At this point, we have developed a security test methodology and plan for evaluating the security of our system under test, conducted the test plan activities, produced the evidence to support the results of the testing, and built reports supporting the findings and conclusions, as documented in the Security Assessment Report or other reports to supervisory and executive staff.
The evaluation and assessment of security and security controls involves much more than just reviewing documents and running scan tools, although many pundits would say that is all that is needed. Today’s breaches, threats, and vulnerabilities all tell us that this viewpoint is incorrect and doomed to failure and “front-page” news coverage.
Understanding the variable nature of the security control options found in SP 800-53, the various techniques for testing and evaluating those controls found in SP 800-53A, and the diverse methods and tactics used to breach our networks, together with our responses, as found in SP 800-115, gives us both an understanding and the hope that we can stay ahead of the adversary, understand his or her TTPs, and keep him or her at bay while conducting our business and achieving success in our mission.