This chapter discusses the framework of the onsite evaluation phase, where the meat of the technical evaluations occurs. This also means that the majority of surprises are likely to occur during this phase, so flexibility is paramount. One of the objectives of the INFOSEC Evaluation Methodology (IEM) is to verify information regarding systems and controls documented during the INFOSEC Assessment Methodology (IAM). All technical controls are meant to support policy defined by the ...