Strategic Security Intelligence


NSTSSI Security Education Standards



Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved


7. CERTIFICATION EVALUATION

    a. Evaluation Techniques

        1) use appropriate evaluation techniques (e.g., documentation review, automated tools, and written test plans and procedures) in the conduct of the security test and evaluation (ST&E);
        2) choose the evaluation technique(s) to exercise and evaluate the security countermeasures or capabilities documented in the SSAA; and
        3) generate and/or validate the security test and evaluation plan and procedures.

    b. Access Control

        1) verify that access controls meet the criteria established in the SSAA;
        2) document the results of the ST&E access control tests; and
        3) describe the ST&E testing results for access controls.

    c. Contingency Planning/Testing

        1) appraise the effectiveness of the contingency plan as described in the SSAA; and
        2) document the effectiveness of the contingency plan.

    d. Audit Trail

        1) demonstrate that the audit trail is secure from unauthorized alteration and deletion;
        2) document the results; and
        3) appraise whether the audit trail meets the requirements as defined in the SSAA and document the results.

    e. Intrusion Detection

        1) verify the presence of intrusion detection capabilities as defined in the SSAA and document the results;
        2) demonstrate that the intrusion detection mechanisms work as outlined in the SSAA and document the results; and
        3) analyze the effectiveness of the intrusion detection capabilities and document the results.

    f. Security Processing Mode

        1) verify that the security processing mode has been identified;
        2) justify any suggested change in the security processing mode, if found to be inadequate or inappropriate, and document the results; and
        3) appraise whether or not the defined security processing mode is adequate for approving system certification, and document the results.

    g. Automated Security Tools

        1) identify appropriate security tools and document the results;
        2) appraise and document whether or not the automated security tools produce the expected results;
        3) use the available security analysis tools appropriate to the defined information system to find security anomalies and document the results;
        4) interpret the results of automated security analysis; and
        5) justify any suggested security relevant changes found by the tools and document the results.

    h. Application Security

        1) appraise whether or not application security features produce the expected results and document the results; and
        2) verify the presence of and the appropriate use of application security features, and document the results.

    i. Disaster Recovery Planning

        1) verify the presence of a disaster recovery plan as documented in the SSAA;
        2) appraise the effectiveness of the disaster recovery plan as described in the SSAA; and
        3) document the results of this verification and appraisal.

    j. Change Control Policies

        1) verify the implementation of the change control management processes;
        2) verify the presence of change control policies as documented in the SSAA; and
        3) document the results of this verification.

    k. Labeling

        verify and document that labeling is accomplished in accordance with the requirements documented in the SSAA.

    l. Marking of Media

        verify and document that all media in use is marked as appropriate, based on the requirements defined in the SSAA.

    m. Documentation Issues

        1) report conformance/non-conformance to the specified system certification documentation requirements;
        2) verify the presence of system standard operating procedures;
        3) verify that the SSAA has been validated from the DAA/CA perspective;
        4) verify that the appointment of personnel with any level of privileged access has been identified in writing, as required; and
        5) verify the presence of documentation or a manual used by the system administrator (SA) and information system security officer (ISSO) to set up the system security configuration.

    n. Operating System Integrity

        1) demonstrate that the operating system integrity capabilities are present in the information system by incorporating operating system configuration management guidelines, including installing the latest patches and consulting with available experts and references, and by updating and testing these guidelines often;
        2) report the results of the ST&E pertaining to operating system integrity; and
        3) verify that the operating system integrity capabilities present in the information system are managed and work as defined in the SSAA.
            
    o. Protecting From Malicious/Mobile Code

        1) use the available tools to test the system capabilities in order to identify residual risk;
        2) verify that appropriate capabilities are resident in the system to mitigate risk from malicious/mobile code contamination; and
        3) document the results of testing to support the system residual risk analysis.


    p. Coordination with Related Security Disciplines

        1) report, when required, the results of related security discipline testing; and
        2) verify that there are countermeasures defined in the SSAA for physical security, personnel security, all aspects of INFOSEC, etc.

    q. Testing Implementation of Security Features

        1) test and verify the effectiveness of all security features, such as password aging and internal labeling, and document the results; and
        2) analyze the impact of the absence of security features that are necessary for secure systems operations, and categorize the residual risk.