Security assessment and test strategies

Information technology infrastructure consists of heterogeneous combinations of software, hardware, networking, and communication-related assets. Such a combination is used in design, development, production, and business operations. Risk assessments of IT infrastructure identify the risks to these assets and the impact on the business if an assessed risk materializes. Risk, however, is a function of probability and consequence. Hence, both the probability and the consequence of a risk to the business need to be adequately ascertained in order to design suitable security controls, and such controls have to be effective in mitigating the risk. In this context, proper security assessments and test strategies are required to ascertain the suitability of controls for mitigating the assessed risk, and their continued effectiveness if the risk value changes.

Security assessment and test strategies are administrative controls that provide the processes and procedures to operate controls and to continually assess their effectiveness. This chapter presents some of the assessment and testing strategies that are recommended in best practices and standards, or that are emphasized in regulatory or other frameworks.

Designing and validating assessment and testing strategies

Security assessment and testing strategies are based on the risk to assets. They play a pivotal role in providing inputs to the risk assessment and in validating risk mitigation actions. Hence, while designing assessments and tests, and while validating them, it is important to consider the risk assessment results and the controls that have been identified or implemented. For example, a two-factor authentication system may be implemented as part of a risk mitigation strategy for password compromise.

A security assessment and test of such a control should include technical tests, such as dictionary-attack simulations, as well as social engineering tests, such as phishing or telephone-based techniques, to ascertain the control's effectiveness. Similarly, a technical vulnerability assessment of an operating system may focus both on the identification of the vulnerability itself and on the effectiveness of the administrative controls, such as patch management, that are meant to address it.

In essence, a security assessment is a combination of security tests and the validation of security control effectiveness based on the test results. A security assessment strategy is derived from the requirements of the information security policy, from generic and domain-specific business requirements, and from the risk management process.
