Page 121 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

processes/procedures, and documentation of incidents and responses for review.

Third-Party Audit Having an independent third-party auditor, as defined by the American Institute of Certified Public Accountants (AICPA), can provide an unbiased review of an entity's security infrastructure, based on Service Organization Control (SOC) reports. Statement on Standards for Attestation Engagements (SSAE) is a regulation that defines how service organizations report on their compliance using the various SOC reports. The SSAE 16 version of the regulation, effective June 15, 2011, was replaced by SSAE 18 as of May 1, 2017. The SOC1 and SOC2 auditing frameworks are worth considering for the purpose of a security assessment. The SOC1 audit focuses on a description of security mechanisms to assess their suitability. The SOC2 audit focuses on implemented security controls in relation to availability, security, integrity, privacy, and confidentiality. For more on SOC audits, see https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/socguidesandpublications.html.

For all acquisitions, establish minimum security requirements. These should be modeled from your existing security policy. The security requirements for new hardware, software, or services should always meet or exceed the security of your existing infrastructure. When working with an external service, be sure to review any service-level agreement (SLA) to ensure that security is a prescribed component of the contracted services. This could include customization of service-level requirements for your specific needs.

Here are some excellent resources related to security integrated with acquisition:

     Improving Cybersecurity and Resilience through Acquisition. Final Report of the Department of Defense and General Services Administration, published November 2013 (www.gsa.gov/portal/getMediaData?mediaId=185371)

     NIST Special Publication 800-64 Revision 2: Security Considerations in the System Development Life Cycle (http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-