Test Plan / Security Test and Evaluation (ST&E) Q1-2023

  • The test plan specifies the controls that need to be tested, the method of testing, the testing procedures, and the evidence needed to validate each control.
  • SCA/ST&E is the process of conducting the assessment and evaluating the validation documents in order to determine whether the controls are adequately implemented.

The following terms are used to show a control's evaluation status:

  • Satisfied
  • Other than satisfied
  • Inherited
  • Not Applicable
  • Other
  • Fail
  • Pass

Method of Testing:

  • Examination
    • Review existing documents (policies, procedures, previous assessments, etc.)
    • Observation: observe the implementation of controls
    • Walkthrough: take a tour of the building and note how the security controls are implemented
  • Interview: system owner, system administrators, developers, etc.
  • Testing: test an existing control (e.g., a failed login attempt test) and review vulnerability scan and penetration test results
  • In most cases the test plan together with the testing results is termed the Security Test and Evaluation (ST&E) Report or the Security Control Assessment (SCA) Report
  • SP 800-53A specifies the assessment methods, testing procedures and evidence used to validate the controls
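
An added example (not part of the original plan) of how the plan's entries, the "test" method for the failed login attempt case, and the roll-up to the report's Satisfied / Other than satisfied / Inherited / Not Applicable findings fit together. The control identifiers AC-7 and PE-3, the key=value log format and the log lines themselves are assumptions constructed for the example.

```python
# Finding terms recorded in the ST&E/SCA report.
SATISFIED, OTHER, INHERITED, NA = ("Satisfied", "Other than satisfied",
                                   "Inherited", "Not Applicable")

def lockout_observed(log_lines, user, threshold):
    """'Test' method for failed-login attempts: does the auth log show `user`
    locked after exactly `threshold` consecutive failures? Success resets it."""
    failures = 0
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("user") != user:
            continue
        event = fields.get("event")
        if event == "login_failed":
            failures += 1
        elif event == "account_locked":
            return failures == threshold   # locked, but at the required count?
        else:
            failures = 0                   # successful logon resets the counter
    return False                           # account was never locked

def control_status(procedures, inherited=(), not_applicable=()):
    """Roll (control, method, evidence, passed) entries up to one finding per
    control: every procedure must pass; inherited/N-A controls are not tested."""
    status = {c: INHERITED for c in inherited}
    status.update({c: NA for c in not_applicable})
    for control, _method, _evidence, passed in procedures:
        if status.get(control) in (INHERITED, NA):
            continue
        ok = status.get(control, SATISFIED) == SATISFIED and passed
        status[control] = SATISFIED if ok else OTHER
    return status

# Constructed sample evidence (not real logs): alice is locked after 3 failures.
SAMPLE_LOG = [
    "ts=2023-02-01T09:00:01Z user=alice event=login_failed",
    "ts=2023-02-01T09:00:05Z user=alice event=login_failed",
    "ts=2023-02-01T09:00:09Z user=alice event=login_failed",
    "ts=2023-02-01T09:00:09Z user=alice event=account_locked",
]

def run_plan(threshold=3):
    """Assumed Q1 plan entries; control ids AC-7 / PE-3 are not from the page."""
    plan = [
        ("AC-7", "examine", "access control policy", True),
        ("AC-7", "test", "auth log sample", lockout_observed(SAMPLE_LOG, "alice", threshold)),
        ("PE-3", "examine", "facility access records", True),
    ]
    return control_status(plan, inherited=("PE-3",))
```

Running `run_plan(3)` yields AC-7 Satisfied because both its examine and test procedures pass; with a required threshold of 5 the same evidence makes AC-7 Other than satisfied, while PE-3 stays Inherited untested.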

http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf

