Page 1074 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
jeopardize security
Risk that the system will come under attack
Rate of change of the control configuration
Other changes in the technical environment that may affect the control performance
Difficulty and time required to perform a control test
Impact of the test on normal business operations
After assessing each of these factors, security teams design and
validate a comprehensive assessment and testing strategy. This
strategy typically combines frequent automated tests with
infrequent manual tests. For example, a credit card processing system
may undergo automated vulnerability scanning on a nightly basis with
immediate alerts to administrators when the scan detects a new
vulnerability. Once configured, the automated scan requires little
ongoing administrator effort beyond triaging its results, so it is
practical to run it quite frequently. The security team may wish to
complement those automated scans with a manual penetration test
performed by an external consultant for a significant fee; such a
test can find business logic flaws and chained weaknesses that
automated scanners miss. Those tests may occur on an annual basis to
minimize costs and disruption to the business.
Many security testing programs begin on a haphazard
basis, with security professionals simply pointing their fancy new
tools at whatever systems they come across first. Experimentation
with new tools is fine, but security testing programs should be
carefully designed and include rigorous, routine testing of systems
using a risk-prioritized approach.
Of course, it's not sufficient to simply perform security tests. Security
professionals must also carefully review the results of those tests to
ensure that each test actually ran to completion and covered its
intended targets; a scan that silently timed out or skipped an
unreachable host reports nothing for that host and creates a false
sense of security. In some cases, these reviews consist of manually
reading the test output and verifying that the test completed
successfully. Other tests produce results that require human
interpretation and must be reviewed by trained analysts.
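The nightly scan-and-alert workflow described above, together with the review step that confirms each test actually completed, is illustrated by the following added example. It is not code from the study guide or from any scanner vendor; the scan records, field names (`status`, `targets`, `hosts_scanned`, `findings`, `plugin_id`) and the host addresses are constructed for the example and stand in for whatever export format a real scanner produces. The logic compares tonight's scan against the previous night's baseline so that only new findings generate alerts, orders them by severity to support a risk-prioritized response, and refuses to treat a finding as resolved when its host was simply not reached.

```python
"""Review a nightly vulnerability scan: verify it completed, alert on new findings.

Added example (not from the CISSP study guide). The scan records below are
constructed sample data in an assumed, simplified export format.
"""

# Constructed baseline: last night's scan, all three targets reached.
PREVIOUS_SCAN = {
    "status": "completed",
    "targets": ["10.0.1.10", "10.0.1.11", "10.0.1.12"],
    "hosts_scanned": ["10.0.1.10", "10.0.1.11", "10.0.1.12"],
    "findings": [
        {"host": "10.0.1.10", "plugin_id": "11001", "severity": "medium", "title": "TLS 1.0 enabled"},
        {"host": "10.0.1.11", "plugin_id": "11002", "severity": "low", "title": "ICMP timestamp disclosure"},
    ],
}

# Constructed sample: tonight's scan. One target was unreachable, one known
# finding persists, two findings are new, and one old finding no longer appears.
CURRENT_SCAN = {
    "status": "completed",
    "targets": ["10.0.1.10", "10.0.1.11", "10.0.1.12"],
    "hosts_scanned": ["10.0.1.10", "10.0.1.11"],
    "findings": [
        {"host": "10.0.1.10", "plugin_id": "11001", "severity": "medium", "title": "TLS 1.0 enabled"},
        {"host": "10.0.1.10", "plugin_id": "11003", "severity": "critical", "title": "Outdated OpenSSL"},
        {"host": "10.0.1.11", "plugin_id": "11004", "severity": "high", "title": "Default credentials"},
    ],
}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def finding_key(finding):
    """A finding is identified by where it was seen and which check raised it."""
    return (finding["host"], finding["plugin_id"])


def validate_scan(scan):
    """Return a list of reasons the scan cannot be trusted; empty means it can.

    This is the 'did the test actually succeed' review: a scan that did not
    complete, or that never reached some of its targets, must not be read as
    'no vulnerabilities on those hosts'.
    """
    problems = []
    if scan["status"] != "completed":
        problems.append(f"scan status is {scan['status']!r}, not 'completed'")
    missing = sorted(set(scan["targets"]) - set(scan["hosts_scanned"]))
    if missing:
        problems.append("targets not scanned: " + ", ".join(missing))
    return problems


def new_findings(previous, current, min_severity="low"):
    """Findings present tonight but absent from the baseline, most severe first."""
    known = {finding_key(f) for f in previous["findings"]}
    threshold = SEVERITY_RANK[min_severity]
    fresh = [
        f for f in current["findings"]
        if finding_key(f) not in known and SEVERITY_RANK[f["severity"]] >= threshold
    ]
    return sorted(fresh, key=lambda f: (-SEVERITY_RANK[f["severity"]], f["host"], f["plugin_id"]))


def resolved_findings(previous, current):
    """Baseline findings that no longer appear, counted only for hosts actually scanned.

    A finding that vanished because its host was unreachable is unknown, not fixed.
    """
    scanned = set(current["hosts_scanned"])
    present = {finding_key(f) for f in current["findings"]}
    return [f for f in previous["findings"] if f["host"] in scanned and finding_key(f) not in present]


def review_scan(previous, current, min_severity="low"):
    """Build the nightly alert summary an administrator would be paged with."""
    problems = validate_scan(current)
    return {
        "trusted": not problems,
        "problems": problems,
        "new": new_findings(previous, current, min_severity),
        "resolved": resolved_findings(previous, current),
    }


if __name__ == "__main__":
    report = review_scan(PREVIOUS_SCAN, CURRENT_SCAN)
    print("scan trusted:", report["trusted"])
    for problem in report["problems"]:
        print("  PROBLEM:", problem)
    for f in report["new"]:
        print(f"  NEW [{f['severity']}] {f['host']} {f['plugin_id']} {f['title']}")
    for f in report["resolved"]:
        print(f"  RESOLVED {f['host']} {f['plugin_id']} {f['title']}")
```

Run against the constructed data, the review flags the unscanned host as a problem (so the scan is not trusted as complete coverage), raises two new alerts ordered critical then high, and reports the ICMP finding as resolved because its host was scanned and the finding did not recur. Raising `min_severity` lets a team page only on the findings whose risk justifies a night-time response while the rest wait for the morning review.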