plan (SAP)/Test Plan: controls that need to be tested, the method of testing, testing procedures and evidence to validate the controls
  • Security Control Assessment (SCA)Security Test and evaluation (ST&E) report: has both satisfy and other than satisfy controls but no recommendations
  • Security Assessment Report (SAR): The SAR has findings (other than satisfy controls) and recommendations (satisfy controls are included)
  • Both SAR and SCA/ST&E reports are products of the Security Assessment

Method of Testing

  • Examination
    • Review existing documents (policies, procedures, previous assessment, etc…)
    • Observation-Observe the implementation of controls
    • Walkthrough-Take tour of a building to take note of security control implementation
  • Interview-System owner, system administrators, developer etc…..
  • Testing– test existing control (Test fail login attempt)/ scans and penetration

NIST Publications

  • SP 800-53A
  • SP 800-53
error: Content is protected !!