Page 1073 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Building a Security Assessment and Testing Program
The cornerstone maintenance activity for an information security team is its security assessment and testing program. This program includes tests, assessments, and audits that regularly verify that an organization has adequate security controls and that those security controls are functioning properly and effectively safeguarding information assets.
In this section, you will learn about the three major components of a security assessment program:
Security tests
Security assessments
Security audits
Security Testing
Security tests verify that a control is functioning properly. These tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine security. Security testing should take place on a regular schedule, with attention paid to each of the key security controls protecting an organization. When scheduling security controls for review, information security managers should consider the following factors:
Availability of security testing resources
Criticality of the systems and applications protected by the tested controls
Sensitivity of information contained on tested systems and applications
Likelihood of a technical failure of the mechanism implementing the control
Likelihood of a misconfiguration of the control that would

