Course — Domain 6 · 12% · 13 h

Security Assessment and Testing

Domain 6 answers a simple question: how do you know the security controls actually work? Many systems reach production with rushed testing, and much commercial software is built with too light a view of security. The result: organisations fail their audits, assessments and compliance reviews, or lose business for having built their processes on an insecure base.

This domain equips the security professional to design assessment strategies, run control testing (vulnerability assessment, penetration testing, code review, software testing), collect process data, analyse results and conduct or facilitate audits. It stresses three high-yield exam distinctions: assessment vs testing vs audit, SAST vs DAST, and SOC 1/2/3 with Type I vs Type II.

Learning outcomes

By the end of this course you will be able to

  • Distinguish assessment, testing and audit, and choose formal vs informal, internal vs external vs third-party.
  • Select frameworks and standards (NIST RMF, CSF, ISO 27000, SOC/SSAE 18, PCI DSS).
  • Run a vulnerability assessment and ethical penetration testing (RoE, box testing, red/blue/purple).
  • Pick the right software test technique: SAST/DAST, misuse case, negative, coverage, interface.
  • Collect process data: account management, KPI/KRI, backups, SETA, BC/DR tests.
  • Manage remediation, exceptions and ethical disclosure; read a SOC report.

Prerequisites : Domain 1 (risk management, due care/due diligence, governance), Domain 5 (IAM, accounts, AAA) and Domain 8 notions (SDLC) help. No advanced technical prerequisite.

Suggested path

Suggested path: 4 sessions of 3 to 4 hours over 2 to 3 weeks. Redo the checkpoints before moving on, then the full quiz (150+ Q) as a final review.

  1. Session 1 - Strategies and methods

    MODULE 1 · MODULE 2

    Assessment/audit/testing, SOC, methods, logs, sampling.

  2. Session 2 - Offensive and software testing

    MODULE 3 · MODULE 4

    Vulnerability assessment, pentest, SAST/DAST, coverage, interface.

  3. Session 3 - Process data

    MODULE 5 · MODULE 6

    Account management, KPI/KRI, backups, SETA, BC/DR tests.

  4. Session 4 - Analysis and audits

    MODULE 7 · MODULE 8

    Remediation, PDCA, ethical disclosure, internal/external/third-party audits, SOC.

Module 1 Objective 6.1 110 min Foundational

Assessment, test and audit strategies

Prerequisites : Risk and compliance notions from Domain 1.

Before testing anything, the organisation needs a formal strategy to evaluate its control environment. This module sets the vocabulary (assessment, audit, test, finding), the types (formal/informal), the perspectives (internal/external) and the standards that structure practice, including the SOC report family.

Learning objectives

  • Define and distinguish assessment, audit and testing.
  • Differentiate formal and informal, internal and external testing.
  • Identify assessment frameworks (RMF, CSF, ISO 27000, SOC).
  • Master SOC 1/2/3 and SOC for Cybersecurity, Type I vs Type II, TSC.

Success criteria

  • I can say why an audit needs more independence than an assessment.
  • I match the right SOC report and Type to a client need.
  • I list the 5 elements of a finding.

1.1 Assessment, audit, testing: three words, three realities

Three cards comparing assessment, testing and audit by scope and formality
Figure 1.1 · Assessment (broad, management), testing (execution), audit (formal, independent).

Assessment vocabulary is confusing because different professions use close terms. Three notions must be crisp.

An assessment is a broad evaluation of controls against management expectations. Its scope, schedule and reporting are set by management; it often precedes an audit to spot and fix weaknesses.

An audit is a structured review of information, observations and data to measure compliance with a defined standard. The evidence examined is called artifacts (log, policy, interview result). A formal audit requires independent evaluators, outside the management chain responsible for the system: this independence ensures no undue influence skews judgment.

Testing compares the actual behaviour of a system, process or activity, under defined conditions, with its expected behaviour. Testing is a building block that can serve an assessment or an audit, but can also stand alone as security monitoring. Key point: expected performance must be defined BEFORE testing, otherwise you cannot conclude.

Finally, an evaluation is formal (against a legal, regulatory or contractual standard, by independents) or informal (to gather observations and insight, not directly for compliance). Informal often gives management a preview of what a formal audit would reveal.

Key terms Assessment Audit Testing Artifact Formal vs informal
Key points
  • Assessment = broad, management-driven; Audit = formal vs a standard, independent; Testing = execution, reusable block.
  • Independence is the central requirement of a credible audit.
  • Define the expected before testing, otherwise no conclusion is possible.
  • Formal = compliance vs a standard; informal = observations with no direct aim.

1.2 Anatomy of a finding and testing perspectives

Diagram of the five elements of a finding around a central core
Figure 1.2 · The five components of an audit finding.

An audit result is delivered as findings, compiled into a report given to the chartering organisation. A typical finding has five elements: Condition (what the audit observed), Criteria (the measuring standard), Cause (why the gap exists), Effect (the gap and its significance) and Recommendation (the corrective action). A finding's accuracy depends on artifact integrity: they must reflect the true state of the control against its objective.

Testing follows an internal or external perspective. Internal testing assumes the identity of a trusted insider or an attacker who has already crossed the perimeter (see NIST SP 800-115); it covers application configuration, authentication, access control and hardening, and may include privilege escalation. Insider threats remain a major source of compromise. External testing takes the view of an untrusted individual outside the perimeter, to find weaknesses exploitable from outside.

Practical rule: if both external AND internal are planned, run external first, because the information available to internal testing is generally richer. The internal/external distinction blurs with zero trust and deperimeterization, which apply controls based only on the privileges needed for a task.

Key terms Finding Internal testing External testing Zero trust
Key points
  • Finding = Condition + Criteria + Cause + Effect + Recommendation.
  • Internal test = insider; external test = untrusted outsider.
  • If both: external first (internal has more info available).
  • Zero trust and deperimeterization blur the internal/external line.

1.3 Assessment standards and frameworks

Map of compliance standards by sector with cross-cutting frameworks
Figure 1.3 · Sector standards and cross-cutting assessment frameworks.

Standards and frameworks form a virtuous circle with laws and market expectations: all incentivise good practice. Several anchors structure security evaluation.

NIST Risk Management Framework (RMF, SP 800-37 Rev. 2) is the reference for US federal agencies and many of their contractors. Two useful companions: SP 800-53 Rev. 5 (security and privacy controls) and SP 800-171 (protecting controlled unclassified information at non-federal entities).

NIST Cybersecurity Framework (CSF) offers a voluntary, risk-driven maturity model, simpler and incremental; it emphasises detecting an incident. ISO 27000 serves as an audit framework to evaluate an ISMS and is widely adopted outside the United States.

Finally, the AICPA control-evaluation framework, known through its SOC reports, evaluates an organisation against the Trust Services Criteria. Beyond that, many organisations fall under several sector frameworks at once: PCI DSS (cards), IEC 62443 (industrial control), Cyber Essentials (UK), NERC CIP (US critical infrastructure), CSA STAR (cloud), SWIFT CSCF (finance). The UK NCSC also proposes 12 supply chain security principles (understand the risks, establish control, check, continuous improvement).

Key terms NIST RMF NIST CSF ISO 27000 PCI DSS CSA STAR
Key points
  • RMF (800-37) + 800-53 (controls) + 800-171 (non-federal CUI).
  • CSF = voluntary, maturity, detection emphasis.
  • ISO 27000 = ISMS audit, strong outside the US.
  • Sector: PCI DSS, IEC 62443, NERC CIP, CSA STAR, SWIFT, Cyber Essentials.
  • NCSC: 12 supply chain security principles.

1.4 SOC reports: 1, 2, 3 and Cybersecurity

Table of SOC 1/2/3 and SOC for Cybersecurity reports with Type I and Type II
Figure 1.4 · Which SOC report, which type, for which need.

The SOC (Service Organization Control) framework, defined by SSAE 18 (partly updated by SSAE 20), lets a provider attest to its controls for its clients. Four reports, not to be confused.

SOC 1 attests to internal controls over financial reporting (ICFR). It cannot cover disaster recovery or privacy.

SOC 2 (also called the Trust Services Criteria report) evaluates security controls against five criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy (memo CIANA+P). It is confidential and may cover only a subset of the criteria depending on the provider's needs.

SOC 3 gives a public, less technical summary of a SOC 2: a releasable showcase, often on the provider's website.

SOC for Cybersecurity specifically targets the cybersecurity programme (plans, processes, services) based on the 2017 TSC.

Two types apply to SOC 1 and SOC 2. Type I evaluates the design (suitability of design) of controls at a point in time: an expression of due care. Type II additionally evaluates the operating effectiveness of controls over a period (usually 6 to 12 months): the expression of due diligence. SOC 2 Type II is generally preferred, and it is the report to request from a third-party provider integral to operations. SOC 3 and SOC for Cybersecurity are single-type.

Key terms SOC 1 SOC 2 SOC 3 Type I Type II SSAE 18
Key points
  • SOC 1 = finance (ICFR); SOC 2 = security (TSC, confidential); SOC 3 = public summary.
  • SOC 1 covers neither DR nor privacy.
  • Type I = design (point in time, due care); Type II = effectiveness (period, due diligence).
  • For a critical third party: request a SOC 2 Type II.
  • TSC = Security, Availability, Processing Integrity, Confidentiality, Privacy.

1.5 Trust Services Criteria and attestation standards

The five Trust Services Criteria with Security as the common criterion
Figure 1.5 · The five SOC 2 TSC (memo CIANA+P).

The Trust Services Criteria (TSC) are the criteria an auditor uses to evaluate the suitability of design and operating effectiveness of controls relevant to security, availability, processing integrity, confidentiality and privacy. Developed by AICPA and CICA, they were realigned in 2017 with the 17 principles of the COSO framework. Security is the mandatory common criterion; the others are added per the provider's needs.

On attestation standards, AICPA issues the SSAEs, compliance standards that certified auditors apply when an organisation engages them to attest to its controls. The old SAS 70 (Type I and Type II) was replaced by SSAE 16 then SSAE 18, drawing on the international ISAE 3402. An SSAE 18 / ISAE 3402 report typically has five sections: the auditor's opinion, the organisation's written attestation, the description of controls and objectives, the tests of operating effectiveness, and additional information.

Lesson of SAS 70: it was designed for ICFR, but many repurposed it for security, availability and privacy needs. SOC reports now clarify usage. Finally, evidence collection (field work) can happen on site or remotely, on on-premises, cloud or hybrid assets; the cloud shared responsibility model helps determine who owns which control.

Key terms Trust Services Criteria SSAE 18 ISAE 3402 COSO Attestation
Key points
  • TSC aligned with the 17 COSO principles (2017); Security is mandatory.
  • SAS 70 -> SSAE 16 -> SSAE 18; ISAE 3402 = international counterpart.
  • An SSAE 18 report has 5 sections (opinion, assertion, controls, tests, extras).
  • SAS 70 misused: designed for ICFR, wrongly used for security.
  • Cloud: the shared responsibility model sets who owns each control.

Case studies

Case · Profile discussion (Bank UYT)

Internal, external and third-party: how to prioritise?

Context : At Bank UYT, the CISO asks Prakash to spell out the considerations for designing internal testing, external testing and third-party assessor engagement strategies, given a range of financial services.

Question : How should each assessment type be prioritised by the criticality of different systems and services? (6.1.1-3)

Topics covered Risk-driven assessment strategyInternal vs external vs third-partyIndependence and audit credibilityChoosing the SOC report for a provider
Show analysis and answer

Prioritisation follows risk. The most critical systems (payments, regulated customer data) warrant the highest assurance: external testing first (attacker view), then internal testing (insider view, richer in information), and an independent third-party report (e.g. SOC 2 Type II) for providers integral to operations. Less sensitive systems can rely on more frequent, less formal internal assessments. Independence grows with criticality and compliance stakes: a credible audit needs evaluators outside the system's management chain.

Takeaway : Prioritise by risk; reserve maximum independence (third party, SOC 2 Type II) for the most critical systems and providers.

Key learning points
  • External first, then internal (internal has more info).
  • The more critical the system, the stronger the independence required.
  • SOC 2 Type II = evidence of a third party's control effectiveness.
Case · Activity (Bank UYT)

Which standards for a bank?

Context : The CISO asks Prakash to review updates to applicable frameworks to inform Bank UYT's internal and external testing strategies.

Question : Name at least two relevant assessment standards or frameworks and how to implement them given the bank's services. (6.1.1-4)

Show analysis and answer

A bank typically falls under several frameworks: PCI DSS for payment cards (annual audit, cardholder data scope), SOC 2 to reassure clients and partners on security controls, NIST RMF or CSF to structure maturity, ISO 27000 for the ISMS. Add ISAE 3000 (international audit) and the SWIFT Customer Security Controls Framework for international transactions. Implementation means mapping obligations, scheduling audits in a compliance calendar, and selecting the framework that fits the business process, without mistaking it for a mere checklist.

Takeaway : An organisation under several frameworks schedules audits in a compliance calendar; a framework aids analysis, it is not a magic checklist.

Exam pitfall

Assessment vs audit: formality

The primary difference is the degree of formality. The assessment is a broader, less formal evaluation (measures risk likelihood, process quality). The audit is a structured, formal process, systematically analysing an object vs predefined criteria. Both can target the same assets.

Exam pitfall

SOC 1 vs SOC 2 vs SOC 3

SOC 1 = financial reporting (ICFR). SOC 2 = security controls via the Trust Services Criteria, confidential. SOC 3 = public summary of a SOC 2. Classic trap: tying SOC 2 to finance. And SOC 1 cannot cover disaster recovery or privacy.

Exam pitfall

Type I vs Type II

Type I = control design at a point in time (suitability of design), an expression of due care. Type II = operating effectiveness over a period (often 6 to 12 months), the expression of due diligence. To evaluate a provider over time, require a Type II.

Checkpoint — Knowledge check

  1. What is the primary distinction between an assessment and an audit?

    • A The level of formality involved in the process
    • B The assets targeted for evaluation
    • C The likelihood of a specific risk
    • D The quality of process documentation
    Answer & rationale

    Answer : A — The level of formality involved in the process

    Assessment and audit are close, but the audit is more structured and formal (systematic analysis vs criteria). Both can target the same assets and evaluate risk likelihood or documentation quality.

  2. A cloud provider integral to your operations must prove the effectiveness of its security controls over time. Which report do you request?

    • A SOC 2 Type II
    • B SOC 1 Type I
    • C SOC 3
    • D SOC 1 Type II
    Answer & rationale

    Answer : A — SOC 2 Type II

    SOC 2 targets security controls (TSC); Type II evaluates operating effectiveness over a period. SOC 1 concerns financial reporting (ICFR). SOC 3 is only a public summary.

Key takeaways

  • Assessment (broad, management), audit (formal, independent), testing (execution).
  • Finding = Condition, Criteria, Cause, Effect, Recommendation.
  • External before internal; zero trust blurs the line.
  • SOC 1 finance, SOC 2 security (confidential), SOC 3 public; Type I design, Type II effectiveness.
Module 2 Objective 6.2 95 min Foundational

Methods and artifacts: examination, interview, logs, sampling

Prerequisites : Module 1 (assessment, audit, testing).

Evaluating a control rests on three complementary methods: testing, examination and interview. This module details how to scope an evaluation (assessment policy, tailoring, sampling), then focuses on two central tools: log review and the compliance test vs substantive test distinction.

Learning objectives

  • Choose between testing, examination and interview to evaluate a control.
  • Scope an evaluation: assessment policy, tailoring, sampling.
  • Run a log review compliant with frameworks.
  • Distinguish compliance test and substantive test.

Success criteria

  • I map each method (testing/examination/interview) to a use.
  • I tell statistical sampling from judgmental sampling.
  • I label a test as compliance or substantive.

2.1 Three methods: testing, examination, interview

Diagram of assessment tailoring leading to examination, interview, test activities
Figure 2.1 · Tailoring points to the right assessment methods.

Evaluating a control is done by any combination of testing, examination and interview; modelling, simulation and analysis may be added. Each method measures a system's compliance with its requirements and specifications. Proper method selection drives the level of assurance.

Examination means reviewing, inspecting, observing or analysing an assessment object (specifications, mechanisms, activities). An administrative control like a policy is checked by reading the document; a business process is observed (running backups, wearing a badge). Examination does not require the assessor to direct the operation or interact with stakeholders. Reviewing real performance documentation (access registers, transactions, logs) is one of the most valuable tools.

Interview identifies the frequent gap between the documented process and actual practice. Interview subjects are defined during chartering and named in the pre-audit checklist; depth and breadth must be clarified. Interview documentation (questionnaires, recordings with consent, notes) must be secured per its classification.

Testing compares actual behaviour to expected behaviour under defined conditions. Once confined to development, it now serves throughout a system's operational life. A complete control may require several methods: a mere examination is not always enough, and additional tests or interviews may be needed. The organisation must establish the assessor's need to know, without granting unlimited out-of-scope access.

Key terms Examination Interview Testing Need to know
Key points
  • Three combinable methods: testing, examination, interview.
  • Examination = read/observe without directing; interview = close the doc vs practice gap.
  • A complete control may need several methods.
  • Establish the assessor's need to know (no unlimited access).

2.2 Scoping and sampling the evaluation

Initial build, context update and targeted assessment activities
Figure 2.2 · Scoping an assessment: refresh context before targeting.

Assessment activities are planned by the security assessment policy, which sets the rules for planning, conduct and reporting. Management provides high-level direction: identify how the context has changed since the last assessment, along three key elements - the threat landscape, business logic and compliance regime. This yields a focused, down-selected set of assessments to run (tailoring).

The assessment is then tailored to the control assessed, by its type, intended depth and the specifics of the compliance requirement. Since you can rarely examine everything, you rely on a sample. Statistical sampling uses the laws of probability to infer a control's performance over the whole population. Judgmental sampling (also purposive or authoritative) relies on the assessor's expertise to choose systems or events, prioritising those that present the greatest risk.

The organisation cannot ignore its confidentiality, integrity and availability obligations during the assessment: convenient as unlimited assessor access may be, that privilege may exceed scope.

Key terms Assessment policy Tailoring Statistical sampling Judgmental sampling
Key points
  • Tailoring refreshes threat landscape, business logic, compliance.
  • Statistical = probability; judgmental = judgment, prioritises risk.
  • We sample because we cannot examine everything.
  • Respect CIA and scope during the assessment.

2.3 Log reviews

Incident response cycle fed by log review
Figure 2.3 · Logs feed audit, incident detection and forensic analysis.

All major frameworks stress logging practice. ISO 27001:2013 control 12.4.1 requires event logs (user activities, exceptions, faults, security events) to be produced, kept and regularly reviewed. NIST SP 800-92 (Guide to Computer Security Log Management) treats log review as a component of log management. Review serves not only security assessment, but also the identification of incidents, policy violations, fraud and operational problems near the time of occurrence. Reviewing historic audit logs can determine whether an identified vulnerability has already been exploited.

Several regulations mandate diligent reviews: GLBA (protecting financial institutions' customer data), HIPAA (regular audit log reviews, 6-year retention), SOX (regular log review to spot violations), PCI DSS (track all access to network resources and cardholder data).

Log management follows four key practices: prioritise log management across the organisation; establish policies and procedures; create and maintain a secure log management infrastructure (a SIEM helps with storage and analysis, able to absorb peaks during an incident, pentest or scan); provide adequate support (training, tools) to staff. Log security (ISO 12.4.2) protects against tampering and unauthorised access; logs can contain sensitive data (passwords, email content) and must be protected for confidentiality and integrity, with compliant retention. Rootkits often aim to alter logs to erase their traces.

Key terms NIST SP 800-92 ISO 27001 12.4.1 SIEM Retention
Key points
  • GLBA, HIPAA, SOX, PCI DSS all mandate log reviews (they all do).
  • NIST SP 800-92 = log management reference; ISO 12.4.1 / 12.4.2.
  • A SIEM absorbs peaks (incident, pentest, scan).
  • Secure logs: tampering, access, retention; rootkits target them.

2.4 Compliance test vs substantive test

Comparison of control test types
Figure 2.4 · Compliance test (existence) vs substantive test (operation).

Tests fall into two families. The compliance test determines, in the assessor's opinion, whether the control exists and operates correctly. Example: compare a sample of employees entitled to access a system with the list of named users; the expected result is that the two lists match.

The substantive test evaluates the proper operation of the process itself. In the same example, the tester performs an onboarding to grant access to a new user, attempts an authorised transaction with those credentials, then offboards the identity; they then review the logs to verify all transactions executed and were tracked correctly. The substantive test gives a higher degree of assurance that the process behaves as expected, but takes more time and resources.

Distinguish this from compliance testing in the broad sense (also called conformity testing), which validates that a system has been designed and configured to meet the organisation's security requirements: that is the right answer when the question is about validating against defined standards. Note finally: the substantive test is also the technique by which an auditor obtains evidence to support their opinion.

Key terms Compliance test Substantive test Conformity testing
Key points
  • Compliance test = control existence/operation (compare 2 lists).
  • Substantive test = proper process operation (onboarding -> transaction -> offboarding -> logs).
  • Substantive = more assurance but more costly.
  • Compliance/conformity testing validates against the organisation's standards.

Case studies

Case · Teaching scenario

Which method for which control?

Context : An assessor must evaluate three controls at Bank UYT: (a) the password policy, (b) actual adherence to the account revocation procedure when an employee leaves, (c) the presence of a technical control restricting access to a critical system to business hours.

Question : For each control, which method (examination, interview, testing) fits best, and why?

Topics covered Assessment method selectionCompliance vs substantive testLogs as artifacts
Show analysis and answer

(a) Password policy: examination - just read the document and check the system configuration. (b) Revocation adherence: interview (to understand actual practice vs the documented procedure) plus a substantive test (run an offboarding and check the logs). (c) Time control: testing - attempt an out-of-hours access and verify the denial, relying on logs as artifacts (positive and negative evidence). A complete control often combines several methods.

Takeaway : Administrative -> examination; practice/doc gap -> interview; technical behaviour -> testing. Logs serve as positive and negative evidence.

Key learning points
  • Pick the method by the nature of the control.
  • A substantive test proves operation, not just existence.
  • Logs provide positive AND negative evidence.
Exam pitfall

All frameworks require log review

NIST SP 800-92, GLBA and SOX (like HIPAA, PCI DSS) all stress log management and review. To the trick question asking which one does NOT require it, the answer is: they all do. Knowing what is happening and what has happened enables action (offense informs defense, a CIS tenet).

Exam pitfall

Statistical vs judgmental sampling

Statistical sampling infers a control's performance via probability over the whole population. Judgmental (purposive/authoritative) sampling rests on the assessor's judgment, prioritising the riskiest items. Don't confuse the basis (probability) with the criterion (judgment).

Checkpoint — Knowledge check

  1. All major frameworks stress logging. Which of the following does NOT require log management and review?

    • A NIST SP 800-92
    • B Gramm-Leach-Bliley Act (GLBA)
    • C Sarbanes-Oxley Act (SOX)
    • D They all do
    Answer & rationale

    Answer : D — They all do

    NIST SP 800-92, GLBA and SOX all stress effective and timely log management and review (offense informs defense, CIS). None is exempt.

  2. A tester creates an account, uses it for an authorised transaction, deletes it, then checks the logs. What test type is this?

    • A Substantive test
    • B Compliance test
    • C Misuse case test
    • D Synthetic transaction
    Answer & rationale

    Answer : A — Substantive test

    Testing the end-to-end proper operation of the process is a substantive test (more assurance, more resources). A compliance test would merely compare two lists to verify the control's existence.

Key takeaways

  • Three methods: testing, examination, interview, often combined.
  • Tailoring = refresh threat landscape, business logic, compliance.
  • Statistical (probability) vs judgmental (judgment, risk) sampling.
  • Compliance test = existence; substantive test = operation.
  • All frameworks require log review; secure and retain.
Module 3 Objective 6.2 120 min Intermediate

Vulnerability assessment and penetration testing

Prerequisites : Modules 1-2; threat and vulnerability notions (Domain 1).

This module covers the two pillars of offensive testing: vulnerability assessment, which identifies known weaknesses, and ethical penetration testing, which attempts to exploit them within a strict legal frame. It addresses CVSS, rules of engagement, box testing, red/blue/purple teams, the five-phase methodology and continuous testing approaches (BAS, chaos engineering).

Learning objectives

  • Run a vulnerability assessment and interpret a CVSS score.
  • Scope ethical penetration testing (RoE, scope, blind/double-blind).
  • Distinguish black, gray and white box; red, blue and purple team.
  • Differentiate ethical penetration testing from ethical hacking.
  • Place continuous testing approaches (BAS, MITRE ATT&CK, chaos engineering).

Success criteria

  • I classify a CVSS score and derive a remediation priority.
  • I list the five phases of a pentest and the role of RoE.
  • I pick the box testing suited to an objective.

3.1 Vulnerability assessment and CVSS

CVSS severity scale from None to Critical
Figure 3.1 · CVSS: technical severity; EPSS adds exploitation probability.

Vulnerability assessment is an essential task in evaluating a system's security. A vulnerability is a weakness that, if exploited, could compromise the confidentiality, integrity or availability of an asset. Caution: the existence of a weakness does not mean it is exploitable by a threat. A vulnerability is not an exploit.

Vulnerability scanners automate the identification of known vulnerabilities in configurations, settings and software. They can be authenticated (with credentials, a more precise inside view) or unauthenticated (an external attacker's view). They also detect the use of insecure protocols like FTP - even if compensating controls (network segmentation, usage restriction) can mitigate the risk. Evaluating identified vulnerabilities means analysing their impact given the organisation's unique configurations and circumstances, and handling false positives (erroneous alerts).

To prioritise, use CVSS (Common Vulnerability Scoring System), which scores technical severity from 0 to 10: None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10). CVSS measures intrinsic severity; it pairs usefully with EPSS, which estimates the probability of exploitation. Typical SLA prioritisation reserves the shortest deadlines for Critical and High vulnerabilities.

Key terms Vulnerability Authenticated scan CVSS EPSS False positive
Key points
  • A vulnerability is not an exploit (weakness vs real exploitability).
  • Authenticated scanner (inside view) vs unauthenticated (attacker view).
  • CVSS: None/Low/Medium/High/Critical, technical severity 0-10.
  • CVSS (severity) + EPSS (probability) = better prioritisation.
  • Handle false positives and compensating controls.

3.2 Ethical penetration testing: RoE and scope

The five phases of a pentest and the knowledge levels
Figure 3.2 · Penetration testing: methodology, box testing and team colours.

Penetration testing simulates a threat actor's actions using information the actor would have. It is a controlled process, governed by Rules of Engagement (RoE) detailing the circumstances of the attempt. Useful to determine whether controls are effective, it poses significant risk if poorly conducted. RoE define scope, methods, constraints, the individuals authorising the test, incident reporting procedures and liability limits.

Key legal point: without a signed contract, the tester faces criminal and civil charges in many jurisdictions, and can be held liable for disruptions caused. Hence the term ethical penetration testing: the test is tied to a contractual, legal and ethical basis. Sophisticated attackers use the same techniques, but their intent makes their activity unethical and probably illegal. The code of ethics requires the tester not to disclose their activities and findings without the sponsor's written consent, on top of contractual NDAs.

Scope depends on objectives. PCI DSS, for instance, may require covering the cardholder data environment and demand both network AND application testing. Other scenarios include a wireless component, social engineering or physical intrusion. The test may be blind (the tester is blind to technical details) or double-blind (the defending team - the blue team - is also not warned), which exercises detection and response but requires deconfliction if the defenders discover the test.

Key terms Rules of Engagement Ethical penetration testing Blind / double-blind Scope Deconfliction
Key points
  • RoE define scope, authorisation, reporting, liability.
  • Without a signed contract: criminal and civil risk for the tester.
  • Ethical = contractual/legal/ethical basis; same techniques as the attacker.
  • Blind = tester blind; double-blind = blue team not warned.
  • Scope follows objectives (network, app, wireless, social, physical).

3.3 Box testing and the five-phase methodology

Black box, gray box and white box by tester knowledge
Figure 3.3 · Box testing varies with the knowledge granted to the tester.

The level of knowledge granted to the tester defines the box testing type. White-box (or crystal-box) gives full knowledge of the system (IP addresses, versions): maximum coverage, mimics an insider threat, fastest and often cheapest, but controls that hide information from outsiders (like NAT) are not assessed. Black-box grants no knowledge: the tester runs reconnaissance, which confirms controls meant to conceal information, at the risk of missing assets. Gray-box blends the two: partial information, the tester discovers the rest. Reminder: a real attacker is not constrained by time or billing, unlike the tester whose contract lasts a few weeks.

The methodology follows five phases. 1) Chartering: drafting RoE, formal risk assessment, integration into the contract if third party. 2) Discovery: reconnaissance to map the environment (sometimes unnecessary if the RoE already define the systems). 3) Scanning: identifying and fingerprinting weaknesses to craft exploits. 4) Exploitation: delivering the exploit and documenting; when withdrawing, the tester ensures they do not increase the risk of exploitation by a malicious actor. 5) Reporting: compiling activities, executive summary, recommendations, returning all material (including credentials obtained). There is no single standard: the exact sequence must be documented in the RoE.

Key terms White / crystal box Black box Gray box Chartering Exploitation
Key points
  • White box = full knowledge (fast, NAT not tested); black box = blind; gray box = hybrid.
  • 5 phases: Chartering, Discovery, Scanning, Exploitation, Reporting.
  • The attacker has no time constraint; the tester does.
  • Return all material, including credentials obtained.
  • No single standard: document the sequence in the RoE.

3.4 Red, blue, purple team and ethical hacking

Red, blue and purple teams and their roles
Figure 3.4 · Red attacks, blue defends, purple makes both collaborate.

Depending on objectives (e.g. response readiness), several teams take part. The red team simulates a malicious attacker to assess security posture: its goal is to identify vulnerabilities, exploit weaknesses and gauge the effectiveness of existing measures. The blue team represents the defenders (internal security team): it monitors, detects and responds to the simulated attacks, evaluating defensive strategies, incident response capabilities and resilience. The purple team combines both: it fosters collaboration and knowledge sharing between attackers and defenders, to close defensive gaps and recommend improvements.

Ethical penetration testing should not be confused with ethical hacking, which gathers the efforts of amateur or professional researchers to probe and detect vulnerabilities. Bug bounty programs encourage these informal attempts: hacking is ethical there as long as the researcher respects the program's terms and does not disclose results to third parties. Google Project Zero is an emblematic example. The legal context matters: in the US, DMCA section 1201 makes circumventing digital protections an offence, limiting independent evaluation of cryptographic protections.

Key terms Red team Blue team Purple team Bug bounty DMCA 1201
Key points
  • Red = attack; blue = defence; purple = collaboration of both.
  • Ethical hacking (bug bounty, Project Zero) != ethical penetration testing.
  • Hacking stays ethical if it respects terms and does not disclose.
  • DMCA 1201 limits independent evaluation of protections.

3.5 Continuous testing: BAS, ATT&CK, chaos engineering

Attack chain emulated by continuous testing and BAS
Figure 3.5 · BAS and ATT&CK emulate the attack chain continuously.

A penetration test is a point-in-time activity: it reflects one set of tests at a moment, while the environment and threats evolve fast. Several continuous testing approaches complement the frameworks that expect continuous monitoring.

MITRE ATT&CK, a knowledge base of adversary tactics and techniques, helps test resilience by emulating attacker behaviour. Breach and attack simulation (BAS) tools automate these tests to run continuously against the infrastructure; coupled with threat intelligence and integrated with change management, they offer a different level of assurance than traditional pentesting. BAS combines vulnerability scanning and automated penetration testing, with a constantly updated attack database. It enables more frequent testing than quarterly scans or annual pentests: if a simulated attack is blocked, controls work; if it succeeds, it signals a deficient control or a new risk.

Chaos engineering forces production systems to fail to evaluate detection, response and recovery capabilities. Its no-notice tests heavily stress people and systems: teams are not warned and treat the outage as a real attack. Handle with care: many systems are not engineered to withstand a production shutdown without cost, and the approach does not simulate a true attacker (disruptions are scripted by insiders).

Key terms MITRE ATT&CK Breach and Attack Simulation Chaos engineering Point-in-time
Key points
  • The pentest is point-in-time; continuous testing fills the gap.
  • BAS = scan + automated pentest, continuous, updated attack database.
  • MITRE ATT&CK emulates adversary behaviour.
  • Chaos engineering = no-notice, stresses systems, does not simulate a true attacker.

Case studies

Case · Case study: Coalfire vs Iowa

When a physical pentest goes wrong

Context : Coalfire, engaged by the State of Iowa, runs physical pentests on municipal buildings. After two courthouses tested successfully, two employees are arrested at the Dallas County courthouse in September 2019, charged with burglary. A contract existed at state level but had not been communicated to the individual counties. All charges are eventually dropped in January 2020.

Question : What type of pentest was being run? From the company's view, where did it go wrong, and what should have been done? (6.2.2)

Topics covered RoE and legal authorisationPhysical pentest and social engineeringCommunication and contingency
Show analysis and answer

It is a physical pentest with a social engineering component. The company's mistake: failing to communicate the test to all relevant authorities - the contract existed at state level but not at county level. The absence of incidents in prior tests may have been luck or prior notice to other counties. Testers should have known that some alarms are silent and others audible; once the alarm tripped, they should have stayed outside, waited for police and presented their letter of authority, rather than entering. Central lesson: clear communication and contingency processes are essential to any pentest. Without a properly disseminated contract, the tester faces criminal exposure.

Takeaway : A pentest, especially physical, needs RoE disseminated to all parties and a contingency plan; without that, even a valid contract does not prevent arrest.

Key learning points
  • Disseminate RoE to ALL relevant authorities.
  • On alarm, stop and present authorisation, do not enter.
  • An existing contract is not enough if not communicated.
Case · Applied Scenario: Waxbill UAV (Part 1)

Choosing the right pentest for MLZ Systems

Context : Lee, from Swinkler Security, reports to MLZ Systems that he could freely access several sensitive sites without showing ID, photograph documents and find unlocked workstations. He recommends a formal, structured penetration test of all MLZ and partner sites.

Question : What did Lee do? Which pentest is appropriate (internal/external), which box, is social engineering required, and who receives the report? (6.1.1-4, 6.2.2)

Topics covered Internal vs external vs bothBox testing and social engineeringRoE content and report recipients
Show analysis and answer

Lee ran an informal security reconnaissance (not a formal, scheduled or fully ethical pentest), but useful to know. The appropriate pentest is both internal AND external, because the findings may reveal a larger, still-invisible problem. The best approach is white-box: fastest, cheapest and most complete here. Social engineering is required, since it was a security failure at Lee's point of entry that triggered the need. RoE must include type and scope, client contacts, a communication plan, timelines, meetings and reports - but NOT the list of tools or the testers' identities. The report goes to senior staff and security at MLZ and its partners, not the public or customers; excerpts may appear in a SOC 2 report on request.

Takeaway : Informal reconnaissance != formal pentest; here internal+external, white-box, social engineering included; RoE exclude tools and tester identities; the report stays confidential.

Key learning points
  • RoE do not include tools or tester identities.
  • A pentest report is confidential (not public, not for customers).
  • White-box = fastest and most complete when you want the best result.
Exam pitfall

A vulnerability is not an exploit

The existence of a weakness does not guarantee a threat can exploit it effectively. Vulnerability assessment identifies weaknesses; penetration testing attempts to exploit them. The scanner flags, the pentest proves exploitability.

Exam pitfall

Ethical hacking vs ethical penetration testing

Ethical penetration testing is contractually legal, governed by RoE. Ethical hacking (bug bounty, Project Zero) is more informal: it stays ethical as long as the researcher respects the terms and does not disclose. Don't confuse the pentest's strict contractual frame with vulnerability research.

Exam pitfall

White-box does not test NAT

White-box gives the tester everything: maximum coverage and insider simulation, but controls meant to hide information from outsiders (like NAT) are not assessed. Black-box, by contrast, confirms these concealment controls, at the risk of missing assets.

Checkpoint — Knowledge check

  1. What is the primary goal of a red team exercise in penetration testing?

    • A Simulate a threat actor's actions and identify vulnerabilities
    • B Monitor and respond to simulated attacks
    • C Collaborate with defenders for overall security enhancement
    • D Conduct a controlled process with clearly defined RoE
    Answer & rationale

    Answer : A — Simulate a threat actor's actions and identify vulnerabilities

    The red team simulates a malicious attacker to identify vulnerabilities, exploit weaknesses and gauge controls. Monitoring/responding = blue team; collaborating = purple team; the RoE-controlled process is a general pentest trait, not the red team's specific goal.

  2. A vulnerability receives a CVSS score of 9.4. What interpretation and priority?

    • A Critical: top remediation priority, shortest deadline
    • B Medium: handle within 90 days
    • C Low: negligible risk
    • D CVSS measures exploitation probability, not severity
    Answer & rationale

    Answer : A — Critical: top remediation priority, shortest deadline

    9.0-10 = Critical on the CVSS scale: maximum technical severity, top remediation priority. CVSS measures severity; EPSS estimates exploitation probability.

Key takeaways

  • Vulnerability assessment identifies; pentest exploits. A vuln is not an exploit.
  • CVSS scores severity (0-10); EPSS adds probability.
  • RoE essential; without a signed contract, criminal risk.
  • White/gray/black box by knowledge; red/blue/purple by role.
  • Continuous testing: BAS, MITRE ATT&CK, chaos engineering complement the pentest.
Module 4 Objective 6.2 120 min Intermediate

Code review and software testing

Prerequisites : Modules 1-3; SDLC notions (Domain 8).

Code is the foundation of information systems: its review and testing are a crucial security control. This module covers code review (SAST, DAST, manual review), security-oriented tests (misuse case, negative testing), coverage measurement, interface testing, and monitoring techniques (synthetic transactions vs RUM).

Learning objectives

  • Distinguish SAST, DAST and IAST, and manual review.
  • Differentiate misuse case testing from negative testing.
  • Interpret test coverage (statement, branch, path...).
  • Run interface testing (UI, API).
  • Distinguish synthetic transactions from RUM.

Success criteria

  • I place SAST vs DAST in the SDLC.
  • I pick the right software test type from a symptom.
  • I explain why 100% coverage is rarely reached.

4.1 Code review: objectives and SAST / DAST

Comparison of SAST, DAST and IAST in the development cycle
Figure 4.1 · SAST analyses code at rest, DAST the running app, IAST combines both.

Code review, more precisely source code analysis and review, aims to verify six things: all required functions exist; no foreign code is present; no dead or unreachable code remains; no backdoors or trapdoors; coding standards are met; all code is of trustworthy provenance. These objectives are not for development only: they assume rigorous configuration management, without which dead code can be reactivated and made exploitable by a small change elsewhere.

Testing can be manual (code peer review: a developer reviews a peer's work) or automated. Two families dominate. SAST (static application security testing) analyses code AT REST, without executing it: it models execution to detect buffer overflow, inconsistent data conditions, misuse of templates, outdated libraries, misconfigurations. It is a white-box approach, ideal for shift-left. DAST (dynamic analysis) tests the program WHILE RUNNING to observe actual behaviour: a black-box approach. A variant exists on compiled binaries (static binary analysis), less precise than on source.

The shift-left philosophy (Agile, DevOps, DevSecOps) moves security tasks to the left of the project timeline: architecture review and threat modeling (prerequisites to testing, not testing) upstream, then SAST during development. ISO 27002 14.2.1 prescribes secure development rules and training in secure coding standards.

Key terms SAST DAST Code peer review Shift-left Threat modeling
Key points
  • 6 objectives: required functions, no foreign/dead/backdoor code, standards, provenance.
  • SAST = code at rest (white box); DAST = running app (black box).
  • Manual review (peer review) complements tools.
  • Shift-left: threat modeling and arch review upstream, SAST during dev.
  • Without configuration management, dead code can become exploitable again.

4.2 Misuse case and negative testing

Software test levels pyramid with cross-cutting tests
Figure 4.2 · Negative and misuse case add to the unit/integration/system/acceptance levels.

A use case describes an intentional way of using a system to accomplish authorised work. Misuse case testing examines the opposite assumption: a set of actions that could cause integrity failures, malfunctions or compromises, whether deliberate and malicious or accidental. It is built into test plans, often focusing on system behaviour facing unexpected field values (wrong format, data far from the expected input). Simple example: a user enters their phone number in a field meant for their name. Modelling hostile agents and their misuse cases focuses the security professional's attention.

Negative testing, in contrast to a positive test (which checks the system works as expected and fails on any error), provides evidence of application behaviour facing invalid or unexpected data. Any provocation of failure should surface in testing rather than in production. The optimal response to a negative test is to gracefully reject the data without crashing. It is optimal to combine positive and negative tests.

Don't confuse the two: negative testing detects crashes in different situations; misuse case takes a hostile actor's viewpoint. Safety-critical systems blur the line (fail-safe requirement). Advances in automated testing, like fuzz testing (mutation or generation of inputs), allow tens of thousands of cases at the edges of the system's acceptable envelope - for owners and attackers alike.

Key terms Misuse case testing Negative testing Positive test Fuzz testing
Key points
  • Misuse case = hostile viewpoint (deliberate or accidental).
  • Negative test = invalid data, graceful rejection without crash.
  • Positive + negative = thorough behaviour examination.
  • Fuzzing (mutation/generation) automates edge cases.

4.3 Test coverage and test levels

Pyramid unit, integration, system, acceptance
Figure 4.3 · The four software test levels, from unit to acceptance.

The level of structural testing is measured by coverage metrics, which indicate the percentage of the software structure evaluated. By convention, speaking of coverage implies 100%: statement coverage means 100% of statements have been executed at least once. The main types: statement coverage (each statement at least once, insufficient alone); decision/branch coverage (each branch takes each outcome, minimum for most software, insufficient for high-integrity); condition coverage (each condition takes all its values); multi-condition coverage (all combinations of conditions); loop coverage (loops run zero, one, two and many times); path coverage (each feasible path, rarely achievable given the number of paths); data flow coverage (each feasible data flow). The target level should be proportionate to the software's risk.

Tests are also structured by level: unit (smallest isolated component), integration (modules together), system (whole system end to end) and acceptance (UAT, validation against business needs). Add cross-cutting tests: regression (verify a change broke nothing), positive, negative, and white-box / black-box approaches. Reaching 100% coverage is rarely realistic: cost and time-to-market pressure make it hard, especially on large code, even if not strictly impossible.

Key terms Statement coverage Branch coverage Path coverage Regression testing Acceptance (UAT)
Key points
  • Coverage = 100% by convention; statement < branch < path in demand.
  • Coverage level proportionate to software risk.
  • Levels: unit, integration, system, acceptance (UAT).
  • Cross-cutting: regression, positive, negative, white/black box.
  • 100% coverage rarely reached (cost, time-to-market).

4.4 Interface testing

SDLC models where interface and system tests fit
Figure 4.4 · Interface testing fits into standard development testing.

An interface is a point of interaction with a system. Examples: the UI (human interaction, GUI with windows and menus, or command-line CLI) and APIs (system-to-system communication: REST for the web, IPC, RPC). Evaluating the functionality and security of interfaces is a crucial aspect of system testing: security controls must be implemented in them to ensure confidentiality (access controls) and non-repudiation (logging of actions). Interface testing is part of standard development testing and plays a role in security activities (vulnerability assessments, pentests, breach simulations).

Interface testing verifies that components (software and hardware) pass data and control to each other correctly, per their design. It differs from integration testing: it checks that distinct components are in sync and that functions like data transfer happen as designed. In particular, it verifies that application-server interactions execute correctly, that errors are properly handled, what happens if the user interrupts a transaction, or if a web server connection is reset. On the server side, it validates communication between web, application and database servers, and software/hardware/network compatibility. On external interfaces, it checks supported browsers and error conditions when the external application is unavailable.

Key terms Interface API Interface testing Non-repudiation
Key points
  • Interfaces: UI (GUI/CLI) and API (REST/RPC/IPC).
  • Interface testing != integration testing (sync and data transfer).
  • Interface security: access control (confidentiality) + logging (non-repudiation).
  • Checks error handling, interruptions, resets.

4.5 Synthetic transactions and RUM

Passive RUM vs active synthetic transactions
Figure 4.5 · RUM observes real users; synthetic replays scripts.

To evaluate the performance, response time and availability of applications, sites and services, two complementary approaches exist.

Synthetic transactions are automated activities run against a monitored target to evaluate its performance. For a web application, this can be logging in with a test account to verify the response to login or queries. The term transactions does not mean only financial transactions: any system activity (DNS resolution, IP assignment via DHCP) qualifies. Synthetic performance monitoring (or proactive monitoring) has external agents run scripts following a typical user's steps (search, view a product, log in, pay). It is testing by scripts, not by live actions, which distinguishes it from other test forms. It covers website monitoring, database monitoring, TCP port monitoring and SLA validation, and runs 24/7 even with no real traffic.

RUM (real-user monitoring), also called real-user measurement or end-user experience monitoring (EUM), is by contrast a form of passive monitoring: it captures and analyses every transaction of every real user of a site or application. Top-down, client-side RUM (small JavaScript scripts or local agents) sees directly the experience the user lives and the link between site speed and satisfaction. RUM also applies to people-intensive operations (call centres). Synthetic and RUM complement each other: synthetic watches availability during low-traffic periods, RUM measures real experience.

Key terms Synthetic transactions Synthetic performance monitoring RUM EUM
Key points
  • Synthetic = automated scripts (active), 24/7 even without traffic.
  • RUM = passive, captures every real-user transaction.
  • Quiz cue: web test using scripts = synthetic.
  • Synthetic and RUM complement each other (availability vs real experience).

Case studies

Case · Activity (Bank UYT)

Choosing the right test from the symptom

Context : The Bank UYT team asks Prakash several software testing questions: (1) can 100% coverage be reached? (2) which test detects an out-of-bounds value entered in a field? (3) the web server displays SQL code during intermittent errors - which test would reveal it? (4) which test fixes a security issue?

Question : Answer the four questions with justification. (6.2.6-8, 6.2.1-10)

Topics covered Test coverage and its limitsMisuse case vs interface testingTesting identifies, remediation fixes
Show analysis and answer

(1) 100% coverage: the right answer is that total coverage, without fully automated testing, takes too long and costs too much to be practical - not strictly impossible, but push to market makes it hard on large code. (2) Out-of-bounds value entered by a user: misuse case test (tests incorrect use, accidental or deliberate); don't confuse with interface or synthetic. (3) SQL code leaking in an error message: interface testing - errors always occur, but the information in the message must stay minimal; returning SQL exposes the database's internal structure. (4) No test fixes a security issue: at best, a well-designed test identifies a problem; a remediation process must follow.

Takeaway : Misuse case = incorrect use; interface testing = leaks/errors at boundaries; no test fixes, it identifies. Remediation always follows testing.

Key learning points
  • 100% coverage: possible but often impractical (cost, time).
  • An out-of-bounds entered value = misuse case test.
  • An SQL leak in an error = interface testing.
  • No test fixes: remediation is always needed.
Exam pitfall

SAST vs DAST

SAST = static, code AT REST, no execution, white box (finds SQL injection, XSS, hardcoded secrets). DAST = dynamic, RUNNING application, black box. Fuzzing (mutation/generation) is a special case of DAST. Cue: S for Static (stopped), D for Dynamic (running).

Exam pitfall

Negative testing vs misuse case

Negative testing seeks crashes facing invalid data; the optimal response is a graceful rejection. Misuse case takes a hostile actor's viewpoint. They resemble each other but are not identical; safety-critical systems blur the line.

Exam pitfall

Synthetic transactions = test by scripts

Exam cue: a web application test relying on SCRIPTS rather than live actions is a synthetic transaction. Other forms (vulnerability, penetration) use live agents. RUM, by contrast, is passive and observes real users.

Checkpoint — Knowledge check

  1. What type of web application test relies on scripts rather than live actions?

    • A Synthetic
    • B Vulnerability
    • C Penetration
    • D Conformity
    Answer & rationale

    Answer : A — Synthetic

    Synthetic transactions have external agents run scripts following a typical user's steps. The other forms (vulnerability, penetration) use live agents; conformity testing validates against standards.

  2. After a fix, a battery of tests is rerun to ensure no existing functionality was broken. Which test?

    • A Regression testing
    • B Negative testing
    • C Acceptance testing
    • D Misuse case testing
    Answer & rationale

    Answer : A — Regression testing

    Regression testing verifies a change did not break existing functionality. Negative testing addresses invalid data, acceptance validates against business needs, misuse case takes the hostile viewpoint.

Key takeaways

  • SAST = code at rest (white box); DAST = running app (black box); IAST combines.
  • Misuse case (hostile) and negative (invalid data) are close but distinct.
  • Coverage = 100% by convention; rarely reached in practice.
  • Levels: unit, integration, system, acceptance; + regression, positive, negative.
  • Synthetic = active scripts; RUM = passive observation of real users.
Module 5 Objective 6.3 90 min Intermediate

Collecting security process data

Prerequisites : Domain 5 (IAM, AAA); Modules 1-2.

A security decision is only as good as its data. This module shows how to collect and manage process data from account management, management review, indicators (KPI/KRI) and backup verification, to drive data-driven security.

Learning objectives

  • Identify account management data to collect.
  • Scope management review and approval.
  • Distinguish KPI from KRI, metric from indicator.
  • Verify backup integrity.

Success criteria

  • I map an indicator to KPI (past) or KRI (future).
  • I describe how to verify a backup (test restore).
  • I list the inputs of a management review.

5.1 Account management and IAM review

IAM review: identity store, AAA and logs around access control
Figure 5.1 · The three data sources of the IAM review.

An account is the set of credentials used to access a resource. Since access control is the bedrock of IS security, collecting process data focuses first on account management. It supports business functions by: assigning account managers; setting conditions for group or role membership; specifying authorised users; requiring approval for authorisations (creating, enabling, modifying, disabling, removing access); monitoring account usage; notifying the manager when access is no longer needed; reviewing accounts for compliance. Access control is an example of a blended control: policies enforced by procedures, implemented by technology, sometimes with physical controls (badges, smart cards).

IAM review rests on three central information sets. The identity store is the centralised repository of all information about an identity; it also records decisions to grant, remove or downgrade permissions. The integrated IAM system maintains its authentication and authorisation databases (the 3rd A of AAA: authentication, authorization, accounting). System and application logs, monitoring agents and sensors record indicators of user actions. User behaviour modelling can detect indicators triggering account reviews. As jobs change and, ultimately, people leave, accesses are modified, disabled, deprovisioned then deleted. Auditing these sources provides rich material for security assessment.

Key terms Account management Identity store AAA User behavior modeling
Key points
  • Access control is the bedrock: start with account management.
  • Approval required to create/enable/modify/disable/remove access.
  • Three IAM sources: identity store, AAA system, logs/monitoring.
  • Access control = blended control (policy + tech + physical).

5.2 Management review and approval

PDCA cycle supporting the continual process improvement of management review
Figure 5.2 · Management review feeds continual process improvement (PDCA).

Management is responsible for defining and executing the organisation's mission, including security and privacy. To ensure controls reduce risk to an acceptable level, it conducts reviews and approves security process data. ISO 27001 requires top management to review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness - an expectation echoed by NIST, ITIL and COBIT 5.

Management review should include (but not be limited to): exemptions from normal activities, information from previous reviews, ongoing outcome metrics, audit results, whether security objectives have been met, feedback from interested parties, and risk assessment reporting with the treatment plan. The goal is to support continual process improvement. Many organisations still rely on subjective judgments to prioritise, whereas major frameworks require statistical methods, metrics and benchmarks - which assumes logging and monitoring provide the necessary data-driven information.

System owners have similar responsibilities for their own stores: they identify their risk tolerance, compliance obligations, and decide to authorise a system's use. They are essential to determine whether selected controls meet their objectives. Environment changes (new business lines, systems, compliance, mergers/acquisitions) can affect control effectiveness, hence continuous monitoring generating metrics and indicators.

Key terms Management review Continual process improvement System owner Data-driven
Key points
  • Management reviews and approves to keep controls effective.
  • ISO 27001: ISMS review at planned intervals (suitability, adequacy, effectiveness).
  • Inputs: exemptions, audits, metrics, objectives, feedback, risk.
  • Data-driven decisions > subjective judgment.

5.3 KPI and KRI: measuring the past and anticipating the future

KPIs looking back and KRIs looking forward
Figure 5.3 · KPIs measure the past, KRIs anticipate future risks.

You only manage well what you measure. Security metrics serve as key performance indicators (KPI) and key risk indicators (KRI). Mind the metric vs indicator distinction: a metric is a plain measurement (the number of patches applied), while an indicator uses metrics and provides context (an indication). Example: the ratio of patched endpoints to the total is an indicator of patch management effectiveness; if you expect 100% coverage by D+7 and the figure is below, the indicator signals corrective action.

KPI and KRI differ in their time orientation. KPIs look at the past: the activity already happened, were goals met? They help correct future actions, can reveal underperforming segments, justify rewards and reassure a client base. KRIs look at the future: they capture how the changing risk landscape might affect the organisation, using modelling, analysis or educated estimation. They allow assessing a risk's likelihood and triggering proactive action - for example, a rise in malicious traffic volume blocked by a firewall may indicate the need to upgrade it before it is overwhelmed. KRIs often support long-term decisions (budget, resources) and must be reviewed via formal change management when risk evolves.

Key terms KPI KRI Metrique Indicateur
Key points
  • Metric = measurement; indicator = metric + context.
  • KPI = past (goals met?); KRI = future (emerging risk).
  • KRIs trigger proactive action (e.g. firewall upgrade).
  • Review KRIs via change management when risk changes.

5.4 Backup verification and availability services

Backup activities producing artifacts for the auditor
Figure 5.4 · Backup verification produces artifacts for the audit.

Availability services are another source of process data, because their performance drives the organisation's ability to meet its commitments and compliance obligations. Availability data is routinely audited.

Data and system backups are essential integrity and availability controls. The first step is to identify critical data and systems, then design a backup strategy suited to recovery needs. Once procedures are in place, it is crucial to verify the integrity of the backup PROCESS AND the backed-up data. Both are evaluated by a test restore from the backup media, to ensure all required data is present and readable. If data is missing, it may indicate misconfiguration (excluded directories or systems) or media corruption. Some backup systems include automatic integrity checking, generate alerts on loss and retry the backup.

On compliance, ISO 27001 Annex A:12.3 is the principal control, but the need for backup appears across many controls. FIPS 200 covers the Contingency Planning (CP) and Media Protection (MP) families. HIPAA requires both a data backup plan and a business contingency plan, and the Availability TSC criterion sets similar expectations for a SOC 2. Developing an availability programme extends risk management practice: execution is IT's job, but it is directed by the risk of data loss or failure.

Key terms Test restore Backup integrity ISO 27001 A.12.3 Availability services
Key points
  • Verify integrity of the PROCESS and the DATA via a test restore.
  • Missing data = misconfiguration or corrupted media.
  • ISO A.12.3, FIPS 200 (CP/MP), HIPAA, TSC Availability.
  • The availability programme is risk-driven, IT-executed.

Case studies

Case · Activity (Bank UYT)

What should management review be based on?

Context : Prakash notices that at Bank UYT, the prioritisation of management review and approval activities is not always based on reliable metrics.

Question : To support continual process improvement and best practice, what should management review and approval include? (6.3.2)

Topics covered Management review inputsData-driven decisionsContinual process improvement
Show analysis and answer

Management review should include, but not be limited to: exemptions from normal activities; information from previous reviews; ongoing outcome metrics; audit results; whether security objectives have been met; feedback from interested parties; risk assessment reporting and the treatment plan. Relying on statistical methods, metrics and benchmarks - rather than subjective judgments - is what major frameworks demand. This assumes logging and monitoring tools provide the data-driven information needed for reliable prioritisation.

Takeaway : Effective management review relies on documented metrics, audits, objectives and risks, not impressions; logging provides the data-driven material.

Key learning points
  • List inputs: exemptions, audits, metrics, objectives, feedback, risk.
  • Prioritise on data, not subjective judgments.
  • Logging feeds data-driven decisions.
Exam pitfall

KPI vs KRI

KRIs monitor emerging risks (forward-looking, proactive). KPIs measure goal achievement (backward-looking). Classic trap: assigning KRIs the role of measuring goal achievement - that is the KPI's role. A KRI warns early of a risk, not of team performance.

Exam pitfall

Verify the backup, not just run it

Backing up is not enough: you must verify via a test restore that data is present AND readable, and that the process itself has integrity. Missing data reveals faulty config (exclusions) or corrupted media.

Checkpoint — Knowledge check

  1. Which statement is true of key risk indicators (KRIs)?

    • A KRIs monitor emerging risks
    • B KRIs show whether goals have been met
    • C KRIs shed light on performance metrics
    • D KRIs alert when team metrics have not been met
    Answer & rationale

    Answer : A — KRIs monitor emerging risks

    KRIs are designed to track and early-warn on emerging risks. Showing goal achievement is the KPIs' role. KRIs are neither performance metrics nor team alerts.

  2. How do you reliably verify a backup is usable?

    • A Perform a test restore from the media and check that data is present and readable
    • B Check that the backup job finished without error
    • C Compare the backup file size to the day before
    • D Look at the retention schedule
    Answer & rationale

    Answer : A — Perform a test restore from the media and check that data is present and readable

    Only a test restore proves the integrity of the process AND the data. A finished job, a size or a schedule do not guarantee data is present and readable.

Key takeaways

  • Account management is the bedrock; three IAM sources (identity store, AAA, logs).
  • Management review approves on metrics, audits, objectives, risks.
  • Metric = measurement; indicator = metric + context.
  • KPI = past (goals); KRI = future (emerging risk, proactive).
  • Verify backups via test restore (process AND data).
Module 6 Objective 6.3 90 min Intermediate

SETA and continuity testing (BC/DR)

Prerequisites : Module 5; BC/DR notions (Domain 7).

Users are both a high-value target and a critical line of defence; and an organisation's resilience is proven by testing its plans. This module covers SETA programmes (security education, training, awareness) and continuity and recovery testing (BC/DR), from desk check to full cutover.

Learning objectives

  • Distinguish education, training and awareness.
  • Run a needs assessment and evaluate a SETA programme.
  • Differentiate BC and DR.
  • Rank BC/DR tests by increasing complexity.

Success criteria

  • I place education vs training vs awareness.
  • I order desk check, walk-through, tabletop, simulation, parallel, full cutover.
  • I label an evacuation drill as a walk-through.

6.1 SETA: education, training, awareness

Progressive, continuous SETA programme feeding security posture
Figure 6.1 · Education, training and awareness: three levers of the human factor.

The security environment changes fast: establishing and maintaining a security education, training and awareness (SETA) programme is vital, because users are both a critical line of defence and a high-value target. The three activities differ. Education presents a body of knowledge applicable to a broad range of problems; as the body evolves fast, a professional's education never stops (ISC2 members must demonstrate continuing education). Training targets acquiring specific knowledge to perform a task (configuring and using a technology or control correctly). Awareness is more general: NIST SP 800-50 distinguishes the two by saying training teaches skills, while awareness focuses attention on an issue.

A SETA's structure and effectiveness depend on the organisation's policy and strategy. A needs assessment, initial and continuous, determines the training strategy and justifies resource allocation. It must involve key roles with specific training needs: executive management (understand directives and laws), security personnel (experts in policy and best practices), system owners (strong understanding of controls), system administrators and IT support (technical knowledge), operational managers and users (awareness and rules of behaviour). FIPS 200 identifies the Awareness and Training (AT) family; ISO 27001 A.7.2.2 has a similar expectation.

Evaluating effectiveness is hard: counting attendees shows no behaviour change. Anti-phishing campaigns, which send fake emails and track responses, are one way to quantify the effect. Successful SETA programmes have meaningful evaluation measures (completion rates, long-term retention, coverage, audience tailoring), reused for retraining and re-evaluation.

Key terms Education Training Awareness Needs assessment Anti-phishing
Key points
  • Education (broad) < training (skill/task) < awareness (attention).
  • NIST SP 800-50: training teaches, awareness focuses.
  • The needs assessment targets each role (exec, security, owners, admins, users).
  • Audience tailoring = relevance and effectiveness (SETA answer).
  • Measure effectiveness: anti-phishing, completion, retention, coverage.

6.2 BC and DR: two distinct processes

Progressive BC/DR test program from desk check to full cutover
Figure 6.2 · BC sustains the business, DR restores IT; both are tested.

Disaster recovery (DR) and business continuity (BC) are often paired but distinct. DR means planning and implementing strategies to restore IT systems, data and operations after a disaster (natural disaster, cyberattack, hardware failure): it ensures quick recovery and minimises downtime, protecting data integrity and business functionality. BC focuses on maintaining essential business functions during and after a disaster: it goes beyond IT (employee safety, communication protocols, alternative work sites), to support core operations, customer service and limit financial losses. Together, BC and DR form the organisation's resilience.

Process data related to BC and DR is of great interest to controls assessors. Major standards expect risk-driven BC/DR planning: NIST SP 800-34 (Contingency Planning Guide) charts a road map; ISO 27031 addresses IS continuity and aligns with ISO 22301 (Business Continuity Management Systems). Many sectors (finance, nuclear, aviation, critical infrastructure) impose high resilience expectations, sometimes with a regular, documented full-scale demonstration.

A well-established dictum reminds us that the disaster you get is never the one you plan for. The plan, as an artifact, demonstrates commitment, but the true test is showing the organisation can execute it. Hence the importance of training teams in conducting recovery, with progressive complexity and breadth.

Key terms Disaster Recovery Business Continuity NIST SP 800-34 ISO 22301
Key points
  • DR = restore IT/data; BC = sustain the business (beyond IT).
  • Risk-driven BC/DR planning (BIA).
  • Standards: NIST SP 800-34, ISO 27031, ISO 22301.
  • The plan proves commitment; the test proves execution.

6.3 Testing BC/DR plans: from desk check to full cutover

Six levels of BC/DR tests with increasing complexity
Figure 6.3 · The six BC/DR test levels, from least to most disruptive.

BC/DR testing and training is process data of first interest to the assessor: it demonstrates control effectiveness and feeds continual improvement. The training programme should progress in complexity and organisational breadth, each successful event preparing the next. A typical progressive programme is ordered as follows.

The desk check: each member reviews operational documentation, rosters, their availability and their version of the DR plan; expected result: everyone has a current plan. The walk-through: using manuals, DR teams explain their roles and activities; result: they understand their role relative to each other and deconflict overlaps. The tabletop exercise: team leaders are presented a disaster scenario and discuss their response; result: deconfliction of roles and identification of major plan weaknesses. The simulation: a disaster is simulated OUTSIDE the production environment, DR activities are performed there; result: demonstration of recovery capabilities within the scenario context. The parallel: a disaster is simulated while production continues; result: demonstration of full recovery without disrupting production. The full cutover (full-interruption): a disaster is invoked that actually affects production; result: recovery of the production environment within established parameters.

Classic trap: a fire evacuation drill is a walk-through (step-by-step review of procedures without real-time execution), not a simulation. The results of these activities are documented and made available to assessors and other parties for process improvement.

Key terms Desk check Walk-through Tabletop Simulation Parallel Full cutover
Key points
  • Increasing order: desk check, walk-through, tabletop, simulation, parallel, full cutover.
  • Parallel = production kept up; full cutover = production affected.
  • Trap: a fire evacuation = walk-through, not a simulation.
  • Document results for continual improvement.

Case studies

Case · Case study: WannaCry

What WannaCry teaches about continuous testing and DR

Context : In May 2017, the WannaCry ransomware exploited the Windows EternalBlue vulnerability (a patch existed but many systems remained unpatched), spreading via phishing. It encrypts files and demands ransom. Global impact, including major disruption at the UK NHS. The response mobilised international cooperation.

Question : How does WannaCry underscore the importance of continuous pentesting, a well-defined DR, international BC and continuous user training? (6.2.2, 6.3.5, 6.3.6)

Topics covered Continuous pentesting and vulnerability assessmentDR beyond simple data restorationBC and international collaborationContinuous awareness against evolving threats
Show analysis and answer

WannaCry exploited unpatched systems: continuous pentesting and vulnerability assessment (beyond initial setup) are essential to identify and fix vulnerabilities before exploitation. DR: the attack not only encrypted data, it cut access to systems; a good DR plan must therefore cover restoring system FUNCTIONALITY, not just data recovery. BC: the global scale shows the importance of cross-border collaboration - sharing threat intelligence and coordinated responses mitigate the impact of widespread incidents. Training: threats evolve; continuous awareness keeps users informed of emerging vectors, beyond static sessions. A classic DR strategy weakness is dependence on a single point of failure.

Takeaway : Test continuously, design a DR covering functionality (not just data), cooperate internationally and train continuously: WannaCry illustrates all four.

Key learning points
  • Patching and testing continuously prevents exploitation of known vulnerabilities.
  • A DR must restore functionality, not just data.
  • Dependence on a single point of failure is a DR weakness.
Case · Applied Scenario: Waxbill UAV (Part 2)

Testing MLZ's recovery plan

Context : MLZ's CSO is worried about the state of the Disaster Recovery Plan (DRP) after hearing a peer's difficulties. He urges management to prioritise collecting DRP-related process data: risk reduction, financial protection, operational continuity, compliance.

Question : What is the purpose of regularly testing a DRP, what is a typical DR strategy weakness, and what to consider when updating it?

Topics covered Purpose of DRP testingSingle point of failurePlan update and alignment
Show analysis and answer

The purpose of regularly testing a DRP is to identify and fix weaknesses; the overall aim is to minimise the impact of a disruption and return to an acceptable level of performance after a disaster. A typical weakness is dependence on a single point of failure: based on each system's business impact analysis, continuity activities reduce the likelihood and consequence of a failure. When updating a DRP, it must be regularly reviewed and aligned with changes: documenting these activities is process data that feeds continual improvement and demonstrates effectiveness to assessors.

Takeaway : Testing a DRP serves to find weaknesses; avoid the single point of failure; regularly review and align the plan with changes.

Key learning points
  • Testing a DRP identifies and fixes weaknesses.
  • The single point of failure is the weakness to hunt.
  • Review the plan regularly and align it with changes.
Exam pitfall

A fire evacuation is a walk-through

In the BC/DR context, a fire evacuation drill is a walk-through: a step-by-step review of procedures without real-time execution. It is neither a tabletop (in-room discussion), nor a simulation (replica of real conditions off production), nor a parallel.

Exam pitfall

Parallel vs full cutover

The parallel test simulates a disaster while KEEPING production up: recovery is demonstrated without interruption. The full cutover (full-interruption) really switches over and AFFECTS production. Full cutover is the most realistic but riskiest.

Exam pitfall

Training teaches, awareness focuses

NIST SP 800-50: training teaches skills to perform a function; awareness focuses attention on an issue. Education conveys a broad body of knowledge. Tailoring to the audience ensures relevance and effectiveness.

Checkpoint — Knowledge check

  1. In a BC/DR testing program, what form is a building fire evacuation?

    • A Walk-through
    • B Parallel
    • C Tabletop
    • D Simulation
    Answer & rationale

    Answer : A — Walk-through

    A fire evacuation is a walk-through: a step-by-step review of procedures, without real-time execution. Parallel compares primary/backup systems, tabletop is an in-room discussion, simulation replicates real conditions in an orchestrated way.

  2. Why establish and maintain a security awareness, education and training program?

    • A Tailoring training to audience needs ensures relevance and effectiveness
    • B Users are only a potential target for attacks
    • C Users are not critical in the defence against attacks
    • D Long-term information retention is unnecessary
    Answer & rationale

    Answer : A — Tailoring training to audience needs ensures relevance and effectiveness

    Understanding audience needs allows tailoring the level and material, strengthening relevance and effectiveness. Users are both a target AND a critical line of defence, and long-term retention is essential.

Key takeaways

  • Education (broad), training (task), awareness (attention); tailor to the audience.
  • DR restores IT/data; BC sustains the business beyond IT.
  • Increasing BC/DR tests: desk check, walk-through, tabletop, simulation, parallel, full cutover.
  • Fire evacuation = walk-through; parallel keeps prod up, full cutover affects it.
  • Document tests for continual improvement and the assessor.
Module 7 Objective 6.4 95 min Advanced

Analyze test output and generate report

Prerequisites : Modules 1-6; change management (Domain 7).

Testing is pointless if you do not act on the results. This module covers remediation, continual improvement models (PDCA, Six Sigma), exception handling within risk tolerance, and ethical disclosure of vulnerabilities (full, responsible, non-disclosure), through to mandatory reporting and whistleblowing.

Learning objectives

  • Structure findings remediation (prioritisation, POA&M).
  • Apply a continual improvement model (PDCA, Six Sigma).
  • Manage exceptions within risk tolerance.
  • Apply ethical disclosure postures.

Success criteria

  • I describe the 4 PDCA steps.
  • I distinguish full, responsible and non-disclosure.
  • I know when an exception must be documented and reviewed.

7.1 Remediation and continual improvement

PDCA cycle in four steps Plan Do Check Act
Figure 7.1 · PDCA structures remediation and continual improvement.

The CISSP must establish a process, called remediation, to address findings from tests, assessments and audits. This mobilises project management skills: prioritise tasks, set timelines and milestones, track progress to completion. Audit findings can feed other parts of the programme (risk analysis): a deficient control reveals a poorly mitigated risk, which should trigger a review of the risk management process.

Control-environment changes fit a continual improvement approach. The most common model is PDCA (Plan-Do-Check-Act), also called the Shewhart or Deming wheel, in four steps. Plan: decide what needs to be done, set objectives and processes. Do: execute the plan (on a small scale). Check: evaluate results (statistical measures, observations, evaluations). Act (Adjust): from the Do and Check phases, identify root causes, reassess risk, reset the baseline; then the cycle restarts.

Six Sigma applies a similar five-step model (Define, Measure, Analyze, Improve, Control - DMAIC), repeated until the desired quality level. All major frameworks apply continual improvement to better align control performance with risk. Maturity (CMM) follows the same logic. No single model fits every organisation: tailoring considers culture, risk management, prioritisation, compliance and change management. Continual improvement is as much a mindset as a process.

Key terms Remediation PDCA Six Sigma CMM
Key points
  • Remediation is a project management process (priority, milestones, tracking).
  • A finding can feed risk analysis.
  • PDCA = Plan, Do, Check, Act (Deming/Shewhart wheel).
  • Six Sigma = DMAIC (5 steps); no universal model.

7.2 Exception handling

Exception handling fits within the improvement cycle
Figure 7.2 · Exceptions are temporary, documented and reviewed.

When a finding or indicator establishes that a control does not reach the agreed level of risk reduction, the usual response is to improve the control. In certain circumstances, the appropriate response is instead to adjust risk tolerance to align with control performance. The change management process must engage the system owner to determine the proper course.

When an evaluation reveals an issue that cannot be remediated, it must go through an exception process, modelled on policy exceptions (used when a system cannot meet a requirement). Exceptions may be granted, but only temporarily. If a permanent exception is requested, or if the same issue prompts repeated requests, it signals misalignment with the organisation's objectives, warranting updates to policies or governance decisions.

Concretely: if the situation is temporary and the system owner accepts the risk, change management documents the circumstances and flags the exception for review at an agreed date or event. If the owner refuses the additional risk, they must either resource the additional control or take other measures covering the new risk level. In all cases, exceptions must be documented, authorised and reviewed.

Key terms Exception Risk tolerance System owner Change management
Key points
  • Insufficient control: improve the control, or adjust risk tolerance.
  • Exceptions are temporary, never permanent by default.
  • A permanent/repeated request signals misalignment (revisit the policy).
  • Every exception: documented, authorised, reviewed.

7.3 Ethical disclosure of vulnerabilities

Three disclosure postures: full, responsible, nondisclosure
Figure 7.3 · The three vulnerability disclosure postures.

Web applications, sites and services likely contain vulnerabilities. A community of researchers works to identify and report them responsibly, before a malicious actor exploits them: this is ethical or responsible disclosure. Organisations with web resources must be ready to receive these often-unexpected reports from external people. Three postures coexist.

Full disclosure: whoever discovers a weakness publishes it as fast as possible to all affected parties. Its advocates argue that not disclosing everything immediately leaves organisations at risk, and that public embarrassment pushes vendors to fix. Responsible disclosure: the discoverer first reports to the responsible organisation and gives it time to fix before publication; the delay is debated, but the idea is supported by Linus Torvalds, Microsoft, Google. Nondisclosure: do not disclose, sometimes the only legal and ethical path, when agreements (NDA), an ongoing investigation, privacy rights or protected financial data require it; safe harbor programs tried to create sharing channels but run afoul of GDPR.

Project Zero (Google, 2014) illustrates responsible disclosure: the team passes details to the vendor and, with no patch within 90 days, makes the weakness public; over 95% are fixed within the window. In the US, the Vulnerabilities Equities Process (VEP) arbitrates, case by case, the disclosure of vulnerabilities known to agencies. Add mandatory reporting (legal duty to report certain circumstances, e.g. crimes involving minors) and whistleblowing (ethical reporting, variably protected by jurisdiction, hence the value of professional insurance). The professional must clarify the legal status of whistleblowing before any disclosure.

Key terms Full disclosure Responsible disclosure Nondisclosure Project Zero VEP Whistleblowing
Key points
  • Full = everything, at once; responsible = grace period for the vendor; nondisclosure = do not disclose.
  • Project Zero = 90-day responsible disclosure.
  • Nondisclosure sometimes the only legal path (NDA, investigation, GDPR).
  • Mandatory reporting (legal duty) != whistleblowing (ethical, variably protected).

Case studies

Case · Profile discussion (Bank UYT)

Setting up analysis and reporting

Context : After security testing, Prakash must analyse results and generate reports at Bank UYT, where no clear process existed. He asks his mentor to structure remediation, exception handling and ethical disclosure.

Question : How can Prakash prioritise remediation, handle exceptions and ethical disclosure, and ensure clear, actionable reports? (6.4.1-3)

Topics covered Remediation prioritisationException handlingEthical disclosure and audience-tailored reporting
Show analysis and answer

Prakash structures remediation as a project: prioritise by risk, set timelines and milestones, track to completion, and link findings to risk analysis. He sets up an exception process: any non-remediable issue is documented, authorised by the system owner, granted temporarily and reviewed at a deadline; a permanent or repeated request triggers a policy review. For ethical disclosure, he prepares the organisation to receive external reports and sets a posture (responsible disclosure by default, nondisclosure if law requires). On reporting, he tailors the level of detail to each audience, makes reports actionable (findings + recommendations), and relies on a continual improvement model (PDCA) to ensure a swift, effective response.

Takeaway : Prioritise by risk, document and review exceptions, choose a disclosure posture, and tailor reporting to the audience while keeping it actionable.

Key learning points
  • Link findings to risk analysis.
  • Exceptions: temporary, documented, authorised, reviewed.
  • Tailor report detail to each audience, keep it actionable.
Exam pitfall

PDCA: no 'Calculate'

PDCA = Plan, Do, Check, Act. A classic trap offers 'Calculate' as a step: it is wrong. Six Sigma, by contrast, uses five steps (Define, Measure, Analyze, Improve, Control - DMAIC).

Exam pitfall

No test fixes: remediation is needed

A test, at best, identifies a problem; it does not fix it. After the testing phase always comes remediation. Likewise, an exception does not solve the risk, it formalises it temporarily pending treatment.

Exam pitfall

Responsible vs full disclosure

Responsible disclosure gives the vendor a grace period (Project Zero: 90 days) before publication. Full disclosure publishes immediately. Nondisclosure applies when NDA, investigation, privacy or protected financial data require it. Don't confuse the three.

Checkpoint — Knowledge check

  1. PDCA is composed of four steps. Which is NOT one of them?

    • A Calculate
    • B Plan
    • C Do
    • D Act
    Answer & rationale

    Answer : A — Calculate

    PDCA = Plan, Do, Check, Act. 'Calculate' is not one of them. Check (evaluating results) is the step often confused.

  2. An external researcher reports a flaw to the vendor and gives 90 days before any publication. Which posture?

    • A Responsible disclosure
    • B Full disclosure
    • C Nondisclosure
    • D Mandatory reporting
    Answer & rationale

    Answer : A — Responsible disclosure

    Reporting to the vendor and granting a grace period before publication is responsible disclosure (Project Zero model, 90 days). Full disclosure publishes immediately; nondisclosure does not disclose; mandatory reporting is a legal duty to report.

Key takeaways

  • Remediation = project: prioritise, milestone, track; findings feed risk analysis.
  • PDCA (Plan-Do-Check-Act) and Six Sigma (DMAIC) structure continual improvement.
  • Exceptions: temporary, documented, authorised, reviewed.
  • Disclosure: full (immediate), responsible (grace period), nondisclosure (NDA/law).
  • Mandatory reporting (legal) and whistleblowing (ethical) complete disclosure.
Module 8 Objective 6.5 100 min Advanced

Conduct or facilitate security audits

Prerequisites : Modules 1-7; SOC reports from Module 1.

Audit is the formal culmination of security evaluation. This module covers internal audits (chartering, scoping, testing, reporting, remediating with POA&M), SOC audit preparation, external audits and their types, plus third-party audits, managed services and the supply chain.

Learning objectives

  • Conduct an internal audit through its phases.
  • Prepare a SOC audit (preparation phase, audit phase).
  • Identify external audit types.
  • Scope a third-party audit and managed services assessment.

Success criteria

  • I state the benefit and risk of an internal audit.
  • I order chartering, scoping, testing, reporting, remediating.
  • I link POA&M to deficiency remediation.

8.1 Internal audit and methodology

Audit as a formal review requiring independence
Figure 8.1 · Internal audit: familiar but watch for independence.

Assessments and audits can be conducted internally or by independent third parties. An independent evaluator gives more confidence in opinions, attestations and findings. Internal audit aims to determine whether controls meet the organisation's risk expectations; it also helps improve operational efficiency and prepare external audits. It is often conducted by the organisation itself (self-assessment), which demands rigour and a willingness to ask hard questions - many breached organisations discover their culture did not encourage this introspection.

Internal audit advantage: the auditors' familiarity with processes, tools and personnel. But that familiarity is also a risk: issues may be unintentionally overlooked, and the internal auditor may lack the independence for an objective assessment (temptation to downplay a major issue that would affect performance or relationships). Some organisations keep auditors on a separate team; for smaller ones, this is not always feasible.

The methodology follows phases. Chartering: management sponsors and resources the evaluation. Scoping: management determines depth, breadth, schedule, reporting format and who does the work (stakeholder engagement and risk assessment run throughout). Testing: conducting physical, technical and administrative controls (vulnerability assessment, penetration testing). Reporting: the report serves as a benchmark, a corrective tool or an artifact for external audit; the level of detail fits the audience, disclosure stays management's responsibility, and artifacts are protected. Remediating: associating results with corrective action; in the US, the Plan of Action and Milestones (POA&M) tracks the weakness, the proposed remediation, resources and schedule (NIST SP 800-37).

Key terms Internal audit Self-assessment Chartering POA&M
Key points
  • Internal audit: benefit = familiarity; risk = lack of independence.
  • Phases: chartering, scoping, testing, reporting, remediating.
  • Management sets the scope; disclosure is its responsibility.
  • POA&M tracks weakness, remediation, resources, schedule (NIST 800-37).

8.2 Preparing and conducting a SOC audit

SOC reports targeted by a two-phase SOC audit
Figure 8.2 · A first SOC audit: preparation (readiness) then formal audit.

For a service provider never audited before, preparing a first SOC examination typically follows two phases. The security professional plays a key advisory and execution role here.

The audit preparation phase begins by familiarising management and key personnel with the process and purpose of SOC examinations. The team then proceeds as with any major project: clearly establish schedule, scope and success criteria; determine the controls in the examination's scope, inventory current controls and identify missing ones; inventory documentation; use gap analysis techniques (readiness review) to identify and prioritise issues; develop and carry out recommendations to resolve discrepancies; verify resolution; and establish the audit and reporting approach best suited to external needs.

The audit phase starts once preparation is complete: the organisation is ready for its first formal audit. Having outside auditors examine the organisation in detail can be disruptive; good planning reduces it. It requires sound project management: build a detailed audit plan; collect all required artifacts in advance; provide access, workspaces and rooms; plan introduction meetings, progress reviews and outbriefings; conduct required tests and provide artifacts; allow auditors time for off-site analysis; resolve impediments collaboratively; provide draft and final report versions for management review; and conduct a post-audit (lessons-learned) review for the next cycle.

Key terms Audit preparation phase Gap analysis Audit phase Lessons learned
Key points
  • First SOC: two phases (preparation then audit).
  • Preparation: readiness review and gap analysis to close gaps.
  • Audit: strong project management, artifacts collected in advance.
  • Close with a lessons-learned review.

8.3 External audits: types and conduct

Compliance standards audited by external audits
Figure 8.3 · External audit measures compliance with an imposed standard.

An external audit is an assessment by a third party demonstrating the organisation's controls meet a compliance standard - a standard that imposes consequences for non-compliance (financial penalties, criminal sanctions, activity limits). External audits are regular (risk, governance, finances) and employ an independent organisation with no conflict of interest; sometimes the compliance body audits. In all cases, the audited organisation is responsible for demonstrating compliance. External audits are often mandatory for regulatory compliance; their advantage is being thorough and unbiased, with auditors of specialised skill (e.g. SOC 2 under SSAE 18).

Chartering is the audited organisation's governing body's responsibility, setting schedule, scope, resources and coordination leads. Scope and objectives depend on the audit type and standard. The most common types: compliance audits (test specific controls vs a standard), financial audits (accuracy of financial reporting), operational audits (a process's internal controls), information systems audits (controls over IS development and operation), integrated audits (operational + financial), forensic audits (discover and report fraud or criminal activity).

Process: the auditee knows the applied standard in advance, allowing support preparation. Pre-audit planning identifies skills and resources, prepares an audit checklist (areas to investigate, artifacts, people to interview, schedule) shared with the auditee to close gaps. Audit execution collects artifacts, runs tests and interviews (on site and remotely). Audit reporting analyses and compiles a draft report shared with the auditee to correct errors and omissions, before presenting final results. The auditor must have sufficient expertise, possibly engaging a third party for specialised tests (authorised by the audit charter).

Key terms External audit Compliance audit Forensic audit Integrated audit Audit checklist
Key points
  • External audit: independent, thorough, often mandatory; the auditee proves compliance.
  • Types: compliance, financial, operational, IS, integrated, forensic.
  • Pre-audit planning + audit checklist shared with the auditee.
  • The draft report is reviewed with the auditee before final results.

8.4 Third-party audits, managed services and supply chain

SOC 2 report requested from a third party to assess its controls
Figure 8.4 · Requesting a SOC 2 from a third party assesses its security controls.

Third-party relationships cover supply chains and providers: CSPs, ISPs, managed security services, consultants, but also hardware/software vendors (considered part of the supply chain). Third-party audit is a key risk management tool: the security practitioner can conduct the audit or request an audit report from the third party. The shared objective is to identify third-party risks that could impact your organisation and assess the effectiveness of mitigations. Common examples: SOC 2 and CSA STAR. Auditing the practices of third parties with access to your sensitive data is vital, because many privacy laws hold the data controller legally responsible for a breach, even one caused by a data processor (e.g. a cloud).

Two processes should drive identifying and characterising all third parties (risk, compliance, or both). Contract terms must establish security and compliance responsibilities; otherwise, that gap must be closed, contracts renegotiated. A third party may itself have relationships (its own providers or clients): the first party must identify the mix of risk and compliance and resolve it with the third party.

Managed services hand a third party responsibility for all or part of a set of functions. The security professional engages on two fronts: those delivering IT/security services (identity, incident response, BC/DR) and those who, on other services, have shared access to the organisation's assets. Ideally, a contract and SLA establish a cooperative relationship giving visibility into the provider's audits and allowing your own testing. At minimum, SLAs must grant summary-level information on security audits. Finally, organisations also exist in others' supply chains: supply chain management principles apply upstream (suppliers) and downstream (customers); the ISO 28000 series addresses supply chain security management. Evidence collection (field work) happens in person or remotely, on on-premises, cloud or hybrid assets, the shared responsibility model clarifying who owns which controls (e.g. physical security of the infrastructure provider's data centres).

Key terms Third-party audit Data controller Managed services ISO 28000 Shared responsibility
Key points
  • Third-party audit: conduct it or require a report (SOC 2, CSA STAR).
  • The data controller remains liable for a breach caused by a processor.
  • Managed services: require at minimum a summary of security audits (SLA).
  • Upstream/downstream supply chain; ISO 28000; shared responsibility model.

Case studies

Case · Profile discussion (Bank UYT)

Engaging external auditors for an integrated audit

Context : Bank UYT's board informs Prakash that an external integrated audit of operational and financial system controls must be chartered soon.

Question : What criteria to select the auditors, how to align the audit with security objectives, and how to handle findings? (6.5.2, 6.5.3)

Topics covered Auditor selection (independence, skills)Audit / security objectives alignmentFindings handling and remediation (POA&M)
Show analysis and answer

Selection criteria: independence (no conflict of interest), specialised skills (an integrated audit combines operational and financial controls; for a SOC 2, SSAE 18 expertise is required), reputation, and ability to cover the board-defined scope. To align the audit with security objectives, Prakash takes part in chartering and scoping (the board sets schedule, scope, resources, coordinators), prepares an audit checklist shared with the auditors, collects artifacts in advance, and ensures the applied standard matches the bank's risks. To handle findings: review the draft report with the auditors to correct errors and omissions, then structure remediation (risk-based prioritisation, POA&M, milestones) and feed continual improvement, strengthening overall resilience.

Takeaway : Choose independent, qualified auditors (SSAE 18 for SOC 2); scope via charter/scope/checklist; review the draft then remediate via POA&M.

Key learning points
  • Independence and specialisation come first when choosing an external auditor.
  • The draft report is reviewed with the auditee before finalisation.
  • Remediation is organised via a risk-prioritised POA&M.
Exam pitfall

The drawback of the internal audit

The main drawback of the internal audit is the lack of independence: familiarity with the organisation may incentivise downplaying a major issue (to avoid harming performance or relationships). Familiarity and effective problem identification are, by contrast, benefits.

Exam pitfall

Third party: SOC 2 Type II for a critical provider

For a provider integral to operations, a robust third-party audit strategy considers using third-party auditors, for example via a SOC 2 Type II report, which provides independent insight into its control effectiveness. Don't limit to internal resources or to regulated providers only.

Checkpoint — Knowledge check

  1. What is a potential drawback of internal audits?

    • A The incentive to downplay major issues
    • B Lack of familiarity with processes and personnel
    • C Effective identification of potential problems
    • D Excessive independence from the organisation
    Answer & rationale

    Answer : A — The incentive to downplay major issues

    Because of their familiarity with the organisation, internal auditors may lack independence, creating an incentive to downplay a major issue. Familiarity and effective problem identification are, by contrast, benefits.

  2. For a provider critical to your operations, what is a sound third-party audit strategy?

    • A Use third-party auditors, for example via a SOC 2 Type II report
    • B Audit only with internal resources
    • C Limit audits to regulated-service providers
    • D Rely exclusively on internal stakeholder reports
    Answer & rationale

    Answer : A — Use third-party auditors, for example via a SOC 2 Type II report

    Using third-party auditors, notably via a SOC 2 Type II, provides independent insight into the provider's control effectiveness. Limiting to internal resources, regulated providers only, or internal reports does not give a complete assessment.

Key takeaways

  • Internal audit: familiarity (benefit) vs independence (risk); phases chartering->remediating.
  • POA&M tracks weakness, remediation, resources, schedule.
  • First SOC audit: preparation phase (readiness/gap analysis) then audit phase.
  • External audit: independent, types compliance/financial/operational/IS/integrated/forensic.
  • Third-party audit: SOC 2/CSA STAR; the data controller stays liable; ISO 28000 for the supply chain.

Domain summary

Security assessment and testing is an essential component of any successful security programme: structuring assessment practice, supporting audits and conducting meaningful control assessments keep activity within an acceptable level of risk.

The number and diversity of frameworks keep growing. Selecting a framework that fits the business process is best practice, but a framework is never a substitute for analysis: it is not a checklist that, once ticked, makes an organisation secure.

Several techniques combine: vulnerability scanning (automated tools finding known vulnerabilities), penetration testing (controlled exploitation to measure control effectiveness) and social engineering (psychological manipulation to test user vigilance). Add code review (SAST/DAST), synthetic transactions and RUM, misuse and negative testing, breach and attack simulation.

Collecting process data (account management, KPI/KRI, backups, SETA, BC/DR) feeds data-driven decisions. Analysing results drives remediation, exception handling and ethical disclosure via continual improvement models (PDCA, Six Sigma). Finally, internal, external and third-party audits - and reading SOC reports - provide the formal assurance stakeholders expect.

It is vital to run regular assessments and use their results to prioritise remediation and improve controls.

Glossary (Terms & Definitions)

The key Domain 6 terms, to master in English for the exam.

TermDefinition
ArtifactA piece of evidence, such as text or a reference to a resource, submitted to support a response to a question.
AssessmentThe testing or evaluation of controls in a system or organization to determine whether they are implemented correctly, operating as intended, and producing the desired outcome against security or privacy requirements.
Audit / AuditingThe process of reviewing a system for compliance against a standard or baseline; it can be formal and independent, or informal using internal staff.
Chaos EngineeringThe discipline of experimenting on a software system in production to build confidence in its capability to withstand turbulent and unexpected conditions.
Compliance CalendarA calendar tracking an organization's audits, assessments, required filings, and their due dates and related details.
Compliance TestsAn evaluation providing assurance that an organization's controls are applied in accordance with management policies and procedures.
Ethical Penetration Testing / Penetration TestingA testing method where testers actively attempt to circumvent or defeat a system's security features; ethical penetration testing is contractually constrained to stay within defined rules of engagement (RoE).
ExaminationThe process of reviewing, inspecting, observing, studying, or analyzing assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
Finding(s)Assessment results produced by applying an assessment procedure to a security control or control enhancement to achieve an assessment objective.
Interview(s)An assessment technique of holding discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or obtain evidence.
Judgmental SamplingAlso called purposive or authoritative sampling: a nonprobability technique where sample members are chosen based on the researcher's knowledge and judgment.
Misuse Case TestingA testing strategy from the viewpoint of an actor hostile to the system, using deliberately chosen action sets that could lead to integrity failures or security compromises.
Plan of Action and Milestones (POA&M)A document identifying tasks needing to be accomplished, the resources required, milestones, and scheduled completion dates.
Rules of Engagement (RoE)A set of rules, constraints, and conditions establishing limits on what participants may or may not do; in penetration testing they define scope and liability limitations.
Statistical SamplingThe process of selecting subsets of examples from a population to estimate properties of the total population.
Substantive TestA testing technique used by auditors to obtain audit evidence supporting the auditor's opinion.
TestingThe process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior.
Trust Services Criteria (TSC)The criteria an auditor uses to evaluate the design and operating effectiveness of controls relevant to security, availability, processing integrity, confidentiality, or privacy (used in SOC 2 reports).
SOC 1 ReportA service organization report (SSAE 18 / ISAE 3402) addressing controls relevant to user entities' internal control over financial reporting.
SOC 2 ReportA report on a service organization's controls evaluated against the Trust Services Criteria; restricted-use, shared with the client organization and its auditors.
SOC 3 ReportA public, summary version of a SOC 2 report, freely distributable, without detailed test procedures or results.
Type I ReportA SOC report assessing the suitability of the design of controls at a specific point in time.
Type II ReportA SOC report assessing both the design and the operating effectiveness of controls over a period (typically 6-12 months); a SOC 2 Type II is sought for critical vendors.
AttestationAn independent auditor's statement on the reliability of a management assertion (e.g., control compliance), based on gathered evidence.
Vulnerability ScanningThe automated use of tools to identify known vulnerabilities in information systems; it can also detect insecure protocols such as FTP.
Vulnerability AssessmentAn essential task in evaluating a system's security: identifying vulnerabilities then analyzing their impact given the organization's unique configuration.
Penetration Testing (Black / White / Grey Box)Pen testing categorized by knowledge provided: black box (no information), white box (full information including code/architecture), grey box (partial knowledge).
Red TeamA group simulating a malicious attacker to identify vulnerabilities, exploit weaknesses, and assess the organization's security posture.
Blue TeamThe defensive team responsible for detecting, countering, and responding to red team actions and hardening security controls.
Purple TeamA collaborative approach bridging red and blue teams to maximize feedback sharing and continuous improvement of defenses.
Social EngineeringA technique using psychological tactics to deceive users into disclosing confidential information or taking actions that compromise security.
Breach and Attack Simulation (BAS)An automated platform that continuously replays realistic attack scenarios to validate the effectiveness of detection and prevention controls.
Static Application Security Testing (SAST)Security analysis of source or binary code without executing it (white box), to find vulnerabilities early in the development lifecycle.
Dynamic Application Security Testing (DAST)Security testing of a running application (black box), probing exposed interfaces to detect exploitable flaws.
Interactive Application Security Testing (IAST)A hybrid test combining internal instrumentation (like SAST) with runtime execution (like DAST) for more accurate detection.
FuzzingA technique injecting malformed, random, or unexpected inputs to trigger failures and reveal vulnerabilities.
Code ReviewManual or assisted peer examination of source code to detect security, logic, or quality defects before deployment.
Test Coverage AnalysisMeasurement of how much of the code or requirements is actually exercised by tests, identifying untested areas.
Regression TestingRe-testing after a change to verify a fix or enhancement has not reintroduced defects or broken existing functionality.
Interface TestingTesting the exchange points between components, systems, or APIs (network, application, physical interfaces) to validate correct operation.
Misuse CaseA negative use case describing how a hostile actor would abuse the system, used to derive security requirements and tests.
Synthetic TransactionsScripted transactions replayed automatically against an application to proactively measure availability and performance.
Real User Monitoring (RUM)Passive monitoring of real users' actual interactions with an application to measure performance and lived experience.
Log ReviewAnalysis of system, application, and security logs to detect anomalies, incidents, and compliance deviations.
Account Management ReviewPeriodic review of accounts and their privileges to confirm least privilege and detect orphaned accounts or excessive access.
Backup VerificationVerification that backups exist, are intact, and are restorable, typically through regular restore testing.
Management ReviewA formal leadership review of assessment results, KPIs/KRIs, and ISMS effectiveness to guide decisions and resource allocation.
Key Performance Indicator (KPI)A backward-looking indicator measuring achievement of performance objectives (e.g., percentage of vulnerabilities remediated on time).
Key Risk Indicator (KRI)A forward-looking indicator signaling changes in risk exposure to anticipate breaches of risk appetite.
Internal AuditAn audit performed by internal staff; it requires sufficient skills and allocated time/resources but is less independent than an external audit.
External AuditAn audit chartered with an independent organization having no conflict of interest, covering risk, governance, or financial status.
Third-Party AuditAn audit strategy covering any third party affecting operations or handling sensitive data; it may rely on a vendor's SOC 2 Type II report.
Self-AssessmentAn internal evaluation demanding organizational rigor and introspection; successful organizations follow a consistent methodology.
Security Control TestingEvaluating a control through a combination of testing, examination, and interview (and possibly modeling and simulation) in a consistent, structured, and repeatable manner.
NIST SP 800-53ANIST guide of assessment procedures for the security and privacy controls in SP 800-53, defining the test, examination, and interview methods.
ISO/IEC 27001An international certifiable standard specifying the requirements for an information security management system (ISMS).
ISO/IEC 27002A code of practice providing detailed implementation guidance for information security controls.
PCI DSSThe Payment Card Industry Data Security Standard for entities handling payment cards; it mandates regular vulnerability scans and penetration tests.
Common Vulnerabilities and Exposures (CVE)A public catalog assigning a unique identifier to each publicly disclosed known vulnerability.
Common Vulnerability Scoring System (CVSS)A standardized framework scoring vulnerability severity from 0 to 10 using base, temporal, and environmental metrics.
False PositiveAn alert wrongly flagging a vulnerability or incident that does not exist, consuming triage resources.
False NegativeA failure to detect a real vulnerability or incident, the most dangerous case because the risk remains unseen.
Compensating ControlAn alternative control reducing risk when the primary control is impractical (e.g., network segmentation to limit FTP usage).
Risk AssessmentAn assessment identifying an organization's assets then measuring the likelihood and impact of risks that could affect them.
Modeling and SimulationAn assessment method combining modeling, simulation, and analysis of operational data to estimate a control's performance.

Domain key takeaways

What you must remember

  • Security assessment and testing evaluates control effectiveness and pinpoints vulnerabilities.
  • It combines several techniques: vulnerability scanning, penetration testing, social engineering, code review.
  • Vulnerability scanning automates the identification of known vulnerabilities.
  • Penetration testing exploits vulnerabilities in a controlled environment to gauge controls.
  • Social engineering tests the human factor (phishing, pretexting).
  • Regular assessments ensure new vulnerabilities are found and controls stay effective.
  • Results are used to strategically prioritise remediation and strengthen controls.
  • Testing is a method of gathering information: it can serve an audit, an assessment, or stand alone.

Going further