InScope Solutions was engaged as an independent third party to validate all the security artifacts that needed to be created as part of newly developed FTC systems. As part of this effort, InScope will audit all controls on Windows and UNIX servers for an internet-facing web application.
The STT began scheduling additional tests due to increased numbers of problems found in the applications supporting field representatives conducting telephone surveys. Additionally, the release process for the software deployed to field representatives’ laptops is a manual process and subject to user error. The Bureau required project management and subject matter expertise to streamline testing and release management programs and processes.
Given the short timeframe, InScope was able to provide a team with a unique blend of security engineering and systems engineering expertise. The team has been able to successfully perform the review while the system is changing as the development is completed.
InScope’s approach to conducting C&A independent verification and validation (IV&V) services is to utilize security professionals who have been exposed to various C&A and IV&V scenarios. To ensure a thorough review of all risk and produce a sound accreditation recommendation, the InScope team worked on four key areas of the IV&V effort: 1) document review and assessment, interviews, physical inspection, and electronic/cyber testing; 2) risk assessment; 3) security test and evaluation; and 4) accreditation.
The team is finishing the documentation review and is in the process of conducting an electronic review. This project includes many dependencies on external resources to provide information and feedback for review. Despite ongoing delays in obtaining required information and access to systems, the team has managed to work quickly and efficiently, ensuring that the project schedule is not delayed.