The Technical Guide to Information Security Testing and Assessment (also known by the catchy title NIST SP800-115) was published by the National Institute of Standard and Technology (NIST) in 2008.
It provides a relatively high-level overview for designing, implementing and maintaining technical information security test and examination processes and procedures. It is aimed at supporting organisations in planning and executing tests in finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements.
The guide describes three main methods of assessment:
- Testing – executing technical tests on the target networks and systems
- Examination – the main non-technical assessment process of checking, inspecting, reviewing, observing, studying or analysing
- Interviews – another non-technical assessment method described as a process of conducting discussions with individuals or groups within an organisation to facilitate understanding, achieve clarification, or identify the location of evidence
NIST SP800-115 divides a security assessment project into three phases:
- Planning covers the initial stages of the project, such as information gathering, asset identification and threat modelling
- Execution mainly focuses on finding system, network and organisational process vulnerabilities
- Post-execution covers the assessment of the vulnerabilities found earlier, and their impact
The reason we have included this methodology in our list is that it provides a good discussion on the non-technical examination of the security posture of an organisation.
There are cases where we cannot simulate the target systems realistically enough and running full simulated attacks on the live production’s systems is not an option either, eg in critical infrastructure, medical environments, etc. In those environments, being able to run a non-technical examination is particularly important. This approach is also useful when verifying compliance with required standards and policies.
National Institute of Standard and Technology (2008) NIST SP800-115 [online] available from https://csrc.nist.gov/publications/detail/sp/800-115/final [11 April 2019]
© Coventry University. CC BY-NC 4.0