AMS Lifecycle Phase: Solution Implementation
The security controls developed for a new information system must be tested and evaluated prior to deployment to ensure that the controls are working properly and are effective. Some types of security controls (primarily those of a non-technical nature) cannot be tested and evaluated until the information system is deployed - these are typically management, technical and operational controls. For those security controls that can be assessed prior to deployment, a security test plan and a test result report are developed. The plan guides the security testing and evaluation of the security controls for that system.
Security testing should confirm that the assumptions made in the system security requirements have been implemented as assumed, and that the total set of security controls is adequate to reduce the residual risks to an acceptable level.
If possible, an independent third party should be involved in the testing of the security controls on the system. This testing should give an unbiased view of the system and find vulnerabilities that may have been overlooked previously.