Where should you look for guidance to establish an information security testing program?


To establish an information security testing program, NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, is the resource to consult. It is written specifically for the technical assessment of security controls in information systems and describes the three assessment methods (examination, testing, and interviewing) along with concrete techniques such as network discovery, vulnerability scanning, password cracking, and penetration testing. It also gives guidance on planning an assessment, executing it safely (for example, obtaining authorization and handling the data collected), and analyzing and reporting results so that findings feed back into remediation.

NIST SP 800-115 treats testing as one component of an organization's overall security assessment strategy rather than a stand-alone activity, and it includes recommended approaches, key considerations, and caveats tailored to different assessment scenarios (for instance, the trade-offs between internal and external, overt and covert, and credentialed and uncredentialed testing). By following its guidance, an organization can verify that its security controls actually work as intended and document that verification in a repeatable way.

In contrast, the other options are valuable resources but serve different purposes. CMM (Capability Maturity Model) is a model for process improvement and maturity measurement, not a guide to security testing. NIST SP 800-30, the Guide for Conducting Risk Assessments, covers risk assessment as part of the risk management process; it is essential input for deciding what to test, but it does not describe how to conduct security tests. DoD 8500.1 establishes the Department of Defense's information assurance (now cybersecurity) policy framework, which sets broader policy and responsibilities rather than specific testing methodologies.
