Inclusion of testing directives #6

@brian-ruf

Description

Author Use Case: As an ISSO shop or governance body, I want to define frequency of verification for framework controls and deployed components.

Consumer Use Case: As a developer of validation mechanisms, such as validation agents, I want a machine-readable specification that enables the system-wide orchestration of validation capabilities and that covers topics such as which controls and components to test, the minimum and preferred frequency of tests, and which tests to use.

Rationale: The type and frequency of automated testing must be tuned to reflect organizational/industry risk tolerance as well as negative operational impacts associated with performing the compliance checks. It may be sufficient to run some tests weekly or monthly, while other tests should be run daily or hourly. Likewise, public-facing components may need to be better monitored than internal components.

A mechanism must exist for specifying the minimum and target frequency of testing based on control, test type, component type, location and other factors.

Example: While all web servers should be protected by a Web Application Firewall (WAF), an organization may wish to ensure its public-facing web servers have WAF protection every 10 minutes, but may only wish to check an internal web server's WAF protection once an hour. Likewise, there is more than one way to ensure WAF protection is in place.

Some tests may be less intrusive, but don't tell the whole story, while other tests may be more reliable but have a greater performance impact. The less intrusive test could be used every 10 minutes throughout the day while the more intrusive test could be used primarily during non-peak hours.

An organization needs the ability to specify and tune the testing.

Additional Comments

This issue primarily targets the OSCAL assessment plan model, but involves correlation with SSP (components and inventory), component definitions (validation test scripts/resources), and catalog(s)/profile(s) (applicable controls).
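To make the requested behaviour concrete, here is an added illustration (not part of the issue, and not an OSCAL schema or any OSCAL tooling's code) of what a consumer of such directives might do with them. The directive document format, field names (`target_minutes`, `max_gap_minutes`, `intrusive`, `window_hours`) and component names are all assumptions invented for this example. It encodes the WAF scenario from the issue: a cheap probe every 10 minutes on the public web server and hourly on the internal one, plus a more intrusive check that runs daily but only inside a non-peak window, unless the compliance floor (the minimum frequency) has been breached.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample directive document (hypothetical format, not OSCAL).
# "target" is the preferred cadence; "max_gap" is the minimum frequency the
# governance body will accept, i.e. the gap between runs must never exceed it.
SAMPLE_DIRECTIVES = json.dumps({
    "directives": [
        {"control": "SC-7", "component": "web-public-01", "test": "waf-header-probe",
         "target_minutes": 10, "max_gap_minutes": 30, "intrusive": False},
        {"control": "SC-7", "component": "web-internal-01", "test": "waf-header-probe",
         "target_minutes": 60, "max_gap_minutes": 180, "intrusive": False},
        {"control": "SC-7", "component": "web-public-01", "test": "waf-rule-exercise",
         "target_minutes": 1440, "max_gap_minutes": 2880, "intrusive": True,
         "window_hours": [1, 5]},   # intrusive test only between 01:00 and 05:00
    ]
})


@dataclass(frozen=True)
class Directive:
    control: str
    component: str
    test: str
    target: timedelta                  # preferred interval between runs
    max_gap: timedelta                 # compliance floor: never exceed this gap
    intrusive: bool
    window: Optional[tuple]            # (start_hour, end_hour) for intrusive runs

    @property
    def key(self):
        return (self.control, self.component, self.test)


def load_directives(text):
    """Parse the hypothetical JSON directive document into Directive objects."""
    out = []
    for d in json.loads(text)["directives"]:
        w = d.get("window_hours")
        out.append(Directive(
            control=d["control"], component=d["component"], test=d["test"],
            target=timedelta(minutes=d["target_minutes"]),
            max_gap=timedelta(minutes=d["max_gap_minutes"]),
            intrusive=bool(d.get("intrusive", False)),
            window=tuple(w) if w else None,
        ))
    return out


def in_window(directive, now):
    """True if an intrusive test is allowed to run at this hour of day."""
    if directive.window is None:
        return True
    start, end = directive.window
    return start <= now.hour < end


class Scheduler:
    def __init__(self, directives):
        self.directives = directives
        self.last_run = {}   # directive.key -> datetime of last completed run

    def plan(self, now):
        """Return (due, overdue): directives to run now, and the subset whose
        max_gap floor is already breached (run regardless of window)."""
        due, overdue = [], []
        for d in self.directives:
            last = self.last_run.get(d.key)
            gap = (now - last) if last else None      # None: never run yet
            breached = gap is None or gap >= d.max_gap
            if breached:
                overdue.append(d)
            if breached or (gap >= d.target and in_window(d, now)):
                due.append(d)
        return due, overdue

    def record(self, directive, when):
        self.last_run[directive.key] = when


def simulate(directives, start, hours=48, tick=timedelta(minutes=10)):
    """Advance a clock in fixed ticks and return the run times per directive."""
    sched = Scheduler(directives)
    runs = {d.key: [] for d in directives}
    now, end = start, start + timedelta(hours=hours)
    while now < end:
        due, _ = sched.plan(now)
        for d in due:
            sched.record(d, now)
            runs[d.key].append(now)
        now += tick
    return runs


if __name__ == "__main__":
    for key, times in simulate(load_directives(SAMPLE_DIRECTIVES), datetime(2024, 1, 1)).items():
        print(key, len(times), "runs; last at", times[-1])
```

Over a simulated 48 hours the public probe runs every tick, the internal probe hourly, and the intrusive check runs once at start (never-run counts as a breached floor) and then again only when its daily target has elapsed and the clock is inside the 01:00 to 05:00 window. The `overdue` list is the signal an ISSO shop would want surfaced: it shows where the scheduler had to run a test outside its preferred window to stay within the minimum frequency.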
