Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
_______________________________________________________________________
________________________________________
_______________________________________________________________________
________________________________________
PURPOSE
To establish the security testing requirements for DHHS IT and Physical Infrastructure.
POLICY
The DHHS Privacy and Security Office shall develop standards, enterprise-wide
procedures, and guidelines for security testing.
The Division of Information Resources Management (DIRM) working with the DHHS
Privacy and Security Office shall ensure that security testing is performed on all DHHS
systems/applications, the network, and the DHHS Physical Infrastructure.
The DHHS Divisions/Offices shall be notified of any vulnerabilities found during testing
and shall review and implement controls to minimize the risk associated with these
vulnerabilities.
IMPLEMENTATION
1. Developing a Security Test Strategy. The DHHS Privacy & Security Office shall
develop a comprehensive test strategy that tests the security of all physical, network and
IT components.
2. General Security Test and Evaluation (ST&E) Process. The DHHS Privacy & Security
Office shall develop a process that identifies the security test requirements, develops
security test plans and procedures, identifies the proper tools for testing, enables testing,
evaluates the results, and makes recommendations for improvement.
3. Scheduling Security Tests. Security testing shall be integrated into the workflow as a
normal part of the duties of security administrators to evaluate system security
mechanisms and validate that systems are operating properly. The DHHS
Divisions/Offices or their designated affiliate(s) responsible for the administration of the
IT network, LAN and systems, shall work with the DHHS Privacy & Security Office
and/or DIRM to prioritize operational system testing activities according to system
criticality, testing costs, and the benefits that testing will provide. Security testing of all
sensitive and critical information systems shall be performed at least once per year.
Likewise, physical security testing and network security testing shall be performed at
least once per year.