690 Chapter 15 ■ Security Assessment and Testing
Key Performance and Risk Indicators
Security managers should also monitor key performance and risk indicators on an ongoing basis. The exact metrics they monitor will vary from organization to organization but may include the following:
■ Number of open vulnerabilities
■ Time to resolve vulnerabilities
■ Vulnerability/defect recurrence
■ Number of compromised accounts
■ Number of software flaws detected in preproduction scanning
■ Repeat audit findings
■ User attempts to visit known malicious sites
Once an organization identifies the key security metrics it wishes to track, managers may want to develop a dashboard that clearly displays the values of these metrics over time and display it where both managers and the security team will regularly see it.
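As an added illustration (not part of the book's text), the following Python sketch computes three of the indicators listed above from a constructed set of vulnerability-tracker records and produces the per-date series a dashboard would plot. The record layout and the recurrence rule (the same flaw reappearing on the same host after an earlier closure) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Finding:
    host: str
    flaw: str                     # vulnerability identifier or defect class
    opened: date
    closed: Optional[date] = None  # None means still open

# Constructed sample tracker records (not real data).
FINDINGS = [
    Finding("web-01", "VULN-A", date(2024, 1, 2), date(2024, 1, 9)),
    Finding("web-01", "VULN-A", date(2024, 2, 1), None),   # same flaw, same host, after closure
    Finding("db-02", "VULN-B", date(2024, 1, 5), date(2024, 1, 20)),
    Finding("app-03", "VULN-C", date(2024, 1, 10), None),
    Finding("db-02", "VULN-D", date(2024, 2, 3), date(2024, 2, 5)),
]

def open_vulnerabilities(findings, as_of):
    """Findings opened on or before as_of and not closed by that date."""
    return sum(1 for f in findings
               if f.opened <= as_of and (f.closed is None or f.closed > as_of))

def median_days_to_resolve(findings, as_of):
    """Median open-to-close time over findings closed by as_of (None if none closed)."""
    days = [(f.closed - f.opened).days for f in findings if f.closed and f.closed <= as_of]
    return median(days) if days else None

def recurrence_count(findings, as_of):
    """Count findings whose (host, flaw) pair had already been closed once before."""
    seen_closed, recurrences = set(), 0
    for f in sorted(findings, key=lambda f: f.opened):
        if f.opened > as_of:
            break
        key = (f.host, f.flaw)
        if key in seen_closed:
            recurrences += 1
        if f.closed and f.closed <= as_of:
            seen_closed.add(key)
    return recurrences

def kpi_snapshot(findings, as_of):
    return {"open_vulnerabilities": open_vulnerabilities(findings, as_of),
            "median_days_to_resolve": median_days_to_resolve(findings, as_of),
            "recurrences": recurrence_count(findings, as_of)}

def dashboard_series(findings, iso_dates):
    """One snapshot per reporting date: the time series a dashboard would plot."""
    return [(d, kpi_snapshot(findings, date.fromisoformat(d))) for d in iso_dates]
```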
Summary
Security assessment and testing programs play a critical role in ensuring that an organization’s security controls remain effective over time. Changes in business operations, the technical environment, security risks, and user behavior may alter the effectiveness of controls that protect the confidentiality, integrity, and availability of information assets. Assessment and testing programs monitor those controls and highlight changes requiring administrator intervention. Security professionals should carefully design their assessment and testing program and revise it as business needs change.
Security testing techniques include vulnerability assessments and software testing. With vulnerability assessments, security professionals perform a variety of tests to identify misconfigurations and other security flaws in systems and applications. Network discovery tests identify systems on the network with open ports. Network vulnerability scans discover known security flaws on those systems. Web vulnerability scans probe the operation of web applications searching for known vulnerabilities.
Software plays a critical role in any security infrastructure because it handles sensitive information and interacts with critical resources. Organizations should use a code review process to allow peer validation of code before moving it to production. Rigorous software testing programs also include the use of static testing, dynamic testing, interface testing, and misuse case testing to robustly evaluate software.
Security management processes include log reviews, account management, backup verification, and tracking of key performance and risk indicators. These processes help security managers validate the ongoing effectiveness of the information security program. They are complemented by formal internal and external audits performed by third parties on a less frequent basis.