Guide to Information Security Testing and Assessment

A comprehensive approach to information security testing and assessment is essential to the secure operation of an organization's information technology (IT) systems. By applying technical testing and examination techniques, organizations can identify and assess the vulnerabilities of their systems and networks, and then take steps to improve their overall security. Technology (NIST) recently published a new guide to help organizations conduct their information security assessments. Issued in September 2008, the guide presents the key elements of security testing and assessments, explains the specific techniques that can be applied, and recommends effective methods for implementing testing and assessment practices. NIST SP 800-115 presents the basic technical aspects of conducting information security assessments. It discusses technical testing and examination methods that an organization might use as part of an assessment, and helps organizations to apply the techniques effectively to their systems and networks. The guide stresses the importance of organizational support to the technical assessment process through sound planning, careful analysis of findings, and regular reporting of results and recommendations to management officials. Topics covered in the guide include detailed descriptions of technical examination techniques such as review of documentation, review of logs, network sniffing, and file integrity checking; techniques such as network discovery and vulnerability scanning for identifying targets and analyzing them for potential vulnerabilities; and techniques used to validate the existence of vulnerabilities, such as password cracking and penetration testing.