Page 1075 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Other reviews may be automated, performed by security testing tools
that verify the successful completion of a test, log the results, and
remain silent unless there is a significant finding. When the system
detects an issue requiring administrator attention, it may trigger an
alert, send an email or text message, or automatically open a trouble
ticket, depending on the severity of the alert and the administrator’s
preference.
Security Assessments
Security assessments are comprehensive reviews of the security of a
system, application, or other tested environment. During a security
assessment, a trained information security professional performs a
risk assessment that identifies vulnerabilities in the tested
environment that may allow a compromise and makes
recommendations for remediation, as needed.
Security assessments normally include the use of security testing tools
but go beyond automated scanning and manual penetration tests.
They also include a thoughtful review of the threat environment,
current and future risks, and the value of the targeted environment.
The main work product of a security assessment is normally an
assessment report addressed to management that contains the results
of the assessment in nontechnical language and concludes with
specific recommendations for improving the security of the tested
environment.
Assessments may be conducted by an internal team, or they may be
outsourced to a third-party assessment team with specific expertise in
the areas being assessed.
NIST SP 800-53A
The National Institute of Standards and Technology (NIST) offers
a special publication that describes best practices in conducting
security and privacy assessments. NIST Special Publication 800-53A:
Assessing Security and Privacy Controls in Federal Information
Systems and Organizations is available for download: