The IWC ISSO saw the need for the Security Tests and Evaluations Program (ST&E) process once the IWC CIAPP processes of awareness, access control, and risk management were implemented.
The ST&E function's process was developed in order to incorporate testing and evaluating of total InfoSec processes, environments, hardware, software, and firmware, as a pro-active method to support risk assessments and the evaluations of the systems' components.
The ISSO believed that the auditors' compliance audits were more of a checklist process of ensuring compliance with IWC InfoSec policies and procedures. What was needed, the ISSO reasoned, was a process to actually test InfoSec processes, systems, etc., to determine whether they were meeting the InfoSec needs of IWC—regardless of whether or not they complied with the InfoSec policies and procedures.
For example, the ST&E would include periodically obtaining a userid on a system with various access privileges. The InfoSec staff member, using that identification, would violate that system and attempt to gain unauthorized access to various files, databases, and systems. That information was analyzed in concert with a comparison of the systems' audit trails, thus profiling the InfoSec of a system or network. Also, the ST&E would include a review of records and prior audit trail documents to help establish the "InfoSec environment" being tested and evaluated.
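The comparison step described above, where the tester's own log of attempts is matched against the system's audit trail to see what the controls blocked and what the audit trail actually recorded, can be automated. The script below is an added example, not part of the book or of any IWC tool; the audit-trail format (`timestamp user action resource result`), the test userid `ste_test`, the resource paths and the matching window are all constructed assumptions for illustration.

```python
"""Reconcile ST&E test-access attempts against a system audit trail.

Added example (not from the book). Assumed, simplified audit-trail format:
    <ISO timestamp> <user> <action> <resource> <ALLOWED|DENIED>
Each attempt the tester made is classified as:
    OK                          control behaved as expected and was logged
    UNAUTHORIZED_ACCESS_ALLOWED control failure (access that should be denied)
    AUTHORIZED_ACCESS_DENIED    control too strict (legitimate access blocked)
    NOT_LOGGED                  audit gap (attempt left no trace in the trail)
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Attempt:
    """One access attempt the InfoSec tester recorded during the ST&E."""
    when: datetime
    user: str
    action: str
    resource: str
    authorized: bool  # True if the test userid was meant to have this access

# Constructed tester log for the hypothetical test userid "ste_test".
ATTEMPTS = [
    Attempt(datetime(2024, 3, 1, 9, 0), "ste_test", "read", "/hr/payroll.db", False),
    Attempt(datetime(2024, 3, 1, 9, 5), "ste_test", "read", "/eng/specs.doc", True),
    Attempt(datetime(2024, 3, 1, 9, 10), "ste_test", "write", "/finance/ledger.db", False),
    Attempt(datetime(2024, 3, 1, 9, 15), "ste_test", "read", "/hr/salary.xls", False),
    Attempt(datetime(2024, 3, 1, 9, 20), "ste_test", "read", "/eng/drawings.dwg", True),
]

# Constructed audit trail pulled from the tested system. Note the write to
# the ledger was ALLOWED, the salary file attempt is missing entirely, and
# the drawings read was DENIED although the account should have had it.
AUDIT_TRAIL = """\
2024-03-01T09:00:02 ste_test read /hr/payroll.db DENIED
2024-03-01T09:05:01 ste_test read /eng/specs.doc ALLOWED
2024-03-01T09:10:04 ste_test write /finance/ledger.db ALLOWED
2024-03-01T09:20:03 ste_test read /eng/drawings.dwg DENIED
2024-03-01T09:21:00 jsmith read /eng/drawings.dwg ALLOWED
"""

def parse_audit(text):
    """Parse the assumed audit-trail format into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource, result = line.split()
        entries.append({"when": datetime.fromisoformat(ts), "user": user,
                        "action": action, "resource": resource, "result": result})
    return entries

def reconcile(attempts, entries, window=timedelta(seconds=30)):
    """Match each tester attempt to an audit entry within `window` and classify it."""
    findings = []
    for a in attempts:
        match = next((e for e in entries
                      if e["user"] == a.user and e["action"] == a.action
                      and e["resource"] == a.resource
                      and abs(e["when"] - a.when) <= window), None)
        if match is None:
            status = "NOT_LOGGED"
        elif match["result"] == "ALLOWED" and not a.authorized:
            status = "UNAUTHORIZED_ACCESS_ALLOWED"
        elif match["result"] == "DENIED" and a.authorized:
            status = "AUTHORIZED_ACCESS_DENIED"
        else:
            status = "OK"
        findings.append((a, status))
    return findings

def summarize(findings):
    """Count findings per status; the non-OK counts are the ST&E report items."""
    counts = {}
    for _, status in findings:
        counts[status] = counts.get(status, 0) + 1
    return counts

if __name__ == "__main__":
    for attempt, status in reconcile(ATTEMPTS, parse_audit(AUDIT_TRAIL)):
        print(f"{status:28} {attempt.action:5} {attempt.resource}")
    print(summarize(reconcile(ATTEMPTS, parse_audit(AUDIT_TRAIL))))
```

The two findings that matter most for the ST&E report are the `UNAUTHORIZED_ACCESS_ALLOWED` result (a control failure the compliance checklist would not have surfaced) and the `NOT_LOGGED` result (an audit gap, meaning the system could not have profiled that access at all). The matching window exists because the tester's clock and the system's audit clock rarely agree to the second; widen it if the two are not synchronized.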