NSTISSI Security Education Standards

7. CERTIFICATION EVALUATION

a. Evaluation Techniques
   1) use appropriate evaluation techniques (e.g., documentation review, automated tools, and a written test plan and procedures) in the conduct of the security test and evaluation (ST&E);
   2) choose the evaluation technique(s) to exercise and evaluate the security countermeasures or capabilities documented in the System Security Authorization Agreement (SSAA); and
   3) generate and/or validate the ST&E plan and procedures.

b. Access Control
   1) verify that access controls meet the criteria established in the SSAA;
   2) document the results of the ST&E access control tests; and
   3) describe the ST&E testing results for access controls.

c. Contingency Planning/Testing
   1) appraise the effectiveness of the contingency plan as described in the SSAA; and
   2) document the effectiveness of the contingency plan.

d. Audit Trail
   1) demonstrate that the audit trail is secure from unauthorized alteration and deletion;
   2) document the results; and
   3) appraise whether the audit trail meets the requirements as defined in the SSAA, and document the results.

e. Intrusion Detection
   1) verify the presence of intrusion detection capabilities as defined in the SSAA, and document the results;
   2) demonstrate that the intrusion detection mechanisms work as outlined in the SSAA, and document the results; and
   3) analyze the effectiveness of the intrusion detection capabilities, and document the results.

f. Security Processing Mode
   1) verify that the security processing mode has been identified;
   2) justify any suggested change in the security processing mode, if it is found to be inadequate or inappropriate, and document the results; and
   3) appraise whether or not the defined security processing mode is adequate for approving system certification, and document the results.

g. Automated Security Tools
   1) identify appropriate security tools, and document the results;
   2) appraise and document whether or not the automated security tools produce the expected results;
   3) use the available security analysis tools appropriate to the defined information system to find security anomalies, and document the results;
   4) interpret the results of automated security analysis; and
   5) justify any suggested security-relevant changes found by the tools, and document the results.

h. Application Security
   1) appraise whether or not application security features produce the expected results, and document the results; and
   2) verify the presence and appropriate use of application security features, and document the results.

i. Disaster Recovery Planning
   1) verify the presence of a disaster recovery plan as documented in the SSAA;
   2) appraise the effectiveness of the disaster recovery plan as described in the SSAA; and
   3) document the results of this verification and appraisal.

j. Change Control Policies
   1) verify the implementation of the change control management processes;
   2) verify the presence of change control policies as documented in the SSAA; and
   3) document the results of this verification.

k. Labeling
   verify and document that labeling is accomplished in accordance with the requirements documented in the SSAA.

l. Marking of Media
   verify and document that all media in use is marked as appropriate, based on the requirements defined in the SSAA.

m. Documentation Issues
   1) report conformance/non-conformance to the specified system certification documentation requirements;
   2) verify the presence of system standard operating procedures;
   3) verify that the SSAA has been validated from the DAA/CA perspective;
   4) verify that the appointment of personnel with any level of privileged access has been identified in writing, as required; and
   5) verify the presence of documentation or a manual used by the system administrator (SA) and information system security officer (ISSO) to set up the system security configuration.

n. Operating System Integrity
   1) demonstrate that operating system integrity capabilities are present in the information system by incorporating operating system configuration management guidelines (including installing the latest patches and consulting available experts and references), and by updating and testing these guidelines often;
   2) report the results of the ST&E pertaining to operating system integrity; and
   3) verify that the operating system integrity capabilities present in the information system are managed and work as defined in the SSAA.

o. Protecting From Malicious/Mobile Code
   1) use the available tools to test the system capabilities in order to identify residual risk;
   2) verify that appropriate capabilities are resident in the system to mitigate the risk of malicious/mobile code contamination; and
   3) document the results of testing to support the system residual risk analysis.

p. Coordination with Related Security Disciplines
   1) report, when required, the results of related security discipline testing; and
   2) verify that countermeasures are defined in the SSAA for physical security, personnel security, all aspects of INFOSEC, etc.

q. Testing Implementation of Security Features
   1) test and verify the effectiveness of all security features, such as password aging and internal labeling, and document the results; and
   2) analyze the impact of the absence of security features that are necessary for secure system operations, and categorize the residual risk.