- The test plan specifies the controls that need to be tested, the method of testing, the testing procedures, and the evidence needed to validate the controls.
- SCA/ST&E is the process of conducting the assessment and evaluating the validation documents in order to determine whether the controls are adequately implemented.
The following terms are used to show a control's evaluation status:
- Other than satisfied
- Not applicable
Methods of testing:
- Review existing documents (policies, procedures, previous assessments, etc.)
- Observation – observe the implementation of controls
- Walkthrough – take a tour of a building to note how security controls are implemented
- Interview – system owner, system administrators, developers, etc.
- Testing – test an existing control (e.g., a failed login attempt test); vulnerability scans and penetration test results
- In most cases the test plan together with the testing results is termed the Security Test and Evaluation (ST&E) Report or the Security Control Assessment (SCA) Report
- SP 800-53A specifies the methods of testing, the testing procedures, and the evidence needed to validate the controls
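As an added example of the "Testing" method above (not part of the original notes), the script below evaluates a failed-login lockout control: the assessor performs repeated failed login attempts against test accounts, then validates the captured authentication log as evidence. The log format, the lockout threshold, the mapping to the SP 800-53 control AC-7, and the status labels "Satisfied" / "Other than satisfied" are assumptions for illustration; the log lines are constructed sample evidence, not output from a real system.

```python
"""Assessment procedure for a failed-login lockout control (Testing method).

Added example code, not from the original notes. The log format, the
lockout threshold and the control mapping (assumed: AC-7, Unsuccessful
Logon Attempts) are assumptions; SAMPLE_LOG is constructed evidence.
"""
import re
from dataclasses import dataclass, field

# Assumed test-plan parameter: an account must lock after this many
# consecutive failed attempts.
LOCKOUT_THRESHOLD = 5

# Constructed sample evidence: the authentication log captured while the
# assessor exercised the control against three test accounts.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth: Failed password for alice from 10.0.0.5
2024-05-01T10:00:03 auth: Failed password for alice from 10.0.0.5
2024-05-01T10:00:05 auth: Failed password for alice from 10.0.0.5
2024-05-01T10:00:07 auth: Failed password for alice from 10.0.0.5
2024-05-01T10:00:09 auth: Failed password for alice from 10.0.0.5
2024-05-01T10:00:10 auth: Account alice locked
2024-05-01T10:00:12 auth: Failed password for bob from 10.0.0.6
2024-05-01T10:00:14 auth: Failed password for bob from 10.0.0.6
2024-05-01T10:00:16 auth: Failed password for bob from 10.0.0.6
2024-05-01T10:00:18 auth: Failed password for bob from 10.0.0.6
2024-05-01T10:00:20 auth: Failed password for bob from 10.0.0.6
2024-05-01T10:00:22 auth: Failed password for bob from 10.0.0.6
2024-05-01T10:00:24 auth: Failed password for bob from 10.0.0.6
2024-05-01T10:00:30 auth: Failed password for carol from 10.0.0.7
2024-05-01T10:00:32 auth: Failed password for carol from 10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\w+)")
LOCK_RE = re.compile(r"Account (?P<user>\w+) locked")


@dataclass
class Finding:
    control: str
    status: str                # "Satisfied" or "Other than satisfied"
    evidence: list = field(default_factory=list)


def evaluate_lockout(log_text):
    """Return {user: (failed attempts before lock, locked?)} from the evidence."""
    failures, locked = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines that are not auth events
        msg = m.group("msg")
        fail = FAIL_RE.match(msg)
        if fail:
            user = fail.group("user")
            if not locked.get(user):      # attempts after a lock do not count
                failures[user] = failures.get(user, 0) + 1
            continue
        lock = LOCK_RE.match(msg)
        if lock:
            locked[lock.group("user")] = True
    return {u: (failures[u], locked.get(u, False)) for u in failures}


def assess(log_text, threshold=LOCKOUT_THRESHOLD):
    """Turn the evidence into an assessment finding for the lockout control."""
    results = evaluate_lockout(log_text)
    evidence, satisfied = [], True
    for user, (count, is_locked) in sorted(results.items()):
        if is_locked and count <= threshold:
            evidence.append(f"{user}: locked after {count} failed attempts "
                            f"(expected <= {threshold})")
        elif not is_locked and count < threshold:
            # Not enough attempts to exercise the control: no conclusion.
            evidence.append(f"{user}: only {count} failed attempts; control not exercised")
        else:
            satisfied = False
            evidence.append(f"{user}: {count} failed attempts, locked={is_locked}; "
                            f"lockout at {threshold} not enforced")
    status = "Satisfied" if satisfied else "Other than satisfied"
    return Finding("AC-7 Unsuccessful Logon Attempts (assumed mapping)", status, evidence)


if __name__ == "__main__":
    finding = assess(SAMPLE_LOG)
    print(finding.control, "->", finding.status)
    for item in finding.evidence:
        print("  evidence:", item)
```

The finding for the sample evidence is "Other than satisfied" because bob's account took seven failed attempts without locking; carol's two attempts are recorded as evidence but do not exercise the control, so they neither satisfy nor fail it. The evidence list is what would be attached to the ST&E/SCA report entry for that control.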