Developing and Conducting a Security Test and Evaluation

System security is a composition of people, processes, and products. People are system users,

administrators, and managers. Processes represent the operational aspects of the system which are

manual or automated. Products are the physical and intangible attributes such as facilities and the

hardware and software components that make up a system. Generally, each of these groups is subject to

the same security requirements; however, each grouping faces its own unique challenge regarding

consistent compliance with established requirements. People may not know, understand, or follow

security rules. Processes sometimes become antiquated or have flaws in them that expose a system to a

threat. Product implementations are challenged by security patch updates and insecure configurations.

Interaction between these groups forms a basis of productivity within an organization. This interaction

creates a complex situation when each group interacts with another aspect.