The following artifacts are generated at this phase by the C&A Analyst:
- Security Assessment Plan (SAP)/Test Plan: the controls that need to be tested, the method of testing, the testing procedures, and the evidence required to validate the controls
- Security Control Assessment (SCA)/Security Test and Evaluation (ST&E) report: lists both satisfied and other-than-satisfied controls, but contains no recommendations
- Security Assessment Report (SAR): contains findings (the other-than-satisfied controls) and recommendations; satisfied controls are included as well
- Both the SAR and the SCA/ST&E report are products of the Security Assessment
Method of Testing
- Examination - Review existing documents (policies, procedures, previous assessments, etc.)
- Observation - Observe the implementation of controls
- Walkthrough - Take a tour of a building to take note of security control implementation
- Interview - System owner, system administrators, developers, etc.
- Testing - Test existing controls (e.g., test a failed login attempt), vulnerability scans, and penetration testing
NIST Publications