Show/Hide Toolbars

ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Navigation: SA-FAMILY: SYSTEM AND SERVICES ACQUISITION

SA-11(4) DEVELOPER SECURITY TESTING AND EVALUATION  |  MANUAL CODE REVIEWS

Scroll Prev Top Next More

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

 

 

 

 

 

 

 

 

 

 

 

 

###

sa-11(4)

developer security testing and evaluation  | manual code reviews

 

assessment objective:

Determine if the organization:

sa-11(4)[1]

defines specific code for which the developer of the information system, system component, or information system service is required to perform a manual code review;

sa-11(4)[2]

defines processes, procedures, and/or techniques to be used when the developer performs a manual code review of organization-defined specific code; and

sa-11(4)[3]

requires the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing system developer security testing; processes, procedures, and/or techniques for performing manual code reviews; solicitation documentation; acquisition documentation; service-level agreements; acquisition contracts for the information system, system component, or information system service; system developer security testing and evaluation plans; system developer security testing and evaluation results; list of code requiring manual reviews; records of manual code reviews; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers; independent verification agent].

Test: [select from: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056