Chapter 13. Day 13 – Security Assessment and Testing - Designing, Performing Security Assessment, and Tests

This chapter covers tools, methods, and techniques used for identifying and mitigating risks due to architectural and developmental issues in information assets and associated infrastructure, by systematic security assessment and testing. The requirements pertaining to security controls and measures to assess their continued effectiveness are covered in detail here.

A candidate appearing for a CISSP exam is expected to understand the foundational concepts and possess knowledge of the following key areas of the security assessment and testing domain:

  • Security assessment and test strategies
  • Security control testing
  • Designing and validating assessment and test strategies
  • Understanding security testing and tools, methods, and techniques
  • Understanding the effectiveness of controls

An overview of security assessment and testing

Risk management includes security assessment and testing. Controls, whether preventive, detective, or corrective, require appropriate design and implementation. During the design, development, implementation, and operational phases of security controls, assessment and testing need to be performed on a periodic basis to ascertain the effectiveness of the controls and their continued suitability for protecting the assets.

Generally, security assessment and testing is carried out on the basis of suitably designed assessment and test strategies. Such strategies specify the testing tools, methods, and techniques to be applied. It is also important that the test results provide data on the effectiveness of the implemented security control.

Observe the following illustration. IT assets, such as computers, contain operating systems, databases, and applications. They are used in day-to-day business operations, in transaction processing for e-commerce, in universities, and so on. Security issues in such systems could allow unauthorized access or cause denial of service. Security assessment and testing methods and tools help identify such security issues and mitigate them:

[Figure: An overview of security assessment and testing]

In this module, you will understand the following:

  • Designing and validating assessment and test strategies
  • Security testing and tools, methods, and techniques
  • The effectiveness of controls