Definition
An information security assessment is:
“the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives.”
Overview
Three types of assessment methods can be used to accomplish this:
- Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors.
- Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
- Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence.
References
- NIST Special Publication 800-115, at ES-1.