Page 1114 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Summary
Security assessment and testing programs play a critical role in ensuring that an organization’s security controls remain effective over time. Changes in business operations, the technical environment, security risks, and user behavior may alter the effectiveness of controls that protect the confidentiality, integrity, and availability of information assets. Assessment and testing programs monitor those controls and highlight changes requiring administrator intervention. Security professionals should carefully design their assessment and testing program and revise it as business needs change.

Security testing techniques include vulnerability assessments and software testing. With vulnerability assessments, security professionals perform a variety of tests to identify misconfigurations and other security flaws in systems and applications. Network discovery tests identify systems on the network with open ports. Network vulnerability scans discover known security flaws on those systems. Web vulnerability scans probe the operation of web applications searching for known vulnerabilities.

Software plays a critical role in any security infrastructure because it handles sensitive information and interacts with critical resources. Organizations should use a code review process to allow peer validation of code before moving it to production. Rigorous software testing programs also include the use of static testing, dynamic testing, interface testing, and misuse case testing to robustly evaluate software.

Security management processes include log reviews, account management, backup verification, and tracking of key performance and risk indicators. These processes help security managers validate the ongoing effectiveness of the information security program. They are complemented by formal internal and external audits performed by third parties on a less frequent basis.

