6.1 Key Concepts: Design and validate assessment, test, and audit strategies Flashcards
Domain 6 (26 cards)
is an evaluation of an organization’s security posture, aimed at identifying vulnerabilities, threats, and risks to the organization’s information assets.
security assessment
is a systematic evaluation of an organization’s information system security against a set of established criteria or standards. Generally, it must be conducted by
independent (usually external)
security audit
Regular evaluations conducted by departments or teams to assess their own security practices.
– Often used as a preliminary step before more formal assessments.
– Can help foster a culture of security awareness.
Self-assessments
Formal examinations of security controls and processes by the organization’s internal audit team.
– They provide a deeper understanding of the organization’s current security posture from an insider’s perspective.
– Help ensure compliance with internal policies and external regulations.
Internal audits
Systematic reviews of security weaknesses in systems and applications.
– Often automated using vulnerability scanning tools.
– Should be conducted regularly to identify new vulnerabilities.
Vulnerability assessments
Simulated attacks on systems to identify exploitable vulnerabilities.
– Can be conducted by an internal “red team” or specialized security personnel.
– Provides valuable insights into real-world attack scenarios and validates the efficacy of existing security controls.
Penetration testing
Developing and tracking key performance indicators (KPIs) for security.
– Helps quantify the effectiveness of security controls.
– Supports data-driven decision-making for security investments.
Security metrics and reporting
Simulated attacks conducted by specialized security firms.
– Offers an outside perspective on the organization’s security defenses.
– Can identify vulnerabilities that may be overlooked internally.
External penetration testing
Comprehensive reviews of an organization’s security program by external experts.
– Can provide valuable insights and recommendations based on industry best practices.
– Often used to benchmark against industry standards or prepare for certifications.
Security assessments by consultants
Assessments specifically focused on adherence to regulatory requirements.
– Examples include HIPAA audits for healthcare organizations or PCI DSS assessments for companies handling payment card data.
Compliance audit or assessment
Evaluations of the security practices of third-party vendors or service providers.
– Critical for managing supply chain risks.
– May involve questionnaires, on-site visits, or review of the vendor’s security certifications.
Vendor security assessments
are controlled by an external organization. This could be a regulatory body, a customer, or another entity. The auditors are selected by the initiating organization (often a regulatory body or customer), and the organization being audited has little control over the process. are often conducted for regulatory compliance or contractual obligations.
Third-party audits
To reduce the burden of multiple audits for organizations with large numbers of clients, like public cloud service providers (CSPs), standards were developed by the American Institute of Certified Public Accountants (AICPA).
Statement on Standards for Attestation Engagements (SSAE) 18
Statement on Standards for Attestation Engagements (SSAE) audits
System and Organization Controls (SOC) audits
Assesses controls impacting financial reporting accuracy.
SOC 1
Evaluates security and privacy controls. Results are confidential. Typically, the organization audited requires customers to sign an NDA to receive a copy.
SOC 2
Similar to SOC 2, but results are for public disclosure.
SOC 3
Auditor’s opinion on management’s control description and design suitability at a specific point in time.
Type I SOC 2 Report
Includes Type I content plus assessment of control effectiveness over an extended period, usually six months or longer. are considered more reliable as they involve actual testing of controls.
Type II SOC 2 Report
- Security: Ensures that the service organization has implemented appropriate measures to protect the security of systems, data, and networks.
- Availability: Ensures that the service organization has implemented appropriate measures to ensure the availability of systems, data, and networks.
- Processing Integrity: Ensures that the service organization has implemented appropriate measures to ensure that data is processed accurately and completely.
- Confidentiality: Ensures that the service organization has implemented appropriate measures to protect the confidentiality of data.
- Privacy: Ensures that the service organization has implemented appropriate measures to protect the privacy of personal information.
SOC 2 Five Trust Principles
- Physical Access. Auditors typically need physical access to hardware, network devices, and data centers for inspection, configuration reviews, and testing.
- Control and Visibility. The organization retains greater control over its infrastructure, thus auditors have more direct visibility into security configurations.
- Scope. Audits may be focused on traditional IT infrastructure, including network security, operating systems, physical safeguards, etc.
On-premises. Challenges and considerations
- Shared Responsibility. Security is a shared responsibility between the organization and the cloud provider. Audit focus shifts towards how the organization uses the cloud services.
- Documentation and APIs. Auditors rely heavily on cloud provider documentation, service configurations, and access to relevant APIs for gathering evidence.
- Compliance Focus. Emphasis is often on meeting cloud-specific security standards (e.g., SOC 2, ISO 27001, FedRAMP) and the organization’s configuration of cloud services.
Cloud. Challenges and considerations
- Increased Complexity. Hybrid environments present the greatest complexity due to the mix of on-premises and cloud components that need auditing.
- Data Flows. Understanding how data moves between on-premises and cloud environments is crucial for risk assessment.
- Integrated Controls. Auditors must evaluate the effectiveness of security controls across the entire hybrid landscape.
Hybrid cloud challenges
refers to a customer’s contractual right to directly assess a service provider’s security, compliance, and operational practices. This is especially important for highly regulated industries, where regulations may require direct audits to ensure the secure storage and handling of sensitive data.
Right-to-Audit