Building a Security Assessment and Testing Program 663
security controls protecting an organization. When scheduling security controls for review,
information security managers should consider the following factors:
■ Availability of security testing resources
■ Criticality of the systems and applications protected by the tested controls
■ Sensitivity of information contained on tested systems and applications
■ Likelihood of a technical failure of the mechanism implementing the control
■ Likelihood of a misconfiguration of the control that would jeopardize security
■ Risk that the system will come under attack
■ Rate of change of the control configuration
■ Other changes in the technical environment that may affect the control performance
■ Difficulty and time required to perform a control test
■ Impact of the test on normal business operations
After assessing each of these factors, security teams design and validate a comprehensive
assessment and testing strategy. This strategy may include frequent automated tests
supplemented by infrequent manual tests. For example, a credit card processing system
may undergo automated vulnerability scanning on a nightly basis with immediate alerts
to administrators when the scan detects a new vulnerability. The automated scan requires
no work from administrators once it is configured, so it is easy to run quite frequently. The
security team may wish to complement those automated scans with a manual penetration
test performed by an external consultant for a significant fee. Those tests may occur on an
annual basis to minimize costs and disruption to the business.
Many security testing programs begin on a haphazard basis, with security
professionals simply pointing their fancy new tools at whatever systems
they come across first. Experimentation with new tools is fine, but security
testing programs should be carefully designed and include rigorous, routine
testing of systems using a risk-prioritized approach.
Of course, it’s not sufficient to simply perform security tests. Security professionals must
also carefully review the results of those tests to ensure that each test was successful. In
some cases, these reviews consist of manually reading the test output and verifying that
the test completed successfully. Some tests require human interpretation and must be
performed by trained analysts.
Other reviews may be automated, performed by security testing tools that verify the
successful completion of a test, log the results, and remain silent unless there is a significant
finding. When the system detects an issue requiring administrator attention, it may trigger
an alert, send an email or text message, or automatically open a trouble ticket, depending
on the severity of the alert and the administrator’s preference.
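The automated review described above, worked through as an added example (not code from the book): it first confirms the nightly scan actually completed, then diffs the results against the previous night's baseline and routes only new findings according to a per-severity preference. The report shape, host addresses, check identifiers and routing table are all constructed for illustration, not any real scanner's format.

```python
"""Triage of nightly vulnerability-scan results: verify completion, diff
against last night's baseline, and route only new findings by severity."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (host, check id, severity)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan reports in a simplified, scanner-neutral shape.
PREVIOUS = {
    "status": "completed",
    "targets": ["10.0.5.10", "10.0.5.11"],
    "scanned": ["10.0.5.10", "10.0.5.11"],
    "findings": [("10.0.5.10", "CHECK-0001", "medium"),
                 ("10.0.5.11", "CHECK-0002", "low")],
}
CURRENT = {
    "status": "completed",
    "targets": ["10.0.5.10", "10.0.5.11"],
    "scanned": ["10.0.5.10", "10.0.5.11"],
    "findings": [("10.0.5.10", "CHECK-0001", "medium"),
                 ("10.0.5.11", "CHECK-0002", "low"),
                 ("10.0.5.11", "CHECK-0003", "critical"),
                 ("10.0.5.10", "CHECK-0004", "high")],
}

# Hypothetical administrator preference: "log" means record and stay silent.
ROUTING = {"low": "log", "medium": "log", "high": "email", "critical": "ticket"}

def scan_completed(report: Dict) -> Tuple[bool, str]:
    """A silent result is only trustworthy if the test itself succeeded."""
    if report["status"] != "completed":
        return False, f"scan status {report['status']!r}"
    missed = set(report["targets"]) - set(report["scanned"])
    if missed:
        return False, f"targets not scanned: {sorted(missed)}"
    return True, "ok"

def new_findings(previous: Dict, current: Dict) -> List[Finding]:
    """Findings present tonight but absent from the baseline, worst first."""
    baseline = set(previous["findings"])
    fresh = [f for f in current["findings"] if f not in baseline]
    return sorted(fresh, key=lambda f: SEVERITY_RANK[f[2]], reverse=True)

def triage(previous: Dict, current: Dict, routing=ROUTING) -> Dict[str, List[Finding]]:
    """Route new findings per the routing policy; never stay silent on a failed scan."""
    actions: Dict[str, List[Finding]] = {"log": [], "email": [], "ticket": []}
    ok, reason = scan_completed(current)
    if not ok:  # an incomplete test is itself an issue needing attention
        actions["ticket"].append(("scanner", "SCAN-INCOMPLETE", reason))
        return actions
    for f in new_findings(previous, current):
        actions[routing[f[2]]].append(f)
    return actions
```

The pre-existing medium and low findings stay in the baseline and produce no noise; only the two new findings are routed, and a scan that missed a target opens a ticket even though it reported nothing new.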