- The test plan specifies the controls that need to be tested, the method of testing, the testing procedures, and the evidence needed to validate each control.
- SCA/ST&E is the process of conducting the assessment and evaluating the validation documents in order to determine whether the controls are adequately implemented.
The following terms are used to show a control's evaluation status:
- Satisfied
- Other than satisfied
- Inherited
- Not Applicable
- Other
- Fail
- Pass
Methods of testing:
- Examination
  - Review existing documents (policies, procedures, previous assessments, etc.)
- Observation – observe the implementation of controls
- Walkthrough – take a tour of a building to take note of security control implementation
- Interview – system owner, system administrators, developers, etc.
- Testing – test an existing control (e.g., test how failed login attempts are handled) and review scan and penetration test results
- In most cases the test plan together with the testing results is termed the Security Test and Evaluation (ST&E) Report or the Security Control Assessment (SCA) Report.
- SP 800-53A specifies the methods of testing, testing procedures, and evidence used to validate the controls:
http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf