Security Tests and Evaluations Program


The IWC ISSO saw the need for the Security Tests and Evaluations Program (ST&E) process once the IWC CIAPP processes of awareness, access control, and risk management were implemented.

The ST&E function's process was developed to incorporate the testing and evaluation of the total InfoSec processes, environments, hardware, software, and firmware, as a proactive method of supporting risk assessments and the evaluation of the systems' components.

The ISSO believed that the auditors' compliance audits were more of a checklist process of ensuring compliance with IWC InfoSec policies and procedures. What was needed, the ISSO reasoned, was a process to actually test InfoSec processes, systems, etc., to determine whether they were meeting the InfoSec needs of IWC—regardless of whether or not they complied with the InfoSec policies and procedures.

For example, the ST&E would include periodically obtaining a userid on a system with various access privileges. The InfoSec staff member, using that identification, would attempt to violate that system's controls and gain unauthorized access to various files, databases, and systems. That information was then analyzed in concert with a comparison against the systems' audit trails, thus profiling the InfoSec posture of a system or network. Also, the ST&E would include a review of records and prior audit trail documents to help establish the "InfoSec environment" being tested and evaluated.
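The comparison step described above, in which the tester's own record of attempts is reconciled against the system's audit trail, is shown below as an added example (not code from the book). The tester log, the audit trail format, the userids and the object paths are all constructed for illustration; the three findings it separates out are accesses granted to a userid that held no privilege, attempts the audit trail never recorded, and attempts recorded with a different outcome than the tester observed.

```python
import re

# Constructed tester records (not from the book):
# (userid, target object, privilege the userid holds, outcome the tester observed)
TESTER_LOG = [
    ("ste_user1", "/payroll/db", "none", "denied"),
    ("ste_user1", "/hr/records", "none", "granted"),
    ("ste_user1", "/public/docs", "read", "granted"),
    ("ste_user1", "/finance/ledger", "none", "denied"),
]

# Constructed audit trail lines in a syslog-like layout (not from the book).
AUDIT_TRAIL = """\
2002-03-04T10:01:12 host1 access user=ste_user1 obj=/payroll/db result=DENY
2002-03-04T10:02:05 host1 access user=ste_user1 obj=/hr/records result=ALLOW
2002-03-04T10:03:40 host1 access user=ste_user1 obj=/public/docs result=ALLOW
"""

AUDIT_RE = re.compile(r"user=(\S+) obj=(\S+) result=(ALLOW|DENY)")


def parse_audit(text):
    """Map (user, obj) -> 'granted' | 'denied' from the audit trail text."""
    events = {}
    for m in AUDIT_RE.finditer(text):
        user, obj, result = m.groups()
        events[(user, obj)] = "granted" if result == "ALLOW" else "denied"
    return events


def reconcile(tester_log, audit_text):
    """Compare what the tester attempted with what the audit trail recorded.

    Returns (control_failures, unlogged, mismatched), each a list of (user, obj).
    """
    audit = parse_audit(audit_text)
    control_failures, unlogged, mismatched = [], [], []
    for user, obj, privilege, outcome in tester_log:
        if privilege == "none" and outcome == "granted":
            control_failures.append((user, obj))  # access control did not hold
        logged = audit.get((user, obj))
        if logged is None:
            unlogged.append((user, obj))          # audit trail has a gap
        elif logged != outcome:
            mismatched.append((user, obj))        # trail disagrees with observation
    return control_failures, unlogged, mismatched


if __name__ == "__main__":
    names = ("control failures", "unlogged attempts", "mismatched outcomes")
    for name, items in zip(names, reconcile(TESTER_LOG, AUDIT_TRAIL)):
        print(f"{name}: {items}")
```

On the constructed data the run reports one control failure (/hr/records) and one unlogged attempt (/finance/ledger), which are the two kinds of finding the ST&E review would feed back into the risk assessment.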


The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204