Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-11(3)

developer security testing and evaluation  | independent verification of assessment plans / evidence

assessment objective:

Determine if the organization:

sa-11(3)(a)

sa-11(3)(a)[1]

defines independence criteria that an independent agent is required to satisfy;

sa-11(3)(a)[2]

requires an independent agent satisfying organization-defined independence criteria to verify:

sa-11(3)(a)[2][a]

the correct implementation of the developer security assessment plan;

sa-11(3)(a)[2][b]

the evidence produced during security testing/evaluation;

sa-11(3)(b)

ensures that the independent agent is either:

sa-11(3)(b)[1]

provided with sufficient information to complete the verification process; or

sa-11(3)(b)[2]

granted the authority to obtain such information.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; independent verification and validation reports; security test and evaluation plans; security test and evaluation results for the information system, system component, or information system service; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers; independent verification agent].

Test: [select from: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation].