By the end of this course you will be able to
- Distinguish assessment, testing and audit, and choose formal vs informal, internal vs external vs third-party.
- Select frameworks and standards (NIST RMF, CSF, ISO 27000, SOC/SSAE 18, PCI DSS).
- Run a vulnerability assessment and ethical penetration testing (RoE, box testing, red/blue/purple).
- Pick the right software test technique: SAST/DAST, misuse case, negative, coverage, interface.
- Collect process data: account management, KPI/KRI, backups, SETA, BC/DR tests.
- Manage remediation, exceptions and ethical disclosure; read a SOC report.
Prerequisites : Domain 1 (risk management, due care/due diligence, governance), Domain 5 (IAM, accounts, AAA) and Domain 8 notions (SDLC) help. No advanced technical prerequisite.
Suggested path
Suggested path: 4 sessions of 3 to 4 hours over 2 to 3 weeks. Redo the checkpoints before moving on, then the full quiz (150+ Q) as a final review.
-
Session 1 - Strategies and methods
MODULE 1 · MODULE 2
Assessment/audit/testing, SOC, methods, logs, sampling.
-
Session 2 - Offensive and software testing
MODULE 3 · MODULE 4
Vulnerability assessment, pentest, SAST/DAST, coverage, interface.
-
Session 3 - Process data
MODULE 5 · MODULE 6
Account management, KPI/KRI, backups, SETA, BC/DR tests.
-
Session 4 - Analysis and audits
MODULE 7 · MODULE 8
Remediation, PDCA, ethical disclosure, internal/external/third-party audits, SOC.
Assessment, test and audit strategies
Prerequisites : Risk and compliance notions from Domain 1.
Before testing anything, the organisation needs a formal strategy to evaluate its control environment. This module sets the vocabulary (assessment, audit, test, finding), the types (formal/informal), the perspectives (internal/external) and the standards that structure practice, including the SOC report family.
1.1 Assessment, audit, testing: three words, three realities
Assessment vocabulary is confusing because different professions use close terms. Three notions must be crisp.
An assessment is a broad evaluation of controls against management expectations. Its scope, schedule and reporting are set by management; it often precedes an audit to spot and fix weaknesses.
An audit is a structured review of information, observations and data to measure compliance with a defined standard. The evidence examined is called artifacts (log, policy, interview result). A formal audit requires independent evaluators, outside the management chain responsible for the system: this independence ensures no undue influence skews judgment.
Testing compares the actual behaviour of a system, process or activity, under defined conditions, with its expected behaviour. Testing is a building block that can serve an assessment or an audit, but can also stand alone as security monitoring. Key point: expected performance must be defined BEFORE testing, otherwise you cannot conclude.
Finally, an evaluation is formal (against a legal, regulatory or contractual standard, by independents) or informal (to gather observations and insight, not directly for compliance). Informal often gives management a preview of what a formal audit would reveal.
- Assessment = broad, management-driven; Audit = formal vs a standard, independent; Testing = execution, reusable block.
- Independence is the central requirement of a credible audit.
- Define the expected before testing, otherwise no conclusion is possible.
- Formal = compliance vs a standard; informal = observations with no direct aim.
1.2 Anatomy of a finding and testing perspectives
An audit result is delivered as findings, compiled into a report given to the chartering organisation. A typical finding has five elements: Condition (what the audit observed), Criteria (the measuring standard), Cause (why the gap exists), Effect (the gap and its significance) and Recommendation (the corrective action). A finding's accuracy depends on artifact integrity: they must reflect the true state of the control against its objective.
Testing follows an internal or external perspective. Internal testing assumes the identity of a trusted insider or an attacker who has already crossed the perimeter (see NIST SP 800-115); it covers application configuration, authentication, access control and hardening, and may include privilege escalation. Insider threats remain a major source of compromise. External testing takes the view of an untrusted individual outside the perimeter, to find weaknesses exploitable from outside.
Practical rule: if both external AND internal are planned, run external first, because the information available to internal testing is generally richer. The internal/external distinction blurs with zero trust and deperimeterization, which apply controls based only on the privileges needed for a task.
- Finding = Condition + Criteria + Cause + Effect + Recommendation.
- Internal test = insider; external test = untrusted outsider.
- If both: external first (internal has more info available).
- Zero trust and deperimeterization blur the internal/external line.
1.3 Assessment standards and frameworks
Standards and frameworks form a virtuous circle with laws and market expectations: all incentivise good practice. Several anchors structure security evaluation.
NIST Risk Management Framework (RMF, SP 800-37 Rev. 2) is the reference for US federal agencies and many of their contractors. Two useful companions: SP 800-53 Rev. 5 (security and privacy controls) and SP 800-171 (protecting controlled unclassified information at non-federal entities).
NIST Cybersecurity Framework (CSF) offers a voluntary, risk-driven maturity model, simpler and incremental; it emphasises detecting an incident. ISO 27000 serves as an audit framework to evaluate an ISMS and is widely adopted outside the United States.
Finally, the AICPA control-evaluation framework, known through its SOC reports, evaluates an organisation against the Trust Services Criteria. Beyond that, many organisations fall under several sector frameworks at once: PCI DSS (cards), IEC 62443 (industrial control), Cyber Essentials (UK), NERC CIP (US critical infrastructure), CSA STAR (cloud), SWIFT CSCF (finance). The UK NCSC also proposes 12 supply chain security principles (understand the risks, establish control, check, continuous improvement).
- RMF (800-37) + 800-53 (controls) + 800-171 (non-federal CUI).
- CSF = voluntary, maturity, detection emphasis.
- ISO 27000 = ISMS audit, strong outside the US.
- Sector: PCI DSS, IEC 62443, NERC CIP, CSA STAR, SWIFT, Cyber Essentials.
- NCSC: 12 supply chain security principles.
1.4 SOC reports: 1, 2, 3 and Cybersecurity
The SOC (Service Organization Control) framework, defined by SSAE 18 (partly updated by SSAE 20), lets a provider attest to its controls for its clients. Four reports, not to be confused.
SOC 1 attests to internal controls over financial reporting (ICFR). It cannot cover disaster recovery or privacy.
SOC 2 (also called the Trust Services Criteria report) evaluates security controls against five criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy (memo CIANA+P). It is confidential and may cover only a subset of the criteria depending on the provider's needs.
SOC 3 gives a public, less technical summary of a SOC 2: a releasable showcase, often on the provider's website.
SOC for Cybersecurity specifically targets the cybersecurity programme (plans, processes, services) based on the 2017 TSC.
Two types apply to SOC 1 and SOC 2. Type I evaluates the design (suitability of design) of controls at a point in time: an expression of due care. Type II additionally evaluates the operating effectiveness of controls over a period (usually 6 to 12 months): the expression of due diligence. SOC 2 Type II is generally preferred, and it is the report to request from a third-party provider integral to operations. SOC 3 and SOC for Cybersecurity are single-type.
- SOC 1 = finance (ICFR); SOC 2 = security (TSC, confidential); SOC 3 = public summary.
- SOC 1 covers neither DR nor privacy.
- Type I = design (point in time, due care); Type II = effectiveness (period, due diligence).
- For a critical third party: request a SOC 2 Type II.
- TSC = Security, Availability, Processing Integrity, Confidentiality, Privacy.
1.5 Trust Services Criteria and attestation standards
The Trust Services Criteria (TSC) are the criteria an auditor uses to evaluate the suitability of design and operating effectiveness of controls relevant to security, availability, processing integrity, confidentiality and privacy. Developed by AICPA and CICA, they were realigned in 2017 with the 17 principles of the COSO framework. Security is the mandatory common criterion; the others are added per the provider's needs.
On attestation standards, AICPA issues the SSAEs, compliance standards that certified auditors apply when an organisation engages them to attest to its controls. The old SAS 70 (Type I and Type II) was replaced by SSAE 16 then SSAE 18, drawing on the international ISAE 3402. An SSAE 18 / ISAE 3402 report typically has five sections: the auditor's opinion, the organisation's written attestation, the description of controls and objectives, the tests of operating effectiveness, and additional information.
Lesson of SAS 70: it was designed for ICFR, but many repurposed it for security, availability and privacy needs. SOC reports now clarify usage. Finally, evidence collection (field work) can happen on site or remotely, on on-premises, cloud or hybrid assets; the cloud shared responsibility model helps determine who owns which control.
- TSC aligned with the 17 COSO principles (2017); Security is mandatory.
- SAS 70 -> SSAE 16 -> SSAE 18; ISAE 3402 = international counterpart.
- An SSAE 18 report has 5 sections (opinion, assertion, controls, tests, extras).
- SAS 70 misused: designed for ICFR, wrongly used for security.
- Cloud: the shared responsibility model sets who owns each control.
Case studies
Internal, external and third-party: how to prioritise?
Context : At Bank UYT, the CISO asks Prakash to spell out the considerations for designing internal testing, external testing and third-party assessor engagement strategies, given a range of financial services.
Question : How should each assessment type be prioritised by the criticality of different systems and services? (6.1.1-3)
Show analysis and answer
Prioritisation follows risk. The most critical systems (payments, regulated customer data) warrant the highest assurance: external testing first (attacker view), then internal testing (insider view, richer in information), and an independent third-party report (e.g. SOC 2 Type II) for providers integral to operations. Less sensitive systems can rely on more frequent, less formal internal assessments. Independence grows with criticality and compliance stakes: a credible audit needs evaluators outside the system's management chain.
Takeaway : Prioritise by risk; reserve maximum independence (third party, SOC 2 Type II) for the most critical systems and providers.
- External first, then internal (internal has more info).
- The more critical the system, the stronger the independence required.
- SOC 2 Type II = evidence of a third party's control effectiveness.
Which standards for a bank?
Context : The CISO asks Prakash to review updates to applicable frameworks to inform Bank UYT's internal and external testing strategies.
Question : Name at least two relevant assessment standards or frameworks and how to implement them given the bank's services. (6.1.1-4)
Show analysis and answer
A bank typically falls under several frameworks: PCI DSS for payment cards (annual audit, cardholder data scope), SOC 2 to reassure clients and partners on security controls, NIST RMF or CSF to structure maturity, ISO 27000 for the ISMS. Add ISAE 3000 (international audit) and the SWIFT Customer Security Controls Framework for international transactions. Implementation means mapping obligations, scheduling audits in a compliance calendar, and selecting the framework that fits the business process, without mistaking it for a mere checklist.
Takeaway : An organisation under several frameworks schedules audits in a compliance calendar; a framework aids analysis, it is not a magic checklist.
Assessment vs audit: formality
The primary difference is the degree of formality. The assessment is a broader, less formal evaluation (measures risk likelihood, process quality). The audit is a structured, formal process, systematically analysing an object vs predefined criteria. Both can target the same assets.
SOC 1 vs SOC 2 vs SOC 3
SOC 1 = financial reporting (ICFR). SOC 2 = security controls via the Trust Services Criteria, confidential. SOC 3 = public summary of a SOC 2. Classic trap: tying SOC 2 to finance. And SOC 1 cannot cover disaster recovery or privacy.
Type I vs Type II
Type I = control design at a point in time (suitability of design), an expression of due care. Type II = operating effectiveness over a period (often 6 to 12 months), the expression of due diligence. To evaluate a provider over time, require a Type II.
Checkpoint — Knowledge check
-
What is the primary distinction between an assessment and an audit?
- A The level of formality involved in the process
- B The assets targeted for evaluation
- C The likelihood of a specific risk
- D The quality of process documentation
Answer & rationale
Answer : A — The level of formality involved in the process
Assessment and audit are close, but the audit is more structured and formal (systematic analysis vs criteria). Both can target the same assets and evaluate risk likelihood or documentation quality.
-
A cloud provider integral to your operations must prove the effectiveness of its security controls over time. Which report do you request?
- A SOC 2 Type II
- B SOC 1 Type I
- C SOC 3
- D SOC 1 Type II
Answer & rationale
Answer : A — SOC 2 Type II
SOC 2 targets security controls (TSC); Type II evaluates operating effectiveness over a period. SOC 1 concerns financial reporting (ICFR). SOC 3 is only a public summary.
Key takeaways
- Assessment (broad, management), audit (formal, independent), testing (execution).
- Finding = Condition, Criteria, Cause, Effect, Recommendation.
- External before internal; zero trust blurs the line.
- SOC 1 finance, SOC 2 security (confidential), SOC 3 public; Type I design, Type II effectiveness.
Methods and artifacts: examination, interview, logs, sampling
Prerequisites : Module 1 (assessment, audit, testing).
Evaluating a control rests on three complementary methods: testing, examination and interview. This module details how to scope an evaluation (assessment policy, tailoring, sampling), then focuses on two central tools: log review and the compliance test vs substantive test distinction.
2.1 Three methods: testing, examination, interview
Evaluating a control is done by any combination of testing, examination and interview; modelling, simulation and analysis may be added. Each method measures a system's compliance with its requirements and specifications. Proper method selection drives the level of assurance.
Examination means reviewing, inspecting, observing or analysing an assessment object (specifications, mechanisms, activities). An administrative control like a policy is checked by reading the document; a business process is observed (running backups, wearing a badge). Examination does not require the assessor to direct the operation or interact with stakeholders. Reviewing real performance documentation (access registers, transactions, logs) is one of the most valuable tools.
Interview identifies the frequent gap between the documented process and actual practice. Interview subjects are defined during chartering and named in the pre-audit checklist; depth and breadth must be clarified. Interview documentation (questionnaires, recordings with consent, notes) must be secured per its classification.
Testing compares actual behaviour to expected behaviour under defined conditions. Once confined to development, it now serves throughout a system's operational life. A complete control may require several methods: a mere examination is not always enough, and additional tests or interviews may be needed. The organisation must establish the assessor's need to know, without granting unlimited out-of-scope access.
- Three combinable methods: testing, examination, interview.
- Examination = read/observe without directing; interview = close the doc vs practice gap.
- A complete control may need several methods.
- Establish the assessor's need to know (no unlimited access).
2.2 Scoping and sampling the evaluation
Assessment activities are planned by the security assessment policy, which sets the rules for planning, conduct and reporting. Management provides high-level direction: identify how the context has changed since the last assessment, along three key elements - the threat landscape, business logic and compliance regime. This yields a focused, down-selected set of assessments to run (tailoring).
The assessment is then tailored to the control assessed, by its type, intended depth and the specifics of the compliance requirement. Since you can rarely examine everything, you rely on a sample. Statistical sampling uses the laws of probability to infer a control's performance over the whole population. Judgmental sampling (also purposive or authoritative) relies on the assessor's expertise to choose systems or events, prioritising those that present the greatest risk.
The organisation cannot ignore its confidentiality, integrity and availability obligations during the assessment: convenient as unlimited assessor access may be, that privilege may exceed scope.
- Tailoring refreshes threat landscape, business logic, compliance.
- Statistical = probability; judgmental = judgment, prioritises risk.
- We sample because we cannot examine everything.
- Respect CIA and scope during the assessment.
2.3 Log reviews
All major frameworks stress logging practice. ISO 27001:2013 control 12.4.1 requires event logs (user activities, exceptions, faults, security events) to be produced, kept and regularly reviewed. NIST SP 800-92 (Guide to Computer Security Log Management) treats log review as a component of log management. Review serves not only security assessment, but also the identification of incidents, policy violations, fraud and operational problems near the time of occurrence. Reviewing historic audit logs can determine whether an identified vulnerability has already been exploited.
Several regulations mandate diligent reviews: GLBA (protecting financial institutions' customer data), HIPAA (regular audit log reviews, 6-year retention), SOX (regular log review to spot violations), PCI DSS (track all access to network resources and cardholder data).
Log management follows four key practices: prioritise log management across the organisation; establish policies and procedures; create and maintain a secure log management infrastructure (a SIEM helps with storage and analysis, able to absorb peaks during an incident, pentest or scan); provide adequate support (training, tools) to staff. Log security (ISO 12.4.2) protects against tampering and unauthorised access; logs can contain sensitive data (passwords, email content) and must be protected for confidentiality and integrity, with compliant retention. Rootkits often aim to alter logs to erase their traces.
- GLBA, HIPAA, SOX, PCI DSS all mandate log reviews (they all do).
- NIST SP 800-92 = log management reference; ISO 12.4.1 / 12.4.2.
- A SIEM absorbs peaks (incident, pentest, scan).
- Secure logs: tampering, access, retention; rootkits target them.
2.4 Compliance test vs substantive test
Tests fall into two families. The compliance test determines, in the assessor's opinion, whether the control exists and operates correctly. Example: compare a sample of employees entitled to access a system with the list of named users; the expected result is that the two lists match.
The substantive test evaluates the proper operation of the process itself. In the same example, the tester performs an onboarding to grant access to a new user, attempts an authorised transaction with those credentials, then offboards the identity; they then review the logs to verify all transactions executed and were tracked correctly. The substantive test gives a higher degree of assurance that the process behaves as expected, but takes more time and resources.
Distinguish this from compliance testing in the broad sense (also called conformity testing), which validates that a system has been designed and configured to meet the organisation's security requirements: that is the right answer when the question is about validating against defined standards. Note finally: the substantive test is also the technique by which an auditor obtains evidence to support their opinion.
- Compliance test = control existence/operation (compare 2 lists).
- Substantive test = proper process operation (onboarding -> transaction -> offboarding -> logs).
- Substantive = more assurance but more costly.
- Compliance/conformity testing validates against the organisation's standards.
Case studies
Which method for which control?
Context : An assessor must evaluate three controls at Bank UYT: (a) the password policy, (b) actual adherence to the account revocation procedure when an employee leaves, (c) the presence of a technical control restricting access to a critical system to business hours.
Question : For each control, which method (examination, interview, testing) fits best, and why?
Show analysis and answer
(a) Password policy: examination - just read the document and check the system configuration. (b) Revocation adherence: interview (to understand actual practice vs the documented procedure) plus a substantive test (run an offboarding and check the logs). (c) Time control: testing - attempt an out-of-hours access and verify the denial, relying on logs as artifacts (positive and negative evidence). A complete control often combines several methods.
Takeaway : Administrative -> examination; practice/doc gap -> interview; technical behaviour -> testing. Logs serve as positive and negative evidence.
- Pick the method by the nature of the control.
- A substantive test proves operation, not just existence.
- Logs provide positive AND negative evidence.
All frameworks require log review
NIST SP 800-92, GLBA and SOX (like HIPAA, PCI DSS) all stress log management and review. To the trick question asking which one does NOT require it, the answer is: they all do. Knowing what is happening and what has happened enables action (offense informs defense, a CIS tenet).
Statistical vs judgmental sampling
Statistical sampling infers a control's performance via probability over the whole population. Judgmental (purposive/authoritative) sampling rests on the assessor's judgment, prioritising the riskiest items. Don't confuse the basis (probability) with the criterion (judgment).
Checkpoint — Knowledge check
-
All major frameworks stress logging. Which of the following does NOT require log management and review?
- A NIST SP 800-92
- B Gramm-Leach-Bliley Act (GLBA)
- C Sarbanes-Oxley Act (SOX)
- D They all do
Answer & rationale
Answer : D — They all do
NIST SP 800-92, GLBA and SOX all stress effective and timely log management and review (offense informs defense, CIS). None is exempt.
-
A tester creates an account, uses it for an authorised transaction, deletes it, then checks the logs. What test type is this?
- A Substantive test
- B Compliance test
- C Misuse case test
- D Synthetic transaction
Answer & rationale
Answer : A — Substantive test
Testing the end-to-end proper operation of the process is a substantive test (more assurance, more resources). A compliance test would merely compare two lists to verify the control's existence.
Key takeaways
- Three methods: testing, examination, interview, often combined.
- Tailoring = refresh threat landscape, business logic, compliance.
- Statistical (probability) vs judgmental (judgment, risk) sampling.
- Compliance test = existence; substantive test = operation.
- All frameworks require log review; secure and retain.
Vulnerability assessment and penetration testing
Prerequisites : Modules 1-2; threat and vulnerability notions (Domain 1).
This module covers the two pillars of offensive testing: vulnerability assessment, which identifies known weaknesses, and ethical penetration testing, which attempts to exploit them within a strict legal frame. It addresses CVSS, rules of engagement, box testing, red/blue/purple teams, the five-phase methodology and continuous testing approaches (BAS, chaos engineering).
3.1 Vulnerability assessment and CVSS
Vulnerability assessment is an essential task in evaluating a system's security. A vulnerability is a weakness that, if exploited, could compromise the confidentiality, integrity or availability of an asset. Caution: the existence of a weakness does not mean it is exploitable by a threat. A vulnerability is not an exploit.
Vulnerability scanners automate the identification of known vulnerabilities in configurations, settings and software. They can be authenticated (with credentials, a more precise inside view) or unauthenticated (an external attacker's view). They also detect the use of insecure protocols like FTP - even if compensating controls (network segmentation, usage restriction) can mitigate the risk. Evaluating identified vulnerabilities means analysing their impact given the organisation's unique configurations and circumstances, and handling false positives (erroneous alerts).
To prioritise, use CVSS (Common Vulnerability Scoring System), which scores technical severity from 0 to 10: None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10). CVSS measures intrinsic severity; it pairs usefully with EPSS, which estimates the probability of exploitation. Typical SLA prioritisation reserves the shortest deadlines for Critical and High vulnerabilities.
- A vulnerability is not an exploit (weakness vs real exploitability).
- Authenticated scanner (inside view) vs unauthenticated (attacker view).
- CVSS: None/Low/Medium/High/Critical, technical severity 0-10.
- CVSS (severity) + EPSS (probability) = better prioritisation.
- Handle false positives and compensating controls.
3.2 Ethical penetration testing: RoE and scope
Penetration testing simulates a threat actor's actions using information the actor would have. It is a controlled process, governed by Rules of Engagement (RoE) detailing the circumstances of the attempt. Useful to determine whether controls are effective, it poses significant risk if poorly conducted. RoE define scope, methods, constraints, the individuals authorising the test, incident reporting procedures and liability limits.
Key legal point: without a signed contract, the tester faces criminal and civil charges in many jurisdictions, and can be held liable for disruptions caused. Hence the term ethical penetration testing: the test is tied to a contractual, legal and ethical basis. Sophisticated attackers use the same techniques, but their intent makes their activity unethical and probably illegal. The code of ethics requires the tester not to disclose their activities and findings without the sponsor's written consent, on top of contractual NDAs.
Scope depends on objectives. PCI DSS, for instance, may require covering the cardholder data environment and demand both network AND application testing. Other scenarios include a wireless component, social engineering or physical intrusion. The test may be blind (the tester is blind to technical details) or double-blind (the defending team - the blue team - is also not warned), which exercises detection and response but requires deconfliction if the defenders discover the test.
- RoE define scope, authorisation, reporting, liability.
- Without a signed contract: criminal and civil risk for the tester.
- Ethical = contractual/legal/ethical basis; same techniques as the attacker.
- Blind = tester blind; double-blind = blue team not warned.
- Scope follows objectives (network, app, wireless, social, physical).
3.3 Box testing and the five-phase methodology
The level of knowledge granted to the tester defines the box testing type. White-box (or crystal-box) gives full knowledge of the system (IP addresses, versions): maximum coverage, mimics an insider threat, fastest and often cheapest, but controls that hide information from outsiders (like NAT) are not assessed. Black-box grants no knowledge: the tester runs reconnaissance, which confirms controls meant to conceal information, at the risk of missing assets. Gray-box blends the two: partial information, the tester discovers the rest. Reminder: a real attacker is not constrained by time or billing, unlike the tester whose contract lasts a few weeks.
The methodology follows five phases. 1) Chartering: drafting RoE, formal risk assessment, integration into the contract if third party. 2) Discovery: reconnaissance to map the environment (sometimes unnecessary if the RoE already define the systems). 3) Scanning: identifying and fingerprinting weaknesses to craft exploits. 4) Exploitation: delivering the exploit and documenting; when withdrawing, the tester ensures they do not increase the risk of exploitation by a malicious actor. 5) Reporting: compiling activities, executive summary, recommendations, returning all material (including credentials obtained). There is no single standard: the exact sequence must be documented in the RoE.
- White box = full knowledge (fast, NAT not tested); black box = blind; gray box = hybrid.
- 5 phases: Chartering, Discovery, Scanning, Exploitation, Reporting.
- The attacker has no time constraint; the tester does.
- Return all material, including credentials obtained.
- No single standard: document the sequence in the RoE.
3.4 Red, blue, purple team and ethical hacking
Depending on objectives (e.g. response readiness), several teams take part. The red team simulates a malicious attacker to assess security posture: its goal is to identify vulnerabilities, exploit weaknesses and gauge the effectiveness of existing measures. The blue team represents the defenders (internal security team): it monitors, detects and responds to the simulated attacks, evaluating defensive strategies, incident response capabilities and resilience. The purple team combines both: it fosters collaboration and knowledge sharing between attackers and defenders, to close defensive gaps and recommend improvements.
Ethical penetration testing should not be confused with ethical hacking, which gathers the efforts of amateur or professional researchers to probe and detect vulnerabilities. Bug bounty programs encourage these informal attempts: hacking is ethical there as long as the researcher respects the program's terms and does not disclose results to third parties. Google Project Zero is an emblematic example. The legal context matters: in the US, DMCA section 1201 makes circumventing digital protections an offence, limiting independent evaluation of cryptographic protections.
- Red = attack; blue = defence; purple = collaboration of both.
- Ethical hacking (bug bounty, Project Zero) != ethical penetration testing.
- Hacking stays ethical if it respects terms and does not disclose.
- DMCA 1201 limits independent evaluation of protections.
3.5 Continuous testing: BAS, ATT&CK, chaos engineering
A penetration test is a point-in-time activity: it reflects one set of tests at a moment, while the environment and threats evolve fast. Several continuous testing approaches complement the frameworks that expect continuous monitoring.
MITRE ATT&CK, a knowledge base of adversary tactics and techniques, helps test resilience by emulating attacker behaviour. Breach and attack simulation (BAS) tools automate these tests to run continuously against the infrastructure; coupled with threat intelligence and integrated with change management, they offer a different level of assurance than traditional pentesting. BAS combines vulnerability scanning and automated penetration testing, with a constantly updated attack database. It enables more frequent testing than quarterly scans or annual pentests: if a simulated attack is blocked, controls work; if it succeeds, it signals a deficient control or a new risk.
Chaos engineering forces production systems to fail to evaluate detection, response and recovery capabilities. Its no-notice tests heavily stress people and systems: teams are not warned and treat the outage as a real attack. Handle with care: many systems are not engineered to withstand a production shutdown without cost, and the approach does not simulate a true attacker (disruptions are scripted by insiders).
- The pentest is point-in-time; continuous testing fills the gap.
- BAS = scan + automated pentest, continuous, updated attack database.
- MITRE ATT&CK emulates adversary behaviour.
- Chaos engineering = no-notice, stresses systems, does not simulate a true attacker.
Case studies
When a physical pentest goes wrong
Context : Coalfire, engaged by the State of Iowa, runs physical pentests on municipal buildings. After two courthouses tested successfully, two employees are arrested at the Dallas County courthouse in September 2019, charged with burglary. A contract existed at state level but had not been communicated to the individual counties. All charges are eventually dropped in January 2020.
Question : What type of pentest was being run? From the company's view, where did it go wrong, and what should have been done? (6.2.2)
Show analysis and answer
It is a physical pentest with a social engineering component. The company's mistake: failing to communicate the test to all relevant authorities - the contract existed at state level but not at county level. The absence of incidents in prior tests may have been luck or prior notice to other counties. Testers should have known that some alarms are silent and others audible; once the alarm tripped, they should have stayed outside, waited for police and presented their letter of authority, rather than entering. Central lesson: clear communication and contingency processes are essential to any pentest. Without a properly disseminated contract, the tester faces criminal exposure.
Takeaway : A pentest, especially physical, needs RoE disseminated to all parties and a contingency plan; without that, even a valid contract does not prevent arrest.
- Disseminate RoE to ALL relevant authorities.
- On alarm, stop and present authorisation, do not enter.
- An existing contract is not enough if not communicated.
Choosing the right pentest for MLZ Systems
Context : Lee, from Swinkler Security, reports to MLZ Systems that he could freely access several sensitive sites without showing ID, photograph documents and find unlocked workstations. He recommends a formal, structured penetration test of all MLZ and partner sites.
Question : What did Lee do? Which pentest is appropriate (internal/external), which box, is social engineering required, and who receives the report? (6.1.1-4, 6.2.2)
Show analysis and answer
Lee ran an informal security reconnaissance (not a formal, scheduled or fully ethical pentest), but useful to know. The appropriate pentest is both internal AND external, because the findings may reveal a larger, still-invisible problem. The best approach is white-box: fastest, cheapest and most complete here. Social engineering is required, since it was a security failure at Lee's point of entry that triggered the need. RoE must include type and scope, client contacts, a communication plan, timelines, meetings and reports - but NOT the list of tools or the testers' identities. The report goes to senior staff and security at MLZ and its partners, not the public or customers; excerpts may appear in a SOC 2 report on request.
Takeaway : Informal reconnaissance != formal pentest; here internal+external, white-box, social engineering included; RoE exclude tools and tester identities; the report stays confidential.
- RoE do not include tools or tester identities.
- A pentest report is confidential (not public, not for customers).
- White-box = fastest and most complete when you want the best result.
A vulnerability is not an exploit
The existence of a weakness does not guarantee a threat can exploit it effectively. Vulnerability assessment identifies weaknesses; penetration testing attempts to exploit them. The scanner flags, the pentest proves exploitability.
Ethical hacking vs ethical penetration testing
Ethical penetration testing is contractually legal, governed by RoE. Ethical hacking (bug bounty, Project Zero) is more informal: it stays ethical as long as the researcher respects the terms and does not disclose. Don't confuse the pentest's strict contractual frame with vulnerability research.
White-box does not test NAT
White-box gives the tester everything: maximum coverage and insider simulation, but controls meant to hide information from outsiders (like NAT) are not assessed. Black-box, by contrast, confirms these concealment controls, at the risk of missing assets.
Checkpoint — Knowledge check
-
What is the primary goal of a red team exercise in penetration testing?
- A Simulate a threat actor's actions and identify vulnerabilities
- B Monitor and respond to simulated attacks
- C Collaborate with defenders for overall security enhancement
- D Conduct a controlled process with clearly defined RoE
Answer & rationale
Answer : A — Simulate a threat actor's actions and identify vulnerabilities
The red team simulates a malicious attacker to identify vulnerabilities, exploit weaknesses and gauge controls. Monitoring/responding = blue team; collaborating = purple team; the RoE-controlled process is a general pentest trait, not the red team's specific goal.
-
A vulnerability receives a CVSS score of 9.4. What interpretation and priority?
- A Critical: top remediation priority, shortest deadline
- B Medium: handle within 90 days
- C Low: negligible risk
- D CVSS measures exploitation probability, not severity
Answer & rationale
Answer : A — Critical: top remediation priority, shortest deadline
9.0-10 = Critical on the CVSS scale: maximum technical severity, top remediation priority. CVSS measures severity; EPSS estimates exploitation probability.
Key takeaways
- Vulnerability assessment identifies; pentest exploits. A vuln is not an exploit.
- CVSS scores severity (0-10); EPSS adds probability.
- RoE essential; without a signed contract, criminal risk.
- White/gray/black box by knowledge; red/blue/purple by role.
- Continuous testing: BAS, MITRE ATT&CK, chaos engineering complement the pentest.
Code review and software testing
Prerequisites : Modules 1-3; SDLC notions (Domain 8).
Code is the foundation of information systems: its review and testing are a crucial security control. This module covers code review (SAST, DAST, manual review), security-oriented tests (misuse case, negative testing), coverage measurement, interface testing, and monitoring techniques (synthetic transactions vs RUM).
4.1 Code review: objectives and SAST / DAST
Code review, more precisely source code analysis and review, aims to verify six things: all required functions exist; no foreign code is present; no dead or unreachable code remains; no backdoors or trapdoors; coding standards are met; all code is of trustworthy provenance. These objectives are not for development only: they assume rigorous configuration management, without which dead code can be reactivated and made exploitable by a small change elsewhere.
Testing can be manual (code peer review: a developer reviews a peer's work) or automated. Two families dominate. SAST (static application security testing) analyses code AT REST, without executing it: it models execution to detect buffer overflow, inconsistent data conditions, misuse of templates, outdated libraries, misconfigurations. It is a white-box approach, ideal for shift-left. DAST (dynamic analysis) tests the program WHILE RUNNING to observe actual behaviour: a black-box approach. A variant exists on compiled binaries (static binary analysis), less precise than on source.
The shift-left philosophy (Agile, DevOps, DevSecOps) moves security tasks to the left of the project timeline: architecture review and threat modeling (prerequisites to testing, not testing) upstream, then SAST during development. ISO 27002 14.2.1 prescribes secure development rules and training in secure coding standards.
- 6 objectives: required functions, no foreign/dead/backdoor code, standards, provenance.
- SAST = code at rest (white box); DAST = running app (black box).
- Manual review (peer review) complements tools.
- Shift-left: threat modeling and arch review upstream, SAST during dev.
- Without configuration management, dead code can become exploitable again.
4.2 Misuse case and negative testing
A use case describes an intentional way of using a system to accomplish authorised work. Misuse case testing examines the opposite assumption: a set of actions that could cause integrity failures, malfunctions or compromises, whether deliberate and malicious or accidental. It is built into test plans, often focusing on system behaviour facing unexpected field values (wrong format, data far from the expected input). Simple example: a user enters their phone number in a field meant for their name. Modelling hostile agents and their misuse cases focuses the security professional's attention.
Negative testing, in contrast to a positive test (which checks the system works as expected and fails on any error), provides evidence of application behaviour facing invalid or unexpected data. Any provocation of failure should surface in testing rather than in production. The optimal response to a negative test is to gracefully reject the data without crashing. It is optimal to combine positive and negative tests.
Don't confuse the two: negative testing detects crashes in different situations; misuse case takes a hostile actor's viewpoint. Safety-critical systems blur the line (fail-safe requirement). Advances in automated testing, like fuzz testing (mutation or generation of inputs), allow tens of thousands of cases at the edges of the system's acceptable envelope - for owners and attackers alike.
- Misuse case = hostile viewpoint (deliberate or accidental).
- Negative test = invalid data, graceful rejection without crash.
- Positive + negative = thorough behaviour examination.
- Fuzzing (mutation/generation) automates edge cases.
4.3 Test coverage and test levels
The level of structural testing is measured by coverage metrics, which indicate the percentage of the software structure evaluated. By convention, speaking of coverage implies 100%: statement coverage means 100% of statements have been executed at least once. The main types: statement coverage (each statement at least once, insufficient alone); decision/branch coverage (each branch takes each outcome, minimum for most software, insufficient for high-integrity); condition coverage (each condition takes all its values); multi-condition coverage (all combinations of conditions); loop coverage (loops run zero, one, two and many times); path coverage (each feasible path, rarely achievable given the number of paths); data flow coverage (each feasible data flow). The target level should be proportionate to the software's risk.
Tests are also structured by level: unit (smallest isolated component), integration (modules together), system (whole system end to end) and acceptance (UAT, validation against business needs). Add cross-cutting tests: regression (verify a change broke nothing), positive, negative, and white-box / black-box approaches. Reaching 100% coverage is rarely realistic: cost and time-to-market pressure make it hard, especially on large code, even if not strictly impossible.
- Coverage = 100% by convention; statement < branch < path in demand.
- Coverage level proportionate to software risk.
- Levels: unit, integration, system, acceptance (UAT).
- Cross-cutting: regression, positive, negative, white/black box.
- 100% coverage rarely reached (cost, time-to-market).
4.4 Interface testing
An interface is a point of interaction with a system. Examples: the UI (human interaction, GUI with windows and menus, or command-line CLI) and APIs (system-to-system communication: REST for the web, IPC, RPC). Evaluating the functionality and security of interfaces is a crucial aspect of system testing: security controls must be implemented in them to ensure confidentiality (access controls) and non-repudiation (logging of actions). Interface testing is part of standard development testing and plays a role in security activities (vulnerability assessments, pentests, breach simulations).
Interface testing verifies that components (software and hardware) pass data and control to each other correctly, per their design. It differs from integration testing: it checks that distinct components are in sync and that functions like data transfer happen as designed. In particular, it verifies that application-server interactions execute correctly, that errors are properly handled, what happens if the user interrupts a transaction, or if a web server connection is reset. On the server side, it validates communication between web, application and database servers, and software/hardware/network compatibility. On external interfaces, it checks supported browsers and error conditions when the external application is unavailable.
- Interfaces: UI (GUI/CLI) and API (REST/RPC/IPC).
- Interface testing != integration testing (sync and data transfer).
- Interface security: access control (confidentiality) + logging (non-repudiation).
- Checks error handling, interruptions, resets.
4.5 Synthetic transactions and RUM
To evaluate the performance, response time and availability of applications, sites and services, two complementary approaches exist.
Synthetic transactions are automated activities run against a monitored target to evaluate its performance. For a web application, this can be logging in with a test account to verify the response to login or queries. The term transactions does not mean only financial transactions: any system activity (DNS resolution, IP assignment via DHCP) qualifies. Synthetic performance monitoring (or proactive monitoring) has external agents run scripts following a typical user's steps (search, view a product, log in, pay). It is testing by scripts, not by live actions, which distinguishes it from other test forms. It covers website monitoring, database monitoring, TCP port monitoring and SLA validation, and runs 24/7 even with no real traffic.
RUM (real-user monitoring), also called real-user measurement or end-user experience monitoring (EUM), is by contrast a form of passive monitoring: it captures and analyses every transaction of every real user of a site or application. Top-down, client-side RUM (small JavaScript scripts or local agents) sees directly the experience the user lives and the link between site speed and satisfaction. RUM also applies to people-intensive operations (call centres). Synthetic and RUM complement each other: synthetic watches availability during low-traffic periods, RUM measures real experience.
- Synthetic = automated scripts (active), 24/7 even without traffic.
- RUM = passive, captures every real-user transaction.
- Quiz cue: web test using scripts = synthetic.
- Synthetic and RUM complement each other (availability vs real experience).
Case studies
Choosing the right test from the symptom
Context : The Bank UYT team asks Prakash several software testing questions: (1) can 100% coverage be reached? (2) which test detects an out-of-bounds value entered in a field? (3) the web server displays SQL code during intermittent errors - which test would reveal it? (4) which test fixes a security issue?
Question : Answer the four questions with justification. (6.2.6-8, 6.2.1-10)
Show analysis and answer
(1) 100% coverage: the right answer is that total coverage, without fully automated testing, takes too long and costs too much to be practical - not strictly impossible, but push to market makes it hard on large code. (2) Out-of-bounds value entered by a user: misuse case test (tests incorrect use, accidental or deliberate); don't confuse with interface or synthetic. (3) SQL code leaking in an error message: interface testing - errors always occur, but the information in the message must stay minimal; returning SQL exposes the database's internal structure. (4) No test fixes a security issue: at best, a well-designed test identifies a problem; a remediation process must follow.
Takeaway : Misuse case = incorrect use; interface testing = leaks/errors at boundaries; no test fixes, it identifies. Remediation always follows testing.
- 100% coverage: possible but often impractical (cost, time).
- An out-of-bounds entered value = misuse case test.
- An SQL leak in an error = interface testing.
- No test fixes: remediation is always needed.
SAST vs DAST
SAST = static, code AT REST, no execution, white box (finds SQL injection, XSS, hardcoded secrets). DAST = dynamic, RUNNING application, black box. Fuzzing (mutation/generation) is a special case of DAST. Cue: S for Static (stopped), D for Dynamic (running).
Negative testing vs misuse case
Negative testing seeks crashes facing invalid data; the optimal response is a graceful rejection. Misuse case takes a hostile actor's viewpoint. They resemble each other but are not identical; safety-critical systems blur the line.
Synthetic transactions = test by scripts
Exam cue: a web application test relying on SCRIPTS rather than live actions is a synthetic transaction. Other forms (vulnerability, penetration) use live agents. RUM, by contrast, is passive and observes real users.
Checkpoint — Knowledge check
-
What type of web application test relies on scripts rather than live actions?
- A Synthetic
- B Vulnerability
- C Penetration
- D Conformity
Answer & rationale
Answer : A — Synthetic
Synthetic transactions have external agents run scripts following a typical user's steps. The other forms (vulnerability, penetration) use live agents; conformity testing validates against standards.
-
After a fix, a battery of tests is rerun to ensure no existing functionality was broken. Which test?
- A Regression testing
- B Negative testing
- C Acceptance testing
- D Misuse case testing
Answer & rationale
Answer : A — Regression testing
Regression testing verifies a change did not break existing functionality. Negative testing addresses invalid data, acceptance validates against business needs, misuse case takes the hostile viewpoint.
Key takeaways
- SAST = code at rest (white box); DAST = running app (black box); IAST combines.
- Misuse case (hostile) and negative (invalid data) are close but distinct.
- Coverage = 100% by convention; rarely reached in practice.
- Levels: unit, integration, system, acceptance; + regression, positive, negative.
- Synthetic = active scripts; RUM = passive observation of real users.
Collecting security process data
Prerequisites : Domain 5 (IAM, AAA); Modules 1-2.
A security decision is only as good as its data. This module shows how to collect and manage process data from account management, management review, indicators (KPI/KRI) and backup verification, to drive data-driven security.
5.1 Account management and IAM review
An account is the set of credentials used to access a resource. Since access control is the bedrock of IS security, collecting process data focuses first on account management. It supports business functions by: assigning account managers; setting conditions for group or role membership; specifying authorised users; requiring approval for authorisations (creating, enabling, modifying, disabling, removing access); monitoring account usage; notifying the manager when access is no longer needed; reviewing accounts for compliance. Access control is an example of a blended control: policies enforced by procedures, implemented by technology, sometimes with physical controls (badges, smart cards).
IAM review rests on three central information sets. The identity store is the centralised repository of all information about an identity; it also records decisions to grant, remove or downgrade permissions. The integrated IAM system maintains its authentication and authorisation databases (the 3rd A of AAA: authentication, authorization, accounting). System and application logs, monitoring agents and sensors record indicators of user actions. User behaviour modelling can detect indicators triggering account reviews. As jobs change and, ultimately, people leave, accesses are modified, disabled, deprovisioned then deleted. Auditing these sources provides rich material for security assessment.
- Access control is the bedrock: start with account management.
- Approval required to create/enable/modify/disable/remove access.
- Three IAM sources: identity store, AAA system, logs/monitoring.
- Access control = blended control (policy + tech + physical).
5.2 Management review and approval
Management is responsible for defining and executing the organisation's mission, including security and privacy. To ensure controls reduce risk to an acceptable level, it conducts reviews and approves security process data. ISO 27001 requires top management to review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness - an expectation echoed by NIST, ITIL and COBIT 5.
Management review should include (but not be limited to): exemptions from normal activities, information from previous reviews, ongoing outcome metrics, audit results, whether security objectives have been met, feedback from interested parties, and risk assessment reporting with the treatment plan. The goal is to support continual process improvement. Many organisations still rely on subjective judgments to prioritise, whereas major frameworks require statistical methods, metrics and benchmarks - which assumes logging and monitoring provide the necessary data-driven information.
System owners have similar responsibilities for their own stores: they identify their risk tolerance, compliance obligations, and decide to authorise a system's use. They are essential to determine whether selected controls meet their objectives. Environment changes (new business lines, systems, compliance, mergers/acquisitions) can affect control effectiveness, hence continuous monitoring generating metrics and indicators.
- Management reviews and approves to keep controls effective.
- ISO 27001: ISMS review at planned intervals (suitability, adequacy, effectiveness).
- Inputs: exemptions, audits, metrics, objectives, feedback, risk.
- Data-driven decisions > subjective judgment.
5.3 KPI and KRI: measuring the past and anticipating the future
You only manage well what you measure. Security metrics serve as key performance indicators (KPI) and key risk indicators (KRI). Mind the metric vs indicator distinction: a metric is a plain measurement (the number of patches applied), while an indicator uses metrics and provides context (an indication). Example: the ratio of patched endpoints to the total is an indicator of patch management effectiveness; if you expect 100% coverage by D+7 and the figure is below, the indicator signals corrective action.
KPI and KRI differ in their time orientation. KPIs look at the past: the activity already happened, were goals met? They help correct future actions, can reveal underperforming segments, justify rewards and reassure a client base. KRIs look at the future: they capture how the changing risk landscape might affect the organisation, using modelling, analysis or educated estimation. They allow assessing a risk's likelihood and triggering proactive action - for example, a rise in malicious traffic volume blocked by a firewall may indicate the need to upgrade it before it is overwhelmed. KRIs often support long-term decisions (budget, resources) and must be reviewed via formal change management when risk evolves.
- Metric = measurement; indicator = metric + context.
- KPI = past (goals met?); KRI = future (emerging risk).
- KRIs trigger proactive action (e.g. firewall upgrade).
- Review KRIs via change management when risk changes.
5.4 Backup verification and availability services
Availability services are another source of process data, because their performance drives the organisation's ability to meet its commitments and compliance obligations. Availability data is routinely audited.
Data and system backups are essential integrity and availability controls. The first step is to identify critical data and systems, then design a backup strategy suited to recovery needs. Once procedures are in place, it is crucial to verify the integrity of the backup PROCESS AND the backed-up data. Both are evaluated by a test restore from the backup media, to ensure all required data is present and readable. If data is missing, it may indicate misconfiguration (excluded directories or systems) or media corruption. Some backup systems include automatic integrity checking, generate alerts on loss and retry the backup.
On compliance, ISO 27001 Annex A:12.3 is the principal control, but the need for backup appears across many controls. FIPS 200 covers the Contingency Planning (CP) and Media Protection (MP) families. HIPAA requires both a data backup plan and a business contingency plan, and the Availability TSC criterion sets similar expectations for a SOC 2. Developing an availability programme extends risk management practice: execution is IT's job, but it is directed by the risk of data loss or failure.
- Verify integrity of the PROCESS and the DATA via a test restore.
- Missing data = misconfiguration or corrupted media.
- ISO A.12.3, FIPS 200 (CP/MP), HIPAA, TSC Availability.
- The availability programme is risk-driven, IT-executed.
Case studies
What should management review be based on?
Context : Prakash notices that at Bank UYT, the prioritisation of management review and approval activities is not always based on reliable metrics.
Question : To support continual process improvement and best practice, what should management review and approval include? (6.3.2)
Show analysis and answer
Management review should include, but not be limited to: exemptions from normal activities; information from previous reviews; ongoing outcome metrics; audit results; whether security objectives have been met; feedback from interested parties; risk assessment reporting and the treatment plan. Relying on statistical methods, metrics and benchmarks - rather than subjective judgments - is what major frameworks demand. This assumes logging and monitoring tools provide the data-driven information needed for reliable prioritisation.
Takeaway : Effective management review relies on documented metrics, audits, objectives and risks, not impressions; logging provides the data-driven material.
- List inputs: exemptions, audits, metrics, objectives, feedback, risk.
- Prioritise on data, not subjective judgments.
- Logging feeds data-driven decisions.
KPI vs KRI
KRIs monitor emerging risks (forward-looking, proactive). KPIs measure goal achievement (backward-looking). Classic trap: assigning KRIs the role of measuring goal achievement - that is the KPI's role. A KRI warns early of a risk, not of team performance.
Verify the backup, not just run it
Backing up is not enough: you must verify via a test restore that data is present AND readable, and that the process itself has integrity. Missing data reveals faulty config (exclusions) or corrupted media.
Checkpoint — Knowledge check
-
Which statement is true of key risk indicators (KRIs)?
- A KRIs monitor emerging risks
- B KRIs show whether goals have been met
- C KRIs shed light on performance metrics
- D KRIs alert when team metrics have not been met
Answer & rationale
Answer : A — KRIs monitor emerging risks
KRIs are designed to track and early-warn on emerging risks. Showing goal achievement is the KPIs' role. KRIs are neither performance metrics nor team alerts.
-
How do you reliably verify a backup is usable?
- A Perform a test restore from the media and check that data is present and readable
- B Check that the backup job finished without error
- C Compare the backup file size to the day before
- D Look at the retention schedule
Answer & rationale
Answer : A — Perform a test restore from the media and check that data is present and readable
Only a test restore proves the integrity of the process AND the data. A finished job, a size or a schedule do not guarantee data is present and readable.
Key takeaways
- Account management is the bedrock; three IAM sources (identity store, AAA, logs).
- Management review approves on metrics, audits, objectives, risks.
- Metric = measurement; indicator = metric + context.
- KPI = past (goals); KRI = future (emerging risk, proactive).
- Verify backups via test restore (process AND data).
SETA and continuity testing (BC/DR)
Prerequisites : Module 5; BC/DR notions (Domain 7).
Users are both a high-value target and a critical line of defence; and an organisation's resilience is proven by testing its plans. This module covers SETA programmes (security education, training, awareness) and continuity and recovery testing (BC/DR), from desk check to full cutover.
6.1 SETA: education, training, awareness
The security environment changes fast: establishing and maintaining a security education, training and awareness (SETA) programme is vital, because users are both a critical line of defence and a high-value target. The three activities differ. Education presents a body of knowledge applicable to a broad range of problems; as the body evolves fast, a professional's education never stops (ISC2 members must demonstrate continuing education). Training targets acquiring specific knowledge to perform a task (configuring and using a technology or control correctly). Awareness is more general: NIST SP 800-50 distinguishes the two by saying training teaches skills, while awareness focuses attention on an issue.
A SETA's structure and effectiveness depend on the organisation's policy and strategy. A needs assessment, initial and continuous, determines the training strategy and justifies resource allocation. It must involve key roles with specific training needs: executive management (understand directives and laws), security personnel (experts in policy and best practices), system owners (strong understanding of controls), system administrators and IT support (technical knowledge), operational managers and users (awareness and rules of behaviour). FIPS 200 identifies the Awareness and Training (AT) family; ISO 27001 A.7.2.2 has a similar expectation.
Evaluating effectiveness is hard: counting attendees shows no behaviour change. Anti-phishing campaigns, which send fake emails and track responses, are one way to quantify the effect. Successful SETA programmes have meaningful evaluation measures (completion rates, long-term retention, coverage, audience tailoring), reused for retraining and re-evaluation.
- Education (broad) < training (skill/task) < awareness (attention).
- NIST SP 800-50: training teaches, awareness focuses.
- The needs assessment targets each role (exec, security, owners, admins, users).
- Audience tailoring = relevance and effectiveness (SETA answer).
- Measure effectiveness: anti-phishing, completion, retention, coverage.
6.2 BC and DR: two distinct processes
Disaster recovery (DR) and business continuity (BC) are often paired but distinct. DR means planning and implementing strategies to restore IT systems, data and operations after a disaster (natural disaster, cyberattack, hardware failure): it ensures quick recovery and minimises downtime, protecting data integrity and business functionality. BC focuses on maintaining essential business functions during and after a disaster: it goes beyond IT (employee safety, communication protocols, alternative work sites), to support core operations, customer service and limit financial losses. Together, BC and DR form the organisation's resilience.
Process data related to BC and DR is of great interest to controls assessors. Major standards expect risk-driven BC/DR planning: NIST SP 800-34 (Contingency Planning Guide) charts a road map; ISO 27031 addresses IS continuity and aligns with ISO 22301 (Business Continuity Management Systems). Many sectors (finance, nuclear, aviation, critical infrastructure) impose high resilience expectations, sometimes with a regular, documented full-scale demonstration.
A well-established dictum reminds us that the disaster you get is never the one you plan for. The plan, as an artifact, demonstrates commitment, but the true test is showing the organisation can execute it. Hence the importance of training teams in conducting recovery, with progressive complexity and breadth.
- DR = restore IT/data; BC = sustain the business (beyond IT).
- Risk-driven BC/DR planning (BIA).
- Standards: NIST SP 800-34, ISO 27031, ISO 22301.
- The plan proves commitment; the test proves execution.
6.3 Testing BC/DR plans: from desk check to full cutover
BC/DR testing and training is process data of first interest to the assessor: it demonstrates control effectiveness and feeds continual improvement. The training programme should progress in complexity and organisational breadth, each successful event preparing the next. A typical progressive programme is ordered as follows.
The desk check: each member reviews operational documentation, rosters, their availability and their version of the DR plan; expected result: everyone has a current plan. The walk-through: using manuals, DR teams explain their roles and activities; result: they understand their role relative to each other and deconflict overlaps. The tabletop exercise: team leaders are presented a disaster scenario and discuss their response; result: deconfliction of roles and identification of major plan weaknesses. The simulation: a disaster is simulated OUTSIDE the production environment, DR activities are performed there; result: demonstration of recovery capabilities within the scenario context. The parallel: a disaster is simulated while production continues; result: demonstration of full recovery without disrupting production. The full cutover (full-interruption): a disaster is invoked that actually affects production; result: recovery of the production environment within established parameters.
Classic trap: a fire evacuation drill is a walk-through (step-by-step review of procedures without real-time execution), not a simulation. The results of these activities are documented and made available to assessors and other parties for process improvement.
- Increasing order: desk check, walk-through, tabletop, simulation, parallel, full cutover.
- Parallel = production kept up; full cutover = production affected.
- Trap: a fire evacuation = walk-through, not a simulation.
- Document results for continual improvement.
Case studies
What WannaCry teaches about continuous testing and DR
Context : In May 2017, the WannaCry ransomware exploited the Windows EternalBlue vulnerability (a patch existed but many systems remained unpatched), spreading via phishing. It encrypts files and demands ransom. Global impact, including major disruption at the UK NHS. The response mobilised international cooperation.
Question : How does WannaCry underscore the importance of continuous pentesting, a well-defined DR, international BC and continuous user training? (6.2.2, 6.3.5, 6.3.6)
Show analysis and answer
WannaCry exploited unpatched systems: continuous pentesting and vulnerability assessment (beyond initial setup) are essential to identify and fix vulnerabilities before exploitation. DR: the attack not only encrypted data, it cut access to systems; a good DR plan must therefore cover restoring system FUNCTIONALITY, not just data recovery. BC: the global scale shows the importance of cross-border collaboration - sharing threat intelligence and coordinated responses mitigate the impact of widespread incidents. Training: threats evolve; continuous awareness keeps users informed of emerging vectors, beyond static sessions. A classic DR strategy weakness is dependence on a single point of failure.
Takeaway : Test continuously, design a DR covering functionality (not just data), cooperate internationally and train continuously: WannaCry illustrates all four.
- Patching and testing continuously prevents exploitation of known vulnerabilities.
- A DR must restore functionality, not just data.
- Dependence on a single point of failure is a DR weakness.
Testing MLZ's recovery plan
Context : MLZ's CSO is worried about the state of the Disaster Recovery Plan (DRP) after hearing a peer's difficulties. He urges management to prioritise collecting DRP-related process data: risk reduction, financial protection, operational continuity, compliance.
Question : What is the purpose of regularly testing a DRP, what is a typical DR strategy weakness, and what to consider when updating it?
Show analysis and answer
The purpose of regularly testing a DRP is to identify and fix weaknesses; the overall aim is to minimise the impact of a disruption and return to an acceptable level of performance after a disaster. A typical weakness is dependence on a single point of failure: based on each system's business impact analysis, continuity activities reduce the likelihood and consequence of a failure. When updating a DRP, it must be regularly reviewed and aligned with changes: documenting these activities is process data that feeds continual improvement and demonstrates effectiveness to assessors.
Takeaway : Testing a DRP serves to find weaknesses; avoid the single point of failure; regularly review and align the plan with changes.
- Testing a DRP identifies and fixes weaknesses.
- The single point of failure is the weakness to hunt.
- Review the plan regularly and align it with changes.
A fire evacuation is a walk-through
In the BC/DR context, a fire evacuation drill is a walk-through: a step-by-step review of procedures without real-time execution. It is neither a tabletop (in-room discussion), nor a simulation (replica of real conditions off production), nor a parallel.
Parallel vs full cutover
The parallel test simulates a disaster while KEEPING production up: recovery is demonstrated without interruption. The full cutover (full-interruption) really switches over and AFFECTS production. Full cutover is the most realistic but riskiest.
Training teaches, awareness focuses
NIST SP 800-50: training teaches skills to perform a function; awareness focuses attention on an issue. Education conveys a broad body of knowledge. Tailoring to the audience ensures relevance and effectiveness.
Checkpoint — Knowledge check
-
In a BC/DR testing program, what form is a building fire evacuation?
- A Walk-through
- B Parallel
- C Tabletop
- D Simulation
Answer & rationale
Answer : A — Walk-through
A fire evacuation is a walk-through: a step-by-step review of procedures, without real-time execution. Parallel compares primary/backup systems, tabletop is an in-room discussion, simulation replicates real conditions in an orchestrated way.
-
Why establish and maintain a security awareness, education and training program?
- A Tailoring training to audience needs ensures relevance and effectiveness
- B Users are only a potential target for attacks
- C Users are not critical in the defence against attacks
- D Long-term information retention is unnecessary
Answer & rationale
Answer : A — Tailoring training to audience needs ensures relevance and effectiveness
Understanding audience needs allows tailoring the level and material, strengthening relevance and effectiveness. Users are both a target AND a critical line of defence, and long-term retention is essential.
Key takeaways
- Education (broad), training (task), awareness (attention); tailor to the audience.
- DR restores IT/data; BC sustains the business beyond IT.
- Increasing BC/DR tests: desk check, walk-through, tabletop, simulation, parallel, full cutover.
- Fire evacuation = walk-through; parallel keeps prod up, full cutover affects it.
- Document tests for continual improvement and the assessor.
Analyze test output and generate report
Prerequisites : Modules 1-6; change management (Domain 7).
Testing is pointless if you do not act on the results. This module covers remediation, continual improvement models (PDCA, Six Sigma), exception handling within risk tolerance, and ethical disclosure of vulnerabilities (full, responsible, non-disclosure), through to mandatory reporting and whistleblowing.
7.1 Remediation and continual improvement
The CISSP must establish a process, called remediation, to address findings from tests, assessments and audits. This mobilises project management skills: prioritise tasks, set timelines and milestones, track progress to completion. Audit findings can feed other parts of the programme (risk analysis): a deficient control reveals a poorly mitigated risk, which should trigger a review of the risk management process.
Control-environment changes fit a continual improvement approach. The most common model is PDCA (Plan-Do-Check-Act), also called the Shewhart or Deming wheel, in four steps. Plan: decide what needs to be done, set objectives and processes. Do: execute the plan (on a small scale). Check: evaluate results (statistical measures, observations, evaluations). Act (Adjust): from the Do and Check phases, identify root causes, reassess risk, reset the baseline; then the cycle restarts.
Six Sigma applies a similar five-step model (Define, Measure, Analyze, Improve, Control - DMAIC), repeated until the desired quality level. All major frameworks apply continual improvement to better align control performance with risk. Maturity (CMM) follows the same logic. No single model fits every organisation: tailoring considers culture, risk management, prioritisation, compliance and change management. Continual improvement is as much a mindset as a process.
- Remediation is a project management process (priority, milestones, tracking).
- A finding can feed risk analysis.
- PDCA = Plan, Do, Check, Act (Deming/Shewhart wheel).
- Six Sigma = DMAIC (5 steps); no universal model.
7.2 Exception handling
When a finding or indicator establishes that a control does not reach the agreed level of risk reduction, the usual response is to improve the control. In certain circumstances, the appropriate response is instead to adjust risk tolerance to align with control performance. The change management process must engage the system owner to determine the proper course.
When an evaluation reveals an issue that cannot be remediated, it must go through an exception process, modelled on policy exceptions (used when a system cannot meet a requirement). Exceptions may be granted, but only temporarily. If a permanent exception is requested, or if the same issue prompts repeated requests, it signals misalignment with the organisation's objectives, warranting updates to policies or governance decisions.
Concretely: if the situation is temporary and the system owner accepts the risk, change management documents the circumstances and flags the exception for review at an agreed date or event. If the owner refuses the additional risk, they must either resource the additional control or take other measures covering the new risk level. In all cases, exceptions must be documented, authorised and reviewed.
- Insufficient control: improve the control, or adjust risk tolerance.
- Exceptions are temporary, never permanent by default.
- A permanent/repeated request signals misalignment (revisit the policy).
- Every exception: documented, authorised, reviewed.
7.3 Ethical disclosure of vulnerabilities
Web applications, sites and services likely contain vulnerabilities. A community of researchers works to identify and report them responsibly, before a malicious actor exploits them: this is ethical or responsible disclosure. Organisations with web resources must be ready to receive these often-unexpected reports from external people. Three postures coexist.
Full disclosure: whoever discovers a weakness publishes it as fast as possible to all affected parties. Its advocates argue that not disclosing everything immediately leaves organisations at risk, and that public embarrassment pushes vendors to fix. Responsible disclosure: the discoverer first reports to the responsible organisation and gives it time to fix before publication; the delay is debated, but the idea is supported by Linus Torvalds, Microsoft, Google. Nondisclosure: do not disclose, sometimes the only legal and ethical path, when agreements (NDA), an ongoing investigation, privacy rights or protected financial data require it; safe harbor programs tried to create sharing channels but run afoul of GDPR.
Project Zero (Google, 2014) illustrates responsible disclosure: the team passes details to the vendor and, with no patch within 90 days, makes the weakness public; over 95% are fixed within the window. In the US, the Vulnerabilities Equities Process (VEP) arbitrates, case by case, the disclosure of vulnerabilities known to agencies. Add mandatory reporting (legal duty to report certain circumstances, e.g. crimes involving minors) and whistleblowing (ethical reporting, variably protected by jurisdiction, hence the value of professional insurance). The professional must clarify the legal status of whistleblowing before any disclosure.
- Full = everything, at once; responsible = grace period for the vendor; nondisclosure = do not disclose.
- Project Zero = 90-day responsible disclosure.
- Nondisclosure sometimes the only legal path (NDA, investigation, GDPR).
- Mandatory reporting (legal duty) != whistleblowing (ethical, variably protected).
Case studies
Setting up analysis and reporting
Context : After security testing, Prakash must analyse results and generate reports at Bank UYT, where no clear process existed. He asks his mentor to structure remediation, exception handling and ethical disclosure.
Question : How can Prakash prioritise remediation, handle exceptions and ethical disclosure, and ensure clear, actionable reports? (6.4.1-3)
Show analysis and answer
Prakash structures remediation as a project: prioritise by risk, set timelines and milestones, track to completion, and link findings to risk analysis. He sets up an exception process: any non-remediable issue is documented, authorised by the system owner, granted temporarily and reviewed at a deadline; a permanent or repeated request triggers a policy review. For ethical disclosure, he prepares the organisation to receive external reports and sets a posture (responsible disclosure by default, nondisclosure if law requires). On reporting, he tailors the level of detail to each audience, makes reports actionable (findings + recommendations), and relies on a continual improvement model (PDCA) to ensure a swift, effective response.
Takeaway : Prioritise by risk, document and review exceptions, choose a disclosure posture, and tailor reporting to the audience while keeping it actionable.
- Link findings to risk analysis.
- Exceptions: temporary, documented, authorised, reviewed.
- Tailor report detail to each audience, keep it actionable.
PDCA: no 'Calculate'
PDCA = Plan, Do, Check, Act. A classic trap offers 'Calculate' as a step: it is wrong. Six Sigma, by contrast, uses five steps (Define, Measure, Analyze, Improve, Control - DMAIC).
No test fixes: remediation is needed
A test, at best, identifies a problem; it does not fix it. After the testing phase always comes remediation. Likewise, an exception does not solve the risk, it formalises it temporarily pending treatment.
Responsible vs full disclosure
Responsible disclosure gives the vendor a grace period (Project Zero: 90 days) before publication. Full disclosure publishes immediately. Nondisclosure applies when NDA, investigation, privacy or protected financial data require it. Don't confuse the three.
Checkpoint — Knowledge check
-
PDCA is composed of four steps. Which is NOT one of them?
- A Calculate
- B Plan
- C Do
- D Act
Answer & rationale
Answer : A — Calculate
PDCA = Plan, Do, Check, Act. 'Calculate' is not one of them. Check (evaluating results) is the step often confused.
-
An external researcher reports a flaw to the vendor and gives 90 days before any publication. Which posture?
- A Responsible disclosure
- B Full disclosure
- C Nondisclosure
- D Mandatory reporting
Answer & rationale
Answer : A — Responsible disclosure
Reporting to the vendor and granting a grace period before publication is responsible disclosure (Project Zero model, 90 days). Full disclosure publishes immediately; nondisclosure does not disclose; mandatory reporting is a legal duty to report.
Key takeaways
- Remediation = project: prioritise, milestone, track; findings feed risk analysis.
- PDCA (Plan-Do-Check-Act) and Six Sigma (DMAIC) structure continual improvement.
- Exceptions: temporary, documented, authorised, reviewed.
- Disclosure: full (immediate), responsible (grace period), nondisclosure (NDA/law).
- Mandatory reporting (legal) and whistleblowing (ethical) complete disclosure.
Conduct or facilitate security audits
Prerequisites : Modules 1-7; SOC reports from Module 1.
Audit is the formal culmination of security evaluation. This module covers internal audits (chartering, scoping, testing, reporting, remediating with POA&M), SOC audit preparation, external audits and their types, plus third-party audits, managed services and the supply chain.
8.1 Internal audit and methodology
Assessments and audits can be conducted internally or by independent third parties. An independent evaluator gives more confidence in opinions, attestations and findings. Internal audit aims to determine whether controls meet the organisation's risk expectations; it also helps improve operational efficiency and prepare external audits. It is often conducted by the organisation itself (self-assessment), which demands rigour and a willingness to ask hard questions - many breached organisations discover their culture did not encourage this introspection.
Internal audit advantage: the auditors' familiarity with processes, tools and personnel. But that familiarity is also a risk: issues may be unintentionally overlooked, and the internal auditor may lack the independence for an objective assessment (temptation to downplay a major issue that would affect performance or relationships). Some organisations keep auditors on a separate team; for smaller ones, this is not always feasible.
The methodology follows phases. Chartering: management sponsors and resources the evaluation. Scoping: management determines depth, breadth, schedule, reporting format and who does the work (stakeholder engagement and risk assessment run throughout). Testing: conducting physical, technical and administrative controls (vulnerability assessment, penetration testing). Reporting: the report serves as a benchmark, a corrective tool or an artifact for external audit; the level of detail fits the audience, disclosure stays management's responsibility, and artifacts are protected. Remediating: associating results with corrective action; in the US, the Plan of Action and Milestones (POA&M) tracks the weakness, the proposed remediation, resources and schedule (NIST SP 800-37).
- Internal audit: benefit = familiarity; risk = lack of independence.
- Phases: chartering, scoping, testing, reporting, remediating.
- Management sets the scope; disclosure is its responsibility.
- POA&M tracks weakness, remediation, resources, schedule (NIST 800-37).
8.2 Preparing and conducting a SOC audit
For a service provider never audited before, preparing a first SOC examination typically follows two phases. The security professional plays a key advisory and execution role here.
The audit preparation phase begins by familiarising management and key personnel with the process and purpose of SOC examinations. The team then proceeds as with any major project: clearly establish schedule, scope and success criteria; determine the controls in the examination's scope, inventory current controls and identify missing ones; inventory documentation; use gap analysis techniques (readiness review) to identify and prioritise issues; develop and carry out recommendations to resolve discrepancies; verify resolution; and establish the audit and reporting approach best suited to external needs.
The audit phase starts once preparation is complete: the organisation is ready for its first formal audit. Having outside auditors examine the organisation in detail can be disruptive; good planning reduces it. It requires sound project management: build a detailed audit plan; collect all required artifacts in advance; provide access, workspaces and rooms; plan introduction meetings, progress reviews and outbriefings; conduct required tests and provide artifacts; allow auditors time for off-site analysis; resolve impediments collaboratively; provide draft and final report versions for management review; and conduct a post-audit (lessons-learned) review for the next cycle.
- First SOC: two phases (preparation then audit).
- Preparation: readiness review and gap analysis to close gaps.
- Audit: strong project management, artifacts collected in advance.
- Close with a lessons-learned review.
8.3 External audits: types and conduct
An external audit is an assessment by a third party demonstrating the organisation's controls meet a compliance standard - a standard that imposes consequences for non-compliance (financial penalties, criminal sanctions, activity limits). External audits are regular (risk, governance, finances) and employ an independent organisation with no conflict of interest; sometimes the compliance body audits. In all cases, the audited organisation is responsible for demonstrating compliance. External audits are often mandatory for regulatory compliance; their advantage is being thorough and unbiased, with auditors of specialised skill (e.g. SOC 2 under SSAE 18).
Chartering is the audited organisation's governing body's responsibility, setting schedule, scope, resources and coordination leads. Scope and objectives depend on the audit type and standard. The most common types: compliance audits (test specific controls vs a standard), financial audits (accuracy of financial reporting), operational audits (a process's internal controls), information systems audits (controls over IS development and operation), integrated audits (operational + financial), forensic audits (discover and report fraud or criminal activity).
Process: the auditee knows the applied standard in advance, allowing support preparation. Pre-audit planning identifies skills and resources, prepares an audit checklist (areas to investigate, artifacts, people to interview, schedule) shared with the auditee to close gaps. Audit execution collects artifacts, runs tests and interviews (on site and remotely). Audit reporting analyses and compiles a draft report shared with the auditee to correct errors and omissions, before presenting final results. The auditor must have sufficient expertise, possibly engaging a third party for specialised tests (authorised by the audit charter).
- External audit: independent, thorough, often mandatory; the auditee proves compliance.
- Types: compliance, financial, operational, IS, integrated, forensic.
- Pre-audit planning + audit checklist shared with the auditee.
- The draft report is reviewed with the auditee before final results.
8.4 Third-party audits, managed services and supply chain
Third-party relationships cover supply chains and providers: CSPs, ISPs, managed security services, consultants, but also hardware/software vendors (considered part of the supply chain). Third-party audit is a key risk management tool: the security practitioner can conduct the audit or request an audit report from the third party. The shared objective is to identify third-party risks that could impact your organisation and assess the effectiveness of mitigations. Common examples: SOC 2 and CSA STAR. Auditing the practices of third parties with access to your sensitive data is vital, because many privacy laws hold the data controller legally responsible for a breach, even one caused by a data processor (e.g. a cloud).
Two processes should drive identifying and characterising all third parties (risk, compliance, or both). Contract terms must establish security and compliance responsibilities; otherwise, that gap must be closed, contracts renegotiated. A third party may itself have relationships (its own providers or clients): the first party must identify the mix of risk and compliance and resolve it with the third party.
Managed services hand a third party responsibility for all or part of a set of functions. The security professional engages on two fronts: those delivering IT/security services (identity, incident response, BC/DR) and those who, on other services, have shared access to the organisation's assets. Ideally, a contract and SLA establish a cooperative relationship giving visibility into the provider's audits and allowing your own testing. At minimum, SLAs must grant summary-level information on security audits. Finally, organisations also exist in others' supply chains: supply chain management principles apply upstream (suppliers) and downstream (customers); the ISO 28000 series addresses supply chain security management. Evidence collection (field work) happens in person or remotely, on on-premises, cloud or hybrid assets, the shared responsibility model clarifying who owns which controls (e.g. physical security of the infrastructure provider's data centres).
- Third-party audit: conduct it or require a report (SOC 2, CSA STAR).
- The data controller remains liable for a breach caused by a processor.
- Managed services: require at minimum a summary of security audits (SLA).
- Upstream/downstream supply chain; ISO 28000; shared responsibility model.
Case studies
Engaging external auditors for an integrated audit
Context : Bank UYT's board informs Prakash that an external integrated audit of operational and financial system controls must be chartered soon.
Question : What criteria to select the auditors, how to align the audit with security objectives, and how to handle findings? (6.5.2, 6.5.3)
Show analysis and answer
Selection criteria: independence (no conflict of interest), specialised skills (an integrated audit combines operational and financial controls; for a SOC 2, SSAE 18 expertise is required), reputation, and ability to cover the board-defined scope. To align the audit with security objectives, Prakash takes part in chartering and scoping (the board sets schedule, scope, resources, coordinators), prepares an audit checklist shared with the auditors, collects artifacts in advance, and ensures the applied standard matches the bank's risks. To handle findings: review the draft report with the auditors to correct errors and omissions, then structure remediation (risk-based prioritisation, POA&M, milestones) and feed continual improvement, strengthening overall resilience.
Takeaway : Choose independent, qualified auditors (SSAE 18 for SOC 2); scope via charter/scope/checklist; review the draft then remediate via POA&M.
- Independence and specialisation come first when choosing an external auditor.
- The draft report is reviewed with the auditee before finalisation.
- Remediation is organised via a risk-prioritised POA&M.
The drawback of the internal audit
The main drawback of the internal audit is the lack of independence: familiarity with the organisation may incentivise downplaying a major issue (to avoid harming performance or relationships). Familiarity and effective problem identification are, by contrast, benefits.
Third party: SOC 2 Type II for a critical provider
For a provider integral to operations, a robust third-party audit strategy considers using third-party auditors, for example via a SOC 2 Type II report, which provides independent insight into its control effectiveness. Don't limit to internal resources or to regulated providers only.
Checkpoint — Knowledge check
-
What is a potential drawback of internal audits?
- A The incentive to downplay major issues
- B Lack of familiarity with processes and personnel
- C Effective identification of potential problems
- D Excessive independence from the organisation
Answer & rationale
Answer : A — The incentive to downplay major issues
Because of their familiarity with the organisation, internal auditors may lack independence, creating an incentive to downplay a major issue. Familiarity and effective problem identification are, by contrast, benefits.
-
For a provider critical to your operations, what is a sound third-party audit strategy?
- A Use third-party auditors, for example via a SOC 2 Type II report
- B Audit only with internal resources
- C Limit audits to regulated-service providers
- D Rely exclusively on internal stakeholder reports
Answer & rationale
Answer : A — Use third-party auditors, for example via a SOC 2 Type II report
Using third-party auditors, notably via a SOC 2 Type II, provides independent insight into the provider's control effectiveness. Limiting to internal resources, regulated providers only, or internal reports does not give a complete assessment.
Key takeaways
- Internal audit: familiarity (benefit) vs independence (risk); phases chartering->remediating.
- POA&M tracks weakness, remediation, resources, schedule.
- First SOC audit: preparation phase (readiness/gap analysis) then audit phase.
- External audit: independent, types compliance/financial/operational/IS/integrated/forensic.
- Third-party audit: SOC 2/CSA STAR; the data controller stays liable; ISO 28000 for the supply chain.
Domain summary
Security assessment and testing is an essential component of any successful security programme: structuring assessment practice, supporting audits and conducting meaningful control assessments keep activity within an acceptable level of risk.
The number and diversity of frameworks keep growing. Selecting a framework that fits the business process is best practice, but a framework is never a substitute for analysis: it is not a checklist that, once ticked, makes an organisation secure.
Several techniques combine: vulnerability scanning (automated tools finding known vulnerabilities), penetration testing (controlled exploitation to measure control effectiveness) and social engineering (psychological manipulation to test user vigilance). Add code review (SAST/DAST), synthetic transactions and RUM, misuse and negative testing, breach and attack simulation.
Collecting process data (account management, KPI/KRI, backups, SETA, BC/DR) feeds data-driven decisions. Analysing results drives remediation, exception handling and ethical disclosure via continual improvement models (PDCA, Six Sigma). Finally, internal, external and third-party audits - and reading SOC reports - provide the formal assurance stakeholders expect.
It is vital to run regular assessments and use their results to prioritise remediation and improve controls.
Glossary (Terms & Definitions)
The key Domain 6 terms, to master in English for the exam.
| Term | Definition |
|---|---|
| Artifact | A piece of evidence, such as text or a reference to a resource, submitted to support a response to a question. |
| Assessment | The testing or evaluation of controls in a system or organization to determine whether they are implemented correctly, operating as intended, and producing the desired outcome against security or privacy requirements. |
| Audit / Auditing | The process of reviewing a system for compliance against a standard or baseline; it can be formal and independent, or informal using internal staff. |
| Chaos Engineering | The discipline of experimenting on a software system in production to build confidence in its capability to withstand turbulent and unexpected conditions. |
| Compliance Calendar | A calendar tracking an organization's audits, assessments, required filings, and their due dates and related details. |
| Compliance Tests | An evaluation providing assurance that an organization's controls are applied in accordance with management policies and procedures. |
| Ethical Penetration Testing / Penetration Testing | A testing method where testers actively attempt to circumvent or defeat a system's security features; ethical penetration testing is contractually constrained to stay within defined rules of engagement (RoE). |
| Examination | The process of reviewing, inspecting, observing, studying, or analyzing assessment objects to facilitate understanding, achieve clarification, or obtain evidence. |
| Finding(s) | Assessment results produced by applying an assessment procedure to a security control or control enhancement to achieve an assessment objective. |
| Interview(s) | An assessment technique of holding discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or obtain evidence. |
| Judgmental Sampling | Also called purposive or authoritative sampling: a nonprobability technique where sample members are chosen based on the researcher's knowledge and judgment. |
| Misuse Case Testing | A testing strategy from the viewpoint of an actor hostile to the system, using deliberately chosen action sets that could lead to integrity failures or security compromises. |
| Plan of Action and Milestones (POA&M) | A document identifying tasks needing to be accomplished, the resources required, milestones, and scheduled completion dates. |
| Rules of Engagement (RoE) | A set of rules, constraints, and conditions establishing limits on what participants may or may not do; in penetration testing they define scope and liability limitations. |
| Statistical Sampling | The process of selecting subsets of examples from a population to estimate properties of the total population. |
| Substantive Test | A testing technique used by auditors to obtain audit evidence supporting the auditor's opinion. |
| Testing | The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior. |
| Trust Services Criteria (TSC) | The criteria an auditor uses to evaluate the design and operating effectiveness of controls relevant to security, availability, processing integrity, confidentiality, or privacy (used in SOC 2 reports). |
| SOC 1 Report | A service organization report (SSAE 18 / ISAE 3402) addressing controls relevant to user entities' internal control over financial reporting. |
| SOC 2 Report | A report on a service organization's controls evaluated against the Trust Services Criteria; restricted-use, shared with the client organization and its auditors. |
| SOC 3 Report | A public, summary version of a SOC 2 report, freely distributable, without detailed test procedures or results. |
| Type I Report | A SOC report assessing the suitability of the design of controls at a specific point in time. |
| Type II Report | A SOC report assessing both the design and the operating effectiveness of controls over a period (typically 6-12 months); a SOC 2 Type II is sought for critical vendors. |
| Attestation | An independent auditor's statement on the reliability of a management assertion (e.g., control compliance), based on gathered evidence. |
| Vulnerability Scanning | The automated use of tools to identify known vulnerabilities in information systems; it can also detect insecure protocols such as FTP. |
| Vulnerability Assessment | An essential task in evaluating a system's security: identifying vulnerabilities then analyzing their impact given the organization's unique configuration. |
| Penetration Testing (Black / White / Grey Box) | Pen testing categorized by knowledge provided: black box (no information), white box (full information including code/architecture), grey box (partial knowledge). |
| Red Team | A group simulating a malicious attacker to identify vulnerabilities, exploit weaknesses, and assess the organization's security posture. |
| Blue Team | The defensive team responsible for detecting, countering, and responding to red team actions and hardening security controls. |
| Purple Team | A collaborative approach bridging red and blue teams to maximize feedback sharing and continuous improvement of defenses. |
| Social Engineering | A technique using psychological tactics to deceive users into disclosing confidential information or taking actions that compromise security. |
| Breach and Attack Simulation (BAS) | An automated platform that continuously replays realistic attack scenarios to validate the effectiveness of detection and prevention controls. |
| Static Application Security Testing (SAST) | Security analysis of source or binary code without executing it (white box), to find vulnerabilities early in the development lifecycle. |
| Dynamic Application Security Testing (DAST) | Security testing of a running application (black box), probing exposed interfaces to detect exploitable flaws. |
| Interactive Application Security Testing (IAST) | A hybrid test combining internal instrumentation (like SAST) with runtime execution (like DAST) for more accurate detection. |
| Fuzzing | A technique injecting malformed, random, or unexpected inputs to trigger failures and reveal vulnerabilities. |
| Code Review | Manual or assisted peer examination of source code to detect security, logic, or quality defects before deployment. |
| Test Coverage Analysis | Measurement of how much of the code or requirements is actually exercised by tests, identifying untested areas. |
| Regression Testing | Re-testing after a change to verify a fix or enhancement has not reintroduced defects or broken existing functionality. |
| Interface Testing | Testing the exchange points between components, systems, or APIs (network, application, physical interfaces) to validate correct operation. |
| Misuse Case | A negative use case describing how a hostile actor would abuse the system, used to derive security requirements and tests. |
| Synthetic Transactions | Scripted transactions replayed automatically against an application to proactively measure availability and performance. |
| Real User Monitoring (RUM) | Passive monitoring of real users' actual interactions with an application to measure performance and lived experience. |
| Log Review | Analysis of system, application, and security logs to detect anomalies, incidents, and compliance deviations. |
| Account Management Review | Periodic review of accounts and their privileges to confirm least privilege and detect orphaned accounts or excessive access. |
| Backup Verification | Verification that backups exist, are intact, and are restorable, typically through regular restore testing. |
| Management Review | A formal leadership review of assessment results, KPIs/KRIs, and ISMS effectiveness to guide decisions and resource allocation. |
| Key Performance Indicator (KPI) | A backward-looking indicator measuring achievement of performance objectives (e.g., percentage of vulnerabilities remediated on time). |
| Key Risk Indicator (KRI) | A forward-looking indicator signaling changes in risk exposure to anticipate breaches of risk appetite. |
| Internal Audit | An audit performed by internal staff; it requires sufficient skills and allocated time/resources but is less independent than an external audit. |
| External Audit | An audit chartered with an independent organization having no conflict of interest, covering risk, governance, or financial status. |
| Third-Party Audit | An audit strategy covering any third party affecting operations or handling sensitive data; it may rely on a vendor's SOC 2 Type II report. |
| Self-Assessment | An internal evaluation demanding organizational rigor and introspection; successful organizations follow a consistent methodology. |
| Security Control Testing | Evaluating a control through a combination of testing, examination, and interview (and possibly modeling and simulation) in a consistent, structured, and repeatable manner. |
| NIST SP 800-53A | NIST guide of assessment procedures for the security and privacy controls in SP 800-53, defining the test, examination, and interview methods. |
| ISO/IEC 27001 | An international certifiable standard specifying the requirements for an information security management system (ISMS). |
| ISO/IEC 27002 | A code of practice providing detailed implementation guidance for information security controls. |
| PCI DSS | The Payment Card Industry Data Security Standard for entities handling payment cards; it mandates regular vulnerability scans and penetration tests. |
| Common Vulnerabilities and Exposures (CVE) | A public catalog assigning a unique identifier to each publicly disclosed known vulnerability. |
| Common Vulnerability Scoring System (CVSS) | A standardized framework scoring vulnerability severity from 0 to 10 using base, temporal, and environmental metrics. |
| False Positive | An alert wrongly flagging a vulnerability or incident that does not exist, consuming triage resources. |
| False Negative | A failure to detect a real vulnerability or incident, the most dangerous case because the risk remains unseen. |
| Compensating Control | An alternative control reducing risk when the primary control is impractical (e.g., network segmentation to limit FTP usage). |
| Risk Assessment | An assessment identifying an organization's assets then measuring the likelihood and impact of risks that could affect them. |
| Modeling and Simulation | An assessment method combining modeling, simulation, and analysis of operational data to estimate a control's performance. |
Domain key takeaways
What you must remember
- Security assessment and testing evaluates control effectiveness and pinpoints vulnerabilities.
- It combines several techniques: vulnerability scanning, penetration testing, social engineering, code review.
- Vulnerability scanning automates the identification of known vulnerabilities.
- Penetration testing exploits vulnerabilities in a controlled environment to gauge controls.
- Social engineering tests the human factor (phishing, pretexting).
- Regular assessments ensure new vulnerabilities are found and controls stay effective.
- Results are used to strategically prioritise remediation and strengthen controls.
- Testing is a method of gathering information: it can serve an audit, an assessment, or stand alone.