The primary objective of an effective security program is to establish, maintain, and periodically evaluate the safeguards to protect information at an acceptable level of risk. Critical components are to include cyber-security requirements in every stage of ICT acquisition. Figure 6.3 below lists the critical components to a Security Assessment.
If and when current developers are not knowledgeable about cyber security or The Agency’s methodologies have not kept up with the need for securing cyber defences, IV&V Provider capabilities and services are needed.
IV&V Provider will assist to assess that The Agency has the following capabilities:
- follows cyber-informed processes,
- offers attack surface testing,
- has traceability of test kill chains,
- has red and blue team testing, i.e. offensive and defensive testing capabilities respectively, and
- has cyber event testing tool suites.
As an example, the IV&V Provider will test to deter, detect, disrupt, and defeat threats, by augmenting The Agency’s official security personnel’s’ skills and competencies.
6.2.1 Security Assessment Methodology
Typical IV&V methodologies for conducting security testing involves a four (4) step process, where the IV&V Provider will perform the following steps to achieve the following outputs:
- Step 1 – Preparation of Test Objectives.
- Step 2 – Preparation of a Draft Security Test and Evaluation Plan.
- Step 3 – Development of Security Test and Evaluation Procedures.
- Step 4 – Preparation of an Security Test and Evaluation Report.
The methodology is illustrated in Figure 6.4 below.
The following Table 6.1 describes the Security Assessment activities.