Security Test and Evaluation (ST&E) is a component of risk assessment. It is useful in discovering system vulnerabilities. For what purposes is ST&E used?
Each correct answer represents a complete solution. Choose all that apply.

A.
To determine the adequacy of security mechanisms, assurances, and other properties to enforce the security policy

B.
To implement the design of system architecture

C.
To assess the degree of consistency between the system documentation and its implementation

D.
To uncover design, implementation, and operational flaws that may allow the violation of security policy

Explanation:

Security Test and Evaluation (ST&E) is a component of risk assessment. It is useful in discovering system vulnerabilities. According to NIST SP 800-42 (Guideline on Network Security Testing), ST&E is used for the following purposes.

* To assess the degree of consistency between the system documentation and its implementation

* To determine the adequacy of security mechanisms, assurances, and other properties to enforce the security policy

* To uncover design, implementation, and operational flaws that may allow the violation of security policy

Answer option B is incorrect. ST&E is not used for the implementation of the system architecture.