Technical Guide to Information Security Testing and Assessment

Scarfone, Karen; Souppaya, Murugiah; Cody, Amanda; Orebaugh, Angela

doi:https://doi.org/10.6028/NIST.SP.800-115

SP 800-115

Technical Guide to Information Security Testing and Assessment

Documentation Topics

Date Published: September 2008

Supersedes: SP 800-42 (10/15/2003)

Author(s)

Karen Scarfone (NIST), Murugiah Souppaya (NIST), Amanda Cody (BAH), Angela Orebaugh (BAH)

Abstract

The purpose of this document is to assist organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical recommendations for designing, implementing, and maintaining technical information security test and examination processes and procedures. These can be used for several purposes, such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. The guide is not intended to present a comprehensive information security testing and examination program but rather an overview of key elements of technical security testing and examination, with an emphasis on specific technical techniques, the benefits and limitations of each, and recommendations for their use.

Keywords

Penetration testing; risk assessment; security assessment; security examination; security testing; vulnerability scanning

Control Families

Audit and Accountability; Assessment, Authorization and Monitoring; Risk Assessment; System and Communications Protection; System and Information Integrity; System and Services Acquisition

Documentation

Publication:
SP 800-115 (DOI)
Local Download

Supplemental Material:
SP 800-115 (EPUB) (txt)

Document History:
09/30/08: SP 800-115 (Final)

Topics

Security and Privacy
acquisition; audit & accountability; risk assessment

Applications
communications & wireless