Domain 6: Security Assessment and Testing Flashcards
Artifact
A piece of evidence, such as text or a reference to a resource, that is submitted to support a response to a question.
Assessment
The testing or evaluation of the controls in an information system or an organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security or privacy requirements for the system or the organization.
Audit/Auditing
The process of reviewing a system for compliance against a standard or baseline. Examples include audits of security controls, configuration baselines, and financial records. Can be formal and independent, or informal using internal staff.
Chaos Engineering
The discipline of experimenting on a software system in production to build confidence in the system’s capability to withstand turbulent and unexpected conditions.
Compliance Calendar
A calendar that tracks an organization’s audits, assessment, required filings, and their due dates and related details.
Compliance Tests
An evaluation that provides assurance an organization’s controls are being applied in accordance with management policies and procedures.
Ethical Penetration Testing, Penetration Testing
A security testing and assessment method in which testers actively attempt to circumvent or defeat the security features of a system. Ethical penetration testing is constrained, typically by contracts, to stay within specified rules of engagement (RoE).
Examination
The process of reviewing, inspecting, observing, studying or analyzing one or more assessment objects (e.g., specifications, mechanisms, activities). The examination method facilitates assessor understanding, achieves clarification, or obtains evidence.
Finding(s)
Assessment results produced by the application of an assessment procedure to a security control or control enhancement to achieve an assessment objective.
Interview(s)
As a systems assessment technique, the process of holding discussions with individuals or groups within an organization to facilitate assessor understanding, achieve clarification, or obtain evidence.
Judgmental Sampling
Also called purposive sampling or authoritative sampling, it is a nonprobability sampling technique in which the sample members are chosen based on the researcher’s knowledge and judgment.
Misuse Case Testing
Testing strategy and technique from the point of view of an actor hostile to the system, using deliberately chosen sets of actions, which could lead to systems integrity failures, malfunctions, or other security or safety compromises.
Plan of Action and Milestones (POA&M)
A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones for meeting the tasks, and scheduled milestone completion dates.
Rules of Engagement (RoE)
A set of rules, constraints, boundaries, or conditions that establish limits on what participants in an activity may or may not do. Ethical penetration testing, for example, uses RoE to define the scope of the testing to be done and to establish liability limitations for both the testers and the sponsoring organization or systems owners.
Statistical Sampling
The process of selecting subsets of examples from a population with the objective of estimating properties of the total population.
Substantive Test
This testing technique is used by auditors to obtain audit evidence to support auditor opinion.
Testing
The process of exercising one or more assessment objects (e.g., activities or mechanisms) under specified conditions to compare actual with expected behavior.
Trust Services Criteria (TSC)
The criteria used by an auditor when evaluating the suitability of the design and operating effectiveness ofcontrols relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the entity.
security tests
Security tests verify that a control is functioning properly. These tests
include automated scans, tool-assisted penetration tests, and manual attempts to undermine
security. Security testing should take place on a regular schedule, with attention paid to each
of the key security controls protecting an organization.
security assessments
Comprehensive reviews of the security of a system, application,
or other tested environment. During a security assessment, a trained information security
professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed.
security audits
Evaluations performed with the purpose of demonstrating the effectiveness
of controls to a third party. Security audits use many of the same techniques followed during
security assessments but must be performed by independent auditors. The staff members who
design, implement, and monitor controls for an organization have an inherent conflict of
interest when evaluating the effectiveness of those controls.
internal audit
An audit performed by an organization’s internal audit staff and typically
intended for internal audiences.
external audit
An audit performed by an outside auditing firm. These audits have a high
degree of external validity because the auditors performing the assessment theoretically have
no conflict of interest with the organization itself. Aka third-party audit.
third-party audit
An audit conducted by, or on behalf of, another organization, such as a
regulatory authority.
