Chapter 15: Security Assessment and Testing Flashcards
_____ assessment and testing programs perform regular checks to ensure that adequate security controls are in place and that they effectively perform their assigned functions.
Security
Security ___ verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine security.
tests
Security ____ are comprehensive reviews of the security of a system, application, or other tested environment. They also include a thoughtful review of the threat environment, current and future risks, and the value of the targeted environment.
assessments
Security ____ use many of the same techniques followed during security assessments but must be performed by independent auditors.
audits
_____ audits are performed by an organization’s internal audit staff and are typically intended for internal audiences.
Internal
______ audits are performed by an outside auditing firm.
External
______ audits are conducted by, or on behalf of, another organization. For example, a regulatory body might have the authority to initiate an audit of a regulated firm under contract or law.
Third-party
SOC __ Engagements: Assess the organization's controls that might impact the accuracy of financial reporting.
1
SOC __ Engagements: Assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. These reports are restricted-use reports, normally shared only with the customer and its auditors.
2
SOC __ Engagements: Assess the same security (confidentiality, integrity, and availability) and privacy controls as a SOC 2 engagement, but produce a general-use report intended for public release rather than a restricted-use report.
3
Type __ Reports: These reports provide the auditor's opinion on the description provided by management and the suitability of the design of the controls, as of a specific point in time. They do not test whether the controls actually worked.
I
Type __ Reports: These reports go further and also provide the auditor's opinion on the operating effectiveness of the controls over a period of time (commonly six to twelve months).
II
_____ scans and penetration tests provide security professionals with a perspective on the weaknesses in a system or application’s technical controls by identifying technical vulnerabilities that they contain.
Vulnerability
The security community depends on a common set of standards to provide a common language for describing and evaluating vulnerabilities. NIST provides the community with the ____ to meet this need.
Security Content Automation Protocol (SCAP)
____ provides a naming system for describing security vulnerabilities.
Common Vulnerabilities and Exposures (CVE)
______ provides a standardized scoring system for describing the severity of security vulnerabilities.
Common Vulnerability Scoring System (CVSS)
____ provides a naming system for system configuration issues.
Common Configuration Enumeration (CCE)
_____ provides a naming system for operating systems, applications, and devices.
Common Platform Enumeration (CPE)