Network Security Evaluation Using the NSA IEM

This chapter discusses the framework of the on-site evaluation phase, where the meat of the technical evaluation occurs. This also means that the majority of surprises are likely to occur during this phase, so flexibility is paramount. One of the objectives of the INFOSEC Evaluation Methodology (IEM) is to verify information regarding systems and controls documented during the INFOSEC Assessment Methodology (IAM). All technical controls are meant to support policy defined by the organization or any industry regulation or legislation.
The IEM has a set of 10 baseline activities that must be addressed to perform a comprehensive technical evaluation. These activities are designed to cover the most common points of attack against a system and to test the effectiveness of the security controls in place. As with the IAM, flexibility and the detailed execution of these activities are left up to the expertise of the evaluating team.
Part of the flexibility of the IEM also carries over into the requirement to use Common Vulnerabilities and Exposures (CVE) identifiers in deliverable reports. CVE identifiers are one industry standard for identifying security weaknesses and are discussed in greater detail later in this chapter. These identifiers keep the findings usable throughout the IEM process and beyond it, into mitigation, follow-up review, and the customer's own research. Since the evaluation team is normally an outside entity, it is important for the customer to have the ability to interpret the deliverables, which may be...