Information Assurance Services: INFOSEC Evaluation
Evaluation is a detailed review of the organization's
information systems, with specific regard to the
systems' ability to enforce policy. Evaluation is
cooperative in nature, and provides tasks for
remediation, as well as medium-term direction on how
to use technology to support information security.
Evaluation teams are known as "Blue Teams" in
military jargon.
NSA is presently working on its methodology for system
evaluation. Until that standard is released,
Interhack employs its own methodology for evaluating
system security, keeping in mind best practices as
defined by industry needs, ongoing research, and
projects of standards bodies such as the National
Institute of Standards and Technology (NIST) and the
Internet Engineering Task Force (IETF).
Evaluation starts with the definition of scope: which
systems are to be included. This complements
Assessment, since an assessment following the IAM will
have identified critical systems based on the
criticality of the information they handle. Once target
systems are defined, a standard is created from
organizational policy, industry regulation, and best
practice.
Evaluation then begins, testing for adherence to the
standard. An initial report is released to the
sponsoring organization, providing it the ability to
raise questions or concerns before the completion of
the final report.
The final report will include INFOSEC findings,
showing where policy cannot be effectively
implemented, where policy was not effectively
implemented, and generally how closely the systems
come to meeting the organization's INFOSEC
expectations. Depending on the needs of the client,
evaluation can also result in certification and
accreditation of systems evaluated.
Key benefits of evaluation include assurance
that the systems are enforcing relevant policy, that
configurations are having the expected impact, and
that weaknesses identified can be ranked for
importance and urgency.
Contact us for
specific information on pricing.