
NIST 800-42 Evaluation and Frequency Factors

Recommendations of the National Institute of Standards and Technology

This information comes from pages 57 and 58 of NIST SP 800-42. You can download the original document: NIST-SP800-42.pdf

The table below gives a general testing schedule for each category of system, together with the benefit each type of test provides.

Category 1 systems are those sensitive systems that provide security for the organization or that provide other critical functions. These systems often include

  • Firewalls, routers, and perimeter defense systems such as for intrusion detection
  • Public access systems such as web and e-mail servers
  • DNS and directory servers, and other internal systems that would likely be intruder targets

Category 2 systems are generally all other systems, i.e., those systems that are protected by Category 1 systems like firewalls, etc., but that still must be tested periodically.


Summarized Evaluation and Frequency Factors Table

Test Type: Network Scanning
  Category 1 Frequency: Continuously to quarterly
  Category 2 Frequency: Semi-annually
  Benefit:
  • Enumerates the network structure and determines the set of active hosts and associated software
  • Identifies unauthorized hosts connected to the network
  • Identifies open ports
  • Identifies unauthorized services

Test Type: Vulnerability Scanning
  Category 1 Frequency: Quarterly or bimonthly (more often for certain high-risk systems), and whenever the vulnerability database is updated
  Category 2 Frequency: Semi-annually
  Benefit:
  • Enumerates the network structure and determines the set of active hosts and associated software
  • Identifies a target set of computers on which to focus vulnerability analysis
  • Identifies potential vulnerabilities on the target set
  • Validates that operating systems and major applications are up to date with security patches and software versions

Test Type: Penetration Testing
  Category 1 Frequency: Annually
  Category 2 Frequency: Annually
  Benefit:
  • Determines how vulnerable the organization's network is to penetration and the level of damage that could be incurred
  • Tests the IT staff's response to perceived security incidents, and their knowledge and implementation of the organization's security policy and the system's security requirements

Test Type: Password Cracking
  Category 1 Frequency: Continuously, up to the same frequency as the expiration policy
  Category 2 Frequency: Same frequency as the expiration policy
  Benefit:
  • Verifies that the policy is effective in producing passwords that are more or less difficult to break
  • Verifies that users select passwords that comply with the organization's security policy

Test Type: Log Reviews
  Category 1 Frequency: Daily for critical systems, e.g., firewalls
  Category 2 Frequency: Weekly
  Benefit:
  • Validates that the system is operating according to policies

Test Type: Integrity Checkers
  Category 1 Frequency: Monthly, and in case of a suspected incident
  Category 2 Frequency: Monthly
  Benefit:
  • Detects unauthorized file modifications

Test Type: Virus Detectors
  Category 1 Frequency: Weekly or as required
  Category 2 Frequency: Weekly or as required
  Benefit:
  • Detects and deletes viruses before they are successfully installed on the system

Test Type: War Dialing
  Category 1 Frequency: Annually
  Category 2 Frequency: Annually
  Benefit:
  • Detects unauthorized modems and prevents unauthorized access to a protected network

Test Type: War Driving
  Category 1 Frequency: Continuously to weekly
  Category 2 Frequency: Semi-annually
  Benefit:
  • Detects unauthorized wireless access points and prevents unauthorized access to a protected network

