Information Collection—thorough research that must be performed against the target system/application before any meaningful assessment can be conducted. Data gathered is analyzed as the assessment proceeds and when the assessment is complete.
Enumeration—activities that provide specific information about assessment targets. This information is often collected using appropriate software tools.
Testing and Review—activities that typically involve the automated testing of security vulnerabilities via software tools, manual analysis, and the evaluation of particular aspects of the organization’s security policies and practices by the . The ’s goal is to apply experience and insight, in order to determine whether the system adequately implements security controls defined by CMS policies and standards.>
