The operations and maintenance phase is the years between the implementation and disposition phases, where the information system is providing a useful service to the organization. Testing will be conducted on the information system periodically to ensure that the security of the information system is maintained. The two triggers that will cause the information system to be tested are:

• Scheduled: You will want to conduct a periodic vulnerability assessment and penetration testing on a scheduled basis, depending on your corporate policies.
• Information system changes: Any time that a new change occurs to the information system, you will want to conduct a test to ensure that the information security of the information system is still adequate:
  • Example of a significant change: A new version release of a software package or operating system