There are many different methodologies for implementing and testing security controls in an IT system to ensure that it is operating under an “acceptable level of risk.” Many of these methodologies require the use of software to aid in this measurement. While the execution of technical tools is important, it can sometimes place a financial burden on an organization (especially a small business) that may not have the resources to purchase the software or hire trained personnel to run the tools and conduct an analysis of the results.
This presentation provides an overview of a security testing methodology developed by the Federal Government through the Department of Commerce’s National Institute of Standards and Technology (NIST) Computer Security Division that is available for use by the security community at no cost. The NIST methodology allows an organization to test their security posture by analyzing controls that are listed in 18 different security categories.
1. Be presented a comprehensive security testing approach that limits the need for using automated tools
2. Take away an understanding of National Institute of Standards and Technology (NIST) security controls and learn how to apply them to their information systems
3. Be shown techniques for documenting testing results
4. Be apprised of best practices for conducting security testing of information systems
Tom Hasman, Senior Information Security Analyst, SRA International
Tom is Senior Information Security Analyst on the Information Assurance team for SRA International. Tom specializes in Security Tests & Evaluations in support of the government’s Certification & Accreditation process.
He performs risk assessments and makes recommendations to clients for prioritizing and mitigating vulnerabilities. Tom also develops security policies and procedures for government clients.