Section 113.121 Attestation of Findings Flashcards
Objective 5.5 Explain types and purposes of audits and assessments
Attestation
Process that involves the formal validation or confirmation provided by an entity, used to assert the accuracy and authenticity of specific information
■ Crucial in internal and external audits to ensure the reliability and integrity of the following…
● Data
● Systems
● Processes
Attestation of Findings in Penetration Testing
Used to prove that a penetration test occurred and validate the findings
■ May be required for compliance or regulatory purposes (e.g., GLBA, HIPAA, Sarbanes-Oxley, PCI DSS)
■ Includes a summary of findings and evidence of the security assessment
■ Evidence helps to prove that identified vulnerabilities and exploits are valid
The difference between attestation and the report
● Attestation includes evidence
● Report focuses on findings and recommended remediation
A letter of attestation may be provided to prove the occurrence of the penetration testing, especially when required by third parties interested in network security
Types of Attestation
Software Attestation
Validates the integrity of software to ensure it hasn’t been tampered with
Hardware Attestation
Validates the integrity of hardware components to confirm they haven’t been tampered with
System Attestation
Validates the security posture of a system, often related to compliance with security standards
Attestation in Audits
■ In internal audits, attestation evaluates organisational compliance, effectiveness of internal controls, and adherence to policies and procedures
■ In external audits, third-party entities provide attestation on financial statements, regulatory compliance, and operational efficiency
■ Attestation builds trust, enhances transparency, ensures accountability, and is essential for stakeholders in making informed decisions