Security Tests Correct Answer-Security tests verify that a control is functioning properly. These
tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine
security. Security testing should take place on a regular schedule, with attention paid to each of
the key security controls protecting an organization.
Security Assessments Correct Answer-Comprehensive reviews of the security of a system,
application, or other tested environment. During a security assessment, a trained information
security professional performs a risk assessment that identifies vulnerabilities in the tested
environment that may allow a compromise and makes recommendations for remediation, as
needed.
NIST SP 800-53A Correct Answer-Guide for assessing the security and privacy controls in federal
information systems; it supplies the assessment procedures that pair with the SP 800-53 control
catalog.
Security Audits Correct Answer-Use many of the same techniques followed during security
assessments but must be performed by independent auditors. Audits are performed with the
purpose of demonstrating the effectiveness of controls to a third party. Auditors provide an
impartial, unbiased view of the organization's security controls.
Internal Audits Correct Answer-Performed by an organization's internal audit staff and are
typically intended for internal audiences.
External Audits Correct Answer-External audits are performed by an outside auditing firm.
These audits have a high degree of external validity because the auditors performing the
assessment theoretically have no conflict of interest with the organization itself. Audits
performed by these firms are generally considered acceptable by most investors and governing
body members.
SSAE 18 Correct Answer-The Statement on Standards for Attestation Engagements document 18.
SSAE 18, which covers reporting on controls at a service organization, provides a common standard
to be used by auditors performing assessments of service organizations. The intent is to let the
service organization undergo one external assessment instead of many customer-driven third-party
assessments, and then share the resulting report with customers and potential customers. Outside
of the United States, similar engagements are conducted under the International Standard on
Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization.
Service Organization Controls (SOC) Audits Correct Answer-SSAE 18 and ISAE 3402
engagements are commonly referred to as service organization controls (SOC) audits (the AICPA
now expands SOC as System and Organization Controls), and they come in three forms:
SOC 1 Engagements
SOC 2 Engagements
SOC 3 Engagements
SOC 1 Engagements Correct Answer-Assess the organization's controls that might impact the
accuracy of financial reporting.
SOC 2 Engagements Correct Answer-Assess the organization's controls that affect the security
(confidentiality, integrity, and availability) and privacy of information stored in a system,
measured against the Trust Services Criteria (security, availability, processing integrity,
confidentiality, and privacy). SOC 2 reports are confidential and are normally shared outside
the organization only under an NDA.
SOC 3 Engagements Correct Answer-Assess the same controls as a SOC 2 engagement, those that
affect the security (confidentiality, integrity, and availability) and privacy of information
stored in a system, but produce a general-use report. SOC 3 audit results are intended for
public disclosure.
Type I Report Correct Answer-Provides the auditor's opinion on the description provided by
management and the suitability of the design of the controls, as of a specific point in time.
A Type I report says nothing about whether the controls actually operated as designed.
Type II Report Correct Answer-Provides the auditor's opinion on both the design and the
operating effectiveness of the controls over an extended period of time (typically 6 to 12
months), based on tests of the controls during that period.
Control Objectives for Information and Related Technology (COBIT) Correct Answer-COBIT
describes the common requirements that organizations should have in place surrounding their
information systems. The COBIT framework is maintained by ISACA.
International Organization for Standardization (ISO) Correct Answer-Publishes, jointly with the
IEC, the ISO/IEC 27000 family of information security standards.
ISO 27001 Correct Answer-The ISO/IEC 27001 standard specifies the requirements for establishing,
implementing, maintaining, and continually improving an information security management system
(ISMS). It is the standard in the family against which organizations can be certified.
ISO 27002 Correct Answer-The ISO/IEC 27002 standard is a code of practice for information
security: a catalog of controls with implementation guidance (114 controls in the 2013 edition,
reorganized into 93 controls in the 2022 edition). It is not certifiable on its own; it supports
the control selection required by ISO 27001. The standard is intended to provide a guide for the
development of "organizational security standards and effective security management practices
and to help build confidence in inter-organizational activities".
Vulnerabilities Correct Answer-Weaknesses in systems and security controls that might be
exploited by a threat.
Security Content Automation Protocol (SCAP) Correct Answer-A NIST specification (SP 800-126)
that combines a set of component standards so that vulnerability and configuration scanning can
be automated and the results exchanged between tools in a common format.
Common Vulnerabilities and Exposures (CVE) Correct Answer-Provides a naming system for
describing security vulnerabilities, using identifiers of the form CVE-YYYY-NNNN (four or more
digits in the sequence number).
Common Vulnerability Scoring System (CVSS) Correct Answer-Provides a standardized scoring
system (0.0 to 10.0) for describing the severity of security vulnerabilities. The score is
computed from a vector of base metrics (attack vector, attack complexity, privileges required,
user interaction, scope, and confidentiality, integrity, and availability impact).
Common Configuration Enumeration (CCE) Correct Answer-Provides a naming system for
system configuration issues.
Common Platform Enumeration (CPE) Correct Answer-Provides a naming system for operating
systems, applications, and devices.
Extensible Configuration Checklist Description Format (XCCDF) Correct Answer-Provides a
language for specifying security checklists.
Open Vulnerability and Assessment Language (OVAL) Correct Answer-Provides an XML language for
describing security testing procedures: machine-readable checks of system state (installed
software, patches, configuration settings) and a format for reporting the results.
Network Discovery Scanning Correct Answer-Uses a variety of techniques to scan a range of IP
addresses, searching for systems with open ports.