FISMA Certification and Accreditation Handbook

Chapter 21: Evaluating the Certification Package for Accreditation

To give no trust is to get no trust.

Lao-Tzu (sixth century B.C.)

Introduction

Once a final C&A package has been submitted, the evaluation team begins the review process. The person or team of people who evaluate the C&A package should not be the same person or group of people who prepared it. Something that the OIG and GAO will be looking for is instances of the fox guarding the hen house. There needs to be a separation of duties between the folks who prepare the C&A documents and the folks who evaluate them.

The Security Assessment Report

The Security Assessment Report (SAR) is a document that is put together by the evaluation team after they have gone through the C&A package with a fine-toothed comb. The Security Assessment Report should indicate what audit checks were performed, what passed and what failed, and what the final summary list of vulnerabilities is that the evaluation team found.

The vulnerabilities cited in the SAR may or may not match the vulnerabilities that the C&A preparation team included in the Business Risk Assessment or the System Risk Assessment. It's possible that the evaluation team may not agree with the vulnerabilities presented to them by the C&A package documents. Or they may agree with the vulnerabilities, but decide to change the risk exposure rating. They may also add on altogether new vulnerabilities based on their findings after performing their compliance audit.

Aside from vulnerabilities, the SAR should include a...
