Chapter 14. Day 14 – Security Assessment and Testing - Controlling, Analyzing, Auditing, and Reporting

This chapter covers management and operational controls pertaining to security process data. Analyzing and reporting test outputs, whether produced by automated or manual methods, and conducting or facilitating internal and third-party audits are also covered in detail.

A candidate appearing for the CISSP exam is expected to understand the foundational concepts and have knowledge in the following key areas of controlling, analyzing, auditing, and reporting security tests from the security assessment and testing domains:

  • Management and operational controls on security process data
  • Disaster recovery and business continuity
  • Analyzing and reporting test outputs
  • Internal and third-party security audits

An overview of controlling, analyzing, auditing, and reporting security test data

Security controls can be grouped as administrative and technical. The physical verification of an employee badge is a procedural administrative security control. Similarly, an access control system, such as a card reader that automates such a verification, is a technical security control. In either case, the function of a security control is based on data.

There are two types of applicable data pertaining to security controls. One is the data that is provided to the control for processing, in other words, the input data to the control. The other is security process data, in other words, the output data. For example, a vulnerability scan on systems generates a large amount of process data. Similarly, monitoring systems, such as intrusion prevention or detection systems, generate process data during control operations.

The input and output data of a security process has to be secured to support analysis and to establish an audit trail. Besides, such process data may need to be preserved for a longer period of time based on legal and regulatory requirements.
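As an added illustration of the point above (this is not code from the book), the following Python module stores the input data and the output, or process, data of a security control together in an append-only, hash-chained record, so that later analysis can detect any tampering, and tags each record with a retention deadline. The control names, field layout, retention periods and sample values are constructed for the example.

```python
"""Added example: hash-chained storage of security process data with a
retention check.  Field names, control names and retention periods are
assumptions chosen for illustration, not from any standard or product."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # assumed anchor value for the first record's prev_hash


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys) so an identical record always hashes the same way
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class ProcessDataLog:
    """Keeps the input data and the output (process) data of a control in one
    record, chained to the previous record by hash to give an audit trail."""

    def __init__(self):
        self.records = []

    def append(self, control, input_data, output_data, retain_days, ts=None):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        ts = ts or datetime.now(timezone.utc)
        body = {
            "seq": len(self.records),
            "control": control,
            "input": input_data,          # data given to the control
            "output": output_data,        # security process data it produced
            "timestamp": ts.isoformat(),
            "retain_until": (ts + timedelta(days=retain_days)).isoformat(),
            "prev_hash": prev,
        }
        body["hash"] = _digest(body)      # hash covers every field except itself
        self.records.append(body)
        return body["hash"]

    def verify(self):
        """Return the index of the first altered record, or None if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
                return i
            prev = rec["hash"]
        return None

    def due_for_disposal(self, now):
        """Sequence numbers of records whose retention period has ended at `now`."""
        return [r["seq"] for r in self.records
                if datetime.fromisoformat(r["retain_until"]) <= now]


def demo():
    """Constructed sample: one badge-reader decision and one scan result."""
    log = ProcessDataLog()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log.append("badge-reader", {"badge_id": "B-1001"}, {"decision": "allow"}, 90, ts=t0)
    log.append("vuln-scan", {"target": "10.0.0.5"}, {"findings": 3}, 365, ts=t0)
    intact = log.verify()                                  # None: chain is good
    log.records[0]["output"]["decision"] = "deny"          # simulate tampering
    tampered_at = log.verify()                             # 0: first record altered
    disposal = log.due_for_disposal(t0 + timedelta(days=100))  # [0]: 90-day record expired
    return intact, tampered_at, disposal


if __name__ == "__main__":
    print(demo())
```

The chain only proves integrity relative to the stored records; in practice the latest hash would also be written somewhere the log writer cannot modify (a separate system or a signed checkpoint), and retention deadlines would come from the applicable legal and regulatory requirements rather than the fixed numbers used here.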


In this module, you will learn the following:

  • Understanding the collection of security process data
  • Understanding key performance and risk indicators
  • Understanding disaster recovery and business continuity
  • Getting an overview of automated and manual test results analysis and reporting methods
  • Understanding internal and third-party audits and requirements