CISSP-6-Security Assessment and Testing
CISSP-Information System Security Professional Certification Security Assessment and Testing Mind Map, the main contents include basic concepts, assessment and testing strategies, collection of security process data, internal and third-party audits, and audit management controls.
Edited at 2021-11-10 12:04:23
Security assessment and testing
basic concept
Security assessment and testing
Security assessment and testing encompasses a broad range of current and point-in-time testing methods used to identify vulnerabilities and their associated risks.
Basic objectives of T&E
T&E can measure system and capability development progress
T&E provides early awareness of system strengths and weaknesses throughout the development process and the system life cycle.
Provide knowledge to assist in risk management during development, production, operation and maintenance of system capabilities.
Ability to identify technical, operational and system deficiencies prior to system deployment in order to develop appropriate and timely corrective actions.
T&E strategy
The test and evaluation strategy addresses the functionality relevant to the acquisition/development process, the capability requirements that were provided, and the capabilities the technology must deliver.
Intended to provide
Awareness required to manage risk
Empirical data for validating models and simulations
Testing of technical performance and system maturity
Determination of operation and maintenance efficiency, adaptability and survivability
Objective
Identify, manage and reduce risks
Assessment and Testing Strategies
T&E strategy
The role of strategy
Awareness required to manage risk
Empirical data for validating models and simulations
Testing of technical performance and system maturity
Determination of operational effectiveness, adaptability and survivability.
Systems Engineers and Security Experts
Work with sponsoring organizations to establish or evaluate T&E strategies to support program acquisition/development;
Provide T&E methods that support in-depth risk management;
Monitor T&E processes and changes that may be required;
Evaluate and provide recommendations for suitability of test plans and procedures for development testing or operational testing;
They are further expected to understand the rationale behind the acquisition/development procedures used to establish and execute T&E strategies;
They are expected to understand the specific activities of T&E testing, such as interoperability testing;
Enterprises need to establish working groups
This group is often called the T&E integrated product team and consists of T&E experts, customer user representatives, and other stakeholders;
The T&E strategy is a living document and the team is responsible for updating it when needed;
The team needs to ensure that the T&E process includes acquisition strategies and that the system meets operational requirements based on the capabilities used;
Log review
Logs related to computer security
For example, routine log analysis helps identify security incidents, policy violations, fraudulent activity, and operational problems.
Log function
Conduct audits and forensic investigations;
Support internal investigations;
Establish a baseline;
Identify operational trends and identify long-term issues;
Challenges
Need to balance limited log management resources with continuously generated log data
Log production and storage
Different log sources
Inconsistent log content, format, timestamp, etc.
Mass generation of log data
Need to protect the integrity, confidentiality and availability of logs
Ensure security, system and network administrators analyze log data regularly and effectively.
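The format and timestamp inconsistencies listed above are the first thing a log pipeline has to deal with. The following is an added example, not part of the original mind map: it normalizes three constructed log lines (BSD syslog without year or time zone, Apache common log format with a numeric offset, and a JSON event in UTC) into one UTC record, and flags hosts whose events appear to come from the future, which is how an unsynchronized source clock or a wrong time-zone assumption shows up in a SIEM. The sample lines, host names and the collector clock are all constructed.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample lines in three shapes commonly seen in one SIEM feed:
# BSD syslog (no year, no time zone), Apache common log format (offset given)
# and a JSON event (ISO 8601, UTC). None of these describe real systems.
SAMPLE_LINES = [
    "Nov 10 12:04:23 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    '198.51.100.7 - - [10/Nov/2021:12:04:30 +0800] "GET /admin HTTP/1.1" 403 512',
    '{"time": "2021-11-10T04:05:00Z", "host": "authsrv", "event": "login_failed", "user": "alice"}',
    "not a log line at all",
]

# Collector clock at the time the lines were received (constructed).
COLLECTOR_NOW = datetime(2021, 11, 10, 4, 6, 0, tzinfo=timezone.utc)

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)


@dataclass
class LogRecord:
    ts_utc: datetime   # always time-zone aware, always UTC
    host: str          # reporting host, or the client address when the format carries nothing else
    source: str        # which parser produced the record
    message: str


def normalize(line: str, default_year: int) -> Optional[LogRecord]:
    """Map one raw line onto the common record, or return None if no parser claims it."""
    m = SYSLOG_RE.match(line)
    if m:
        # BSD syslog carries neither year nor zone; the year comes from the caller and
        # the zone is assumed to be UTC. A wrong assumption shows up as clock skew below.
        ts = datetime.strptime(f"{default_year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return LogRecord(ts.replace(tzinfo=timezone.utc), m["host"], "syslog", m["msg"])

    m = APACHE_RE.match(line)
    if m:
        # Common log format includes a numeric offset, so it converts exactly.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        return LogRecord(ts, m["client"], "http", f'{m["req"]} -> {m["status"]}')

    if line.startswith("{"):
        try:
            obj = json.loads(line)
            ts = datetime.fromisoformat(obj["time"].replace("Z", "+00:00")).astimezone(timezone.utc)
            msg = " ".join(f"{k}={v}" for k, v in obj.items() if k not in ("time", "host"))
            return LogRecord(ts, obj.get("host", "unknown"), "json", msg)
        except (ValueError, KeyError):
            return None
    return None


def normalize_all(lines: List[str], default_year: int) -> List[LogRecord]:
    return [r for r in (normalize(l, default_year) for l in lines) if r is not None]


def flag_clock_skew(records: List[LogRecord], now: datetime,
                    tolerance: timedelta = timedelta(minutes=5)) -> List[str]:
    """Hosts whose events are time-stamped further in the future than the collector
    tolerates: a symptom of an unsynchronized clock or a zone assumption that does not hold."""
    return sorted({r.host for r in records if r.ts_utc - now > tolerance})


if __name__ == "__main__":
    recs = normalize_all(SAMPLE_LINES, default_year=2021)
    for r in recs:
        print(r.ts_utc.isoformat(), r.source, r.host, r.message)
    print("clock skew suspected on:", flag_clock_skew(recs, COLLECTOR_NOW))
```

The syslog line is the instructive one: it parses cleanly, but because the format has no zone it lands eight hours in the future relative to the collector, which is exactly the kind of record that breaks cross-source correlation until source clocks and zones are fixed.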
Log management policies and procedures
Define logging requirements and goals
Develop clearly defined mandatory and recommended requirements for log management activities
Including log generation, delivery, storage, analysis and disposal
Integrate and support log management requirements and recommendations
Management should provide necessary support
Logging requirements and recommendations should be generated along with the resources and detailed analysis techniques required to implement and maintain logging
Protection of original logs
Send a copy of network traffic logs to a central device
Prioritize Log Management
Prioritize log management based on the perceived reduction in organizational risk and on the resources and time expected to be required.
Establish log management responsibilities and roles
Establish and maintain log management architecture
A log management architecture encompasses the hardware, software, network, and media used to generate, transmit, store, analyze, and process logs.
Designing a log management framework should consider the current and future needs of the management framework as well as independent log sources across the organization.
Centralized log server and log data storage
The amount of log data that needs to be processed,
network bandwidth,
Online and offline data storage
Data security requirements
Time and resources required by staff to analyze logs
Provide appropriate support to all employees with their log management responsibilities
Administrators of the system should receive adequate support;
Including disseminating information, providing training, providing a point of contact for questions and answers, and providing specific technical guidance, tools and documentation.
Standard log management process
Log administrator responsibilities
Monitor log status
Monitor log rotation and archiving processes
Check log system patches, obtain, test and deploy patches
Make sure the log source system keeps its clock synchronized
When policy or technology changes, reconfigure logging if necessary
Logging and reporting log exceptions
Ensure logs are consolidated into central storage, such as a security information and event management (SIEM) system
Log management process
Configure log sources, perform log analysis, initiate responses to identified events, and manage long-term storage of logs.
Log source
Network-based and host-based security software
anti-virus software
IDS and IPS systems
remote access software
Web proxy
Vulnerability management software
Authentication server
router
firewall
Network Access Control (NAC)/Network Access Protection (NAP) Server
Operating system event and audit logging
Application-based
Client request and server response
account information
Usage information
important operational activities
Challenges
The distributed nature of log sources, inconsistent log formats, and log volume all pose log management challenges.
The integrity, confidentiality and availability of logs must be protected
Organizations also need to protect the availability of their logs.
The confidentiality and integrity of archived logs also need to be protected.
System and network administrators
Need to analyze logs
Often unable to perform log analysis effectively
Have not received adequate training
Lack tool support
Log analysis is often reactive
Many log analyses require real-time or near-real-time processing
key practices
Optimize log management appropriately across the organization
Establish log management policies and procedures
Establish and maintain security log management infrastructure
Provide appropriate support for log management for all employees
Synthetic Transactions vs. Real Transactions
Real user monitoring (RUM)
A web monitoring method designed to capture or analyze every transaction of every user of the web site or application
Also known as real-user measurement, real-user metrics, or end-user experience monitoring (EUM)
Passive monitoring method
Relies on a web monitoring service that continuously collects system activity and tracks its availability, functionality and responsiveness.
Monitor mode
Bottom-up (server-side RUM)
Capture server-side information to reconstruct user experience;
Top-down (client-side RUM)
Client RUM can directly see how users interact with the application and how they experience it
Focus on site speed and user satisfaction, providing in-depth insights into optimizing application components and improving overall performance.
Synthetic transactions
Proactive monitoring approach
Runs scripted transactions against the web application from an external agent.
These scripts exercise typical user paths, such as how users search, view products, log in, and pay, and measure the resulting user experience.
Synthetic monitoring can run from a lightweight, low-level agent, but a real web browser is needed to process the JavaScript, CSS, and AJAX calls that occur on the page.
Does not track actual user sessions
A known set of steps are performed at a known location at regular intervals, with predictable performance. Better than RUM for assessing site availability and network issues.
Selenium
http://docs.seleniumhq.org
Full control over the client
Unlike RUM, which is driven by sandboxed JavaScript, details can be obtained more objectively
Microsoft System Center Operations Management Software
Web site monitoring
Database monitoring
TCP port monitoring
Added value
Monitor application availability 24x7
Find out if the remote site is reachable
Understand the performance impact of third-party services on business application systems
Monitor SaaS application performance and availability
Test B2B web sites using SOAP, REST, or other web services
Monitor the availability of critical databases
Measuring Service Level Agreements (SLAs)
Complements real user monitoring during periods of low business traffic
Establish performance baselines and conduct performance trend analysis
Code review and testing
Common causes of vulnerabilities
Inappropriate programming patterns, such as missing checks on user-supplied data (input validation), e.g. SQL injection
Mismatch of security infrastructure: excessive access control or weak encryption configuration;
Functional errors in the security infrastructure: access control enforcement facilities themselves do not restrict access to the system;
Logical errors in the implementation process: For example, the user places an order without paying
Common Software Vulnerabilities
Top 25
■ Insecure Interaction between Components
■ Risky Resource Management
■ Porous Defenses
Testing techniques
White box (structural testing/open box testing) vs. black box testing (functional testing/closed box testing)
Dynamic Testing vs. Static Testing
Manual Testing vs. Automated Testing
Security testing considerations
Attack surface
Application types
Quality
Supporting technologies
Performance and resource utilization
During Planning and Design
Architecture security review
Prerequisite: Architectural Model
Benefit: verifies whether the architecture deviates from security standards
Threat modeling
Prerequisite: Business use case or usage scenario
Identify threats, their impacts and potential controls specific to the software product development process.
STRIDE model
During Application Development
Static Source Code Analysis (SAST) and Manual Code Review
Analyze application source code to find weaknesses without executing the application.
Prerequisite: Application source code
Benefits: Detects insecure programming, outdated code bases, and misconfigurations
Static Binary Code Analysis and Manual Binary Review
Compiled applications are analyzed to find weaknesses, but the applications are not executed.
Imprecise and does not provide fix recommendations.
Executable in a Test Environment
Manual or automated penetration testing
Sends data the way an attacker would and observes how the application behaves.
Advantages: Identify a large number of vulnerabilities in deployed applications;
Automated vulnerability scanning
Tests applications for system components or configurations that are known to be insecure.
Uses predefined attack patterns and analyzes system fingerprints.
Advantages: Detects known vulnerabilities
Fuzz Testing Tools
Advantages: Detects crashes of critical applications (e.g. caused by buffer overflows).
Send random data (often in much larger chunks than the application expects) to the application input channel to cause the application to crash.
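A minimal fuzzer makes the point above concrete. The following is an added example, not code from the original mind map or any fuzzing tool: a constructed length-prefixed record format is parsed by two versions of the same parser, one that trusts the length bytes and one that checks every length against the buffer. The fuzzer alternates purely random input with mutations of a valid seed record, treats the parser's documented `ValueError` as an expected rejection, and counts any other exception as a crash. The record format, the seed record and the parser names are all constructed for this demonstration.

```python
import random
from typing import Callable, Dict, List

# Constructed record format used only for this demonstration:
#   byte 0   : number of fields N
#   N times  : one length byte L followed by L bytes of payload
def encode_record(fields: List[bytes]) -> bytes:
    out = bytes([len(fields)])
    for f in fields:
        out += bytes([len(f)]) + f
    return out


def parse_record_unsafe(data: bytes) -> List[bytes]:
    """Parser with the defect fuzzing is good at finding: it trusts the length
    bytes, so a header that overruns the buffer raises IndexError (a crash)."""
    count = data[0]
    pos, fields = 1, []
    for _ in range(count):
        length = data[pos]                     # IndexError when pos >= len(data)
        pos += 1
        fields.append(data[pos:pos + length])  # slicing silently truncates
        pos += length
    return fields


def parse_record_safe(data: bytes) -> List[bytes]:
    """Same format, but every length is checked against the buffer before use
    and malformed input is rejected with ValueError, which callers can handle."""
    if not data:
        raise ValueError("empty record")
    count = data[0]
    pos, fields = 1, []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated field header")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ValueError("field length exceeds record")
        fields.append(data[pos:pos + length])
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after last field")
    return fields


def fuzz(parser: Callable[[bytes], List[bytes]], iterations: int = 2000,
         seed: int = 1, max_len: int = 48) -> Dict[str, int]:
    """Drive the parser with generated inputs and count crashes by exception type.
    Two generators alternate: purely random bytes, and a valid seed record with
    random bytes overwritten and appended (mutation). ValueError is the parser's
    documented rejection path and is not counted; anything else is a crash."""
    rng = random.Random(seed)
    seed_record = encode_record([b"user=alice", b"role=admin"])
    crashes: Dict[str, int] = {}
    for i in range(iterations):
        if i % 2 == 0:
            data = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, max_len)))
        else:
            buf = bytearray(seed_record)
            for _ in range(rng.randint(1, 4)):
                buf[rng.randrange(len(buf))] = rng.getrandbits(8)
            buf += bytes(rng.getrandbits(8) for _ in range(rng.randint(0, max_len)))
            data = bytes(buf)
        try:
            parser(data)
        except ValueError:
            continue
        except Exception as exc:  # crash: record the type and keep fuzzing
            name = type(exc).__name__
            crashes[name] = crashes.get(name, 0) + 1
    return crashes


if __name__ == "__main__":
    print("unsafe parser:", fuzz(parse_record_unsafe))
    print("safe parser:  ", fuzz(parse_record_safe))
```

In a native parser the same missing bounds check is a buffer over-read rather than an exception, which is why the page lists crashes from buffer overflows as the classic fuzzing find; the hardened parser shows what "handling the failure" means: a typed rejection the caller can catch, instead of an uncontrolled fault.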
Testing in system operation and maintenance
Software testing characteristics
It is recommended to use passive security testing technology to monitor system behavior and analyze system logs
During software maintenance, patch testing is very important
Patches require thorough security testing
Software testing has its limitations and it is impossible to complete 100% testing
Testing all program functions and all program code does not mean that the program is 100% correct!
Test plans and test cases should be developed as early as possible in the software development phase
Code-based testing
Software security testing generally starts with unit-level testing and ends with system-level testing.
Structured testing ("white box" testing)
Structured testing is mainly testing at the module level;
The level of structured testing can be measured as the percentage of software structures being tested as an indicator;
Test cases are based on knowledge gained from source code, detailed design specifications, and other development documents;
Common structural coverage measures (white box test coverage)
Statement Coverage
Decision (Branch) Coverage
Condition Coverage
Multi-Condition Coverage
Loop Coverage
Path Coverage
Data Flow Coverage
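The difference between these coverage measures is easy to state and easy to get wrong in practice. The following is an added example, not part of the original mind map: a small, hand-instrumented authorization function records which statements, decision outcomes, condition outcomes and complete paths each test exercises, so the four measures can be computed for a given test suite without a coverage tool. The function, its statement and decision labels (S1..S5, B1, B2) and the test suites are all constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Test = Tuple[bool, bool, bool]   # (is_admin, has_token, locked)


@dataclass
class CoverageLog:
    statements: Set[str] = field(default_factory=set)
    branches: Set[Tuple[str, bool]] = field(default_factory=set)
    conditions: Set[Tuple[str, bool]] = field(default_factory=set)
    paths: Set[Tuple[bool, ...]] = field(default_factory=set)


def authorize(is_admin: bool, has_token: bool, locked: bool, cov: CoverageLog) -> str:
    """Constructed function under test, instrumented by hand: every statement,
    decision outcome, evaluated condition and complete path is logged."""
    path = []
    cov.statements.add("S1")
    cov.conditions.add(("is_admin", is_admin))
    if not is_admin:                        # `or` short-circuits: has_token is only
        cov.conditions.add(("has_token", has_token))  # evaluated when is_admin is False
    if is_admin or has_token:               # decision B1
        path.append(True); cov.branches.add(("B1", True))
        cov.statements.add("S2")
        cov.conditions.add(("locked", locked))
        if locked:                          # decision B2
            path.append(True); cov.branches.add(("B2", True))
            cov.statements.add("S3")
            cov.paths.add(tuple(path))
            return "denied: account locked"
        path.append(False); cov.branches.add(("B2", False))
        cov.statements.add("S4")
        cov.paths.add(tuple(path))
        return "granted"
    path.append(False); cov.branches.add(("B1", False))
    cov.statements.add("S5")
    cov.paths.add(tuple(path))
    return "denied: no credential"


# Everything that exists in the function, so coverage can be expressed as covered/total.
ALL_STATEMENTS = {"S1", "S2", "S3", "S4", "S5"}
ALL_BRANCHES = {("B1", True), ("B1", False), ("B2", True), ("B2", False)}
ALL_CONDITIONS = {(c, v) for c in ("is_admin", "has_token", "locked") for v in (True, False)}
ALL_PATHS = {(True, True), (True, False), (False,)}


def measure(tests: List[Test]) -> Dict[str, Tuple[int, int]]:
    """Run the suite once and return (covered, total) for each coverage measure."""
    cov = CoverageLog()
    for t in tests:
        authorize(*t, cov)
    return {
        "statement": (len(cov.statements & ALL_STATEMENTS), len(ALL_STATEMENTS)),
        "branch":    (len(cov.branches & ALL_BRANCHES), len(ALL_BRANCHES)),
        "condition": (len(cov.conditions & ALL_CONDITIONS), len(ALL_CONDITIONS)),
        "path":      (len(cov.paths & ALL_PATHS), len(ALL_PATHS)),
    }


def uncovered_conditions(tests: List[Test]) -> Set[Tuple[str, bool]]:
    cov = CoverageLog()
    for t in tests:
        authorize(*t, cov)
    return ALL_CONDITIONS - cov.conditions


# Constructed test suites. SUITE_FULL_BRANCH reaches every statement, branch and
# path, yet never exercises the case where a token alone grants access.
SUITE_SMALL = [(True, False, False), (False, False, False)]
SUITE_FULL_BRANCH = SUITE_SMALL + [(True, False, True)]
SUITE_FULL_CONDITION = SUITE_FULL_BRANCH + [(False, True, False)]

if __name__ == "__main__":
    for name, suite in [("small", SUITE_SMALL), ("full branch", SUITE_FULL_BRANCH),
                        ("full condition", SUITE_FULL_CONDITION)]:
        print(f"{name:15}", measure(suite), "missing:", uncovered_conditions(suite))
```

The security-relevant observation is in `SUITE_FULL_BRANCH`: 100% statement, branch and path coverage, and still the one input that matters most for an authorization check (`has_token` true without admin rights) has never been run. Condition coverage catches it; the coarser measures do not.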
Functional testing or "black box" testing/closed box testing
Test cases are defined based on what the software product is specifically supposed to do;
Test cases focus mainly on the intended use and functionality of the program as well as its internal and external interfaces;
Functional testing should be applied to any level of software testing, from unit testing to system level testing
Functional software testing
Normal Case
Output Forcing
Robustness
Combinations of Inputs
Weakness
It is difficult to link the completion criteria of structured and functional testing to the reliability of the software product;
Statistical testing
Provides high structural coverage
Generate random data from a distribution defined based on the operating environment (intended use, dangerous use, or malicious use of the software product);
Generate large amounts of test data and use it to cover specific areas or areas of concern, providing increased likelihood of identifying single and extremely rare operating conditions that were not anticipated by designers and testers;
Software change testing
Reasons
Debug discovered problems and correct them;
new or changing needs;
Discover design modifications that can be implemented more efficiently or effectively;
Purpose
Changes have been implemented correctly
No adverse effects on other parts
Regression analysis and testing
Regression analysis: determines the impact of changes based on a review of the relevant documentation (software specifications, design specifications, source code, etc.); it is also used to identify and apply the necessary regression tests;
Regression testing: re-executes previously passing test cases against the changed program and compares the results with the previous results to identify unintended consequences of the software change.
Rigorous and complete testing (V-shaped model)
Unit (module or component) level testing
Integration level testing (testing the interfaces between modules)
Top-down
Bottom-up
Sandwich
System level testing
Security and privacy (e.g., encryption capabilities, security log reporting)
Performance issues (e.g., response time, reliability measurements)
Response under stress conditions (e.g., behavior under maximum load)
Operation of internal and external security features
Effectiveness of recovery steps
Usability;
Performance under different configurations
Documentation accuracy
Compatibility with other software
Acceptance Test
UAT (User Acceptance Testing)
QAT (Quality Assurance Testing)
Testing considerations
System testing will present the behavior of the software product in a specific environment;
Test procedures, test data, and test results should be documented in a manner that permits pass/fail decisions;
Enterprise software products are complex, and the testing of software products needs to maintain consistency, completeness and effectiveness;
Software maintenance tasks are different from hardware maintenance. Hardware has preventive maintenance measures but software does not;
Requires valid verification of changes
Other maintenance tasks
Software Validation Plan Revision
Anomaly Evaluation
Problem Identification and Resolution Tracking
Proposed Change Assessment
Task Iteration
Documentation Updating
Use cases and misuse cases
Use cases
Test cases from the perspective of normal users using the system
Misuse cases
Use cases from the perspective of someone with malicious intent on the system.
Positive testing
Make sure the application works as expected; the test fails if errors are found during positive testing
Negative testing
Make sure your app handles invalid input or unexpected user behavior appropriately.
Interface testing
Purpose
It mainly checks whether the different components of the application or system development are in sync with each other;
At a technical level, interface testing is mainly used to determine whether data is transferred as designed among the different elements of the system.
Used to ensure software quality
Penetration testing
Simulate the process of attacking a network and its systems at the request of the owner
The type of penetration test depends on the organization, its security goals, and management's goals
Penetration testing reports should be submitted to management
A letter of authorization authorizing the scope of testing should be signed (written authorization from management is required)
Steps
Discovery: collecting information about the target
e.g. discovering the operating system version (CentOS 5.1)
dig
DNS footprinting tool, gathering information during the discovery phase
Enumeration: performing port scanning and resource identification
nbtstat belongs to enumeration, which is in the enumeration phase, not in the discovery phase.
Vulnerability mapping: identifying vulnerabilities in the identified systems and resources
Vulnerability testing categories
Human vulnerabilities
Physical vulnerabilities
System and network vulnerabilities
Exploitation: attempting to exploit a vulnerability to gain unauthorized access
Report to management: submit reports and security recommendations to management
Classification
Black box testing, zero understanding, the penetration team tests without understanding the test goals
Gray box testing, testing based on knowing some information related to the test goal
White box testing, testing based on understanding the essence of the target
Penetration testing team classification
Zero knowledge
Knows nothing about the target
Partial knowledge
Partial knowledge of the target
Full knowledge
Fully understands the target's situation
Example: War dialing
Dial a range of phone numbers to find available modems
Some organizations still use modems for communication backup
War dialing is a form of intrusion into an organization's network designed to circumvent firewalls and intrusion detection systems (IDS)
War dialing attacks attempt to gain access to an organization's internal computing and network resources through dial-in access, which is convenient for attackers.
Self-test
Administrators war dial within their own organization to find unauthorized modem installations and re-educate the employees who installed them.
Other vulnerability types
Kernel flaws
There are vulnerabilities in the kernel layer
Countermeasure: Ensure that security patches to the operating system are deployed promptly after adequate testing in the environment to keep the vulnerability window as small as possible.
Buffer overflows
Countermeasures: good programming practices and developer education, automated source code scanners, and enhanced programming libraries and strongly typed languages that disallow buffer overflows
Symbolic links
Hackers redirect symbolic links to gain unauthorized access.
Countermeasure: when writing programs (especially scripts), there is no substitute for using the full path of the file
File descriptor attacks
A file descriptor is a number used by many operating systems to represent open files in a process. Certain file descriptor numbers are universal and have the same meaning to all programs.
If a program uses file descriptors unsafely, it may allow an attacker to exploit the program's privileges to provide unexpected input to the program, or cause output to go to an unexpected place.
Countermeasures: Good programming practices and development education, automated source code scanners, and application security testing are all ways to reduce this type of vulnerability.
Race conditions (in multi-process and multi-threaded environments)
Arise when a program fails to eliminate vulnerable environmental conditions before executing a procedure
Can allow an attacker to read or write unexpected data or execute unauthorized commands
Countermeasures: Good programming practices and development education, automated source code scanners and application security testing
When a parent process creates a child process, attention should be paid to race conditions and least privilege.
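The symbolic link and race condition entries above describe the same file-system weakness from two angles: a check on a path and a later use of that path are separate operations, and a link swapped in between redirects the use. The following is an added example, not part of the original mind map: a vulnerable check-then-open routine in which the race window is simulated by a callback, beside a hardened routine that opens first with `O_NOFOLLOW` and then validates the descriptor it actually obtained with `fstat` (regular file, expected owner, not group- or world-writable). It runs on POSIX systems only; the temporary files, their contents and the function names are constructed.

```python
import os
import stat
import tempfile
from typing import Callable, Dict, Optional

# POSIX only: relies on O_NOFOLLOW, symlinks and fstat ownership. All paths,
# file names and contents below are constructed for the demonstration.


def check_then_open(path: str, after_check: Optional[Callable[[], None]] = None) -> bytes:
    """Vulnerable pattern: the check and the use are separate system calls.
    `after_check` stands in for whatever happens in the window between them
    (here, a symlink is swapped in); open() then follows the link."""
    if not os.path.isfile(path):           # check
        raise ValueError("not a regular file")
    if after_check:
        after_check()                      # the race window
    with open(path, "rb") as fh:           # use
        return fh.read()


def open_no_follow(path: str, expected_uid: int) -> bytes:
    """Hardened pattern: open first without following links, then validate the
    object actually opened through its descriptor. Nothing can be swapped
    between fstat and read because both operate on the same open file."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("refusing to read a non-regular file")
        if st.st_uid != expected_uid:
            raise PermissionError("file owned by unexpected user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError("file is group- or world-writable")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def demo() -> Dict[str, object]:
    """Create a public file, a secret file and a symlink to the secret, then run
    both patterns. Returns what each one did so the behaviour can be asserted."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        link = os.path.join(d, "link.txt")
        with open(public, "wb") as fh:
            fh.write(b"public data")
        with open(secret, "wb") as fh:
            fh.write(b"secret data")
        os.chmod(public, 0o600)
        os.symlink(secret, link)

        def swap_in_symlink() -> None:
            # Simulates losing the race: by the time the checked path is opened,
            # it is a link to the secret.
            os.remove(public)
            os.symlink(secret, public)

        leaked = check_then_open(public, after_check=swap_in_symlink)
        results["vulnerable_leaked"] = leaked == b"secret data"

        try:
            open_no_follow(link, os.getuid())
            results["hardened_refused"] = False
        except OSError:                    # ELOOP: O_NOFOLLOW refused the symlink
            results["hardened_refused"] = True

        # Restore a real file and show the hardened reader still serves it.
        os.remove(public)
        with open(public, "wb") as fh:
            fh.write(b"public data")
        os.chmod(public, 0o600)
        results["hardened_legit"] = open_no_follow(public, os.getuid())
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The hardened routine also illustrates the page's countermeasure for file and directory permissions: checking the mode of the file actually opened, rather than the one a path name appeared to refer to, is the only check that cannot be raced.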
File and directory permissions
Improper file or directory permissions
Countermeasure: File integrity check, also check the permissions of expected files and directories
Collect Security Process Data
Information security continuous monitoring (ISCM)
ISCM
Maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational information security risk decisions;
Any efforts and processes used to support information security monitoring across the organization must begin with a sophisticated ISCM strategy defined by senior leadership;
ISCM strategy
It is built on a clear understanding of organizational risk tolerance and helps companies set priorities and manage risk consistency across the organization;
Include metrics to provide a true meaning of security posture at all organizational levels;
Ensure the continued effectiveness of all security controls;
Verify compliance with information security requirements driven by organizational mission/business functions, national laws and regulations, guidance and standards;
Maintain visibility into all organizational IT assets and awareness of their security state;
Ensure knowledge and control of changes to organizational systems and environment;
Maintain awareness of threats and vulnerabilities.
NIST SP 800-137
Information Security Continuous Monitoring (ISCM) of Federal Information Systems and Organizations
Features
ISCM programs are established to collect data according to predefined metrics, using information that is readily available in part through implemented security controls.
Organization-wide risk monitoring cannot be achieved effectively by relying solely on separate manual processes or solely on automated processes.
Develop ISCM strategy process
Define ISCM policies based on risk tolerance to maintain asset visibility, vulnerability awareness, threat information updates, and mission/business impact;
Establish an ISCM plan to determine measurement indicators, status monitoring frequency, control evaluation frequency and establish an ISCM technical architecture;
Implement the ISCM program and collect the security-related information required for measurement, assessment and reporting. Automate collection, analysis and reporting wherever possible;
Analyze all collected data and report findings to determine the appropriate response. It may be necessary to collect additional information to clarify or supplement existing monitoring data;
Respond to findings through technical, management and operational activities, which include mitigating, accepting, transferring/sharing, or avoiding/rejecting risk.
Review and update the ISCM program, adjusting ISCM policies and maturing measurement capabilities to increase asset visibility and vulnerability awareness, enable more data-driven control of the organization's information security architecture, and increase organizational resilience.
Metrics
Definition and content of measurement indicators
Measurements include all security-related information from assessment and monitoring produced by automated tools as well as manual procedures, organized into meaningful information to support decision-making and reporting requirements.
Metrics should be driven by specific goals to maintain or improve the security posture.
Metrics organize system-level data so that it is meaningful in the mission/business context or for organizational risk management;
Metrics draw on security-relevant information obtained at different times and with varying levels of latency.
Examples
Principles for establishing measurement indicators NIST SP 800-137
Security Control Volatility
System Categories/Impact Levels
Security Controls or Specific Assessment Objects Providing Critical Functions
Security Controls with Identified Weaknesses
Organizational Risk Tolerance
Threat Information
Vulnerability Information
Risk Assessment Results
Reporting Requirements
Factors of change
ISCM is a key step in the organization's Risk Management Framework (RMF)
Provides organizational officials with on-demand access to security-related information so that they can make timely risk management decisions, including authorization decisions.
Internal and Third-Party Audits
Audit requirements
Legal and regulatory requirements
For example, the U.S. Federal Information Security Management Act (FISMA Federal Information Security Management Act) requires federal agencies to conduct self-audits and independent third-party audits of the organization's information security system at least once a year;
Information security professionals need to understand the requirements outlined in legal standards to provide protection, but complete protection or risk management of information systems is rarely achieved;
Information security professionals must ensure proper scope and tailoring to obtain the appropriate number of controls at the correct level for the target system
Compliance
business driven
To focus on core competencies, reduce expenses and deploy new application functions more quickly, organizations continuously outsource systems, business processes and data processing to service providers;
Organizations need to regularly update how they monitor outsourced service providers and manage outsourcing risks;
Historically, many organizations have relied on Statement on Auditing Standards (SAS) 70 reports to gain comfort with outsourcing activities. However, SAS 70 focuses on internal control over financial reporting (ICOFR) rather than system availability and security.
The SAS70 report was retired in 2011 and replaced by the SOC (Service Organization Control) report;
Internal Audit (First Party Audit)
Organizations maintain their own audit team to enable continuous improvement of the organization's security posture.
Advantages
They are familiar with the work processes within the organization.
High working efficiency
Able to accurately identify the most problematic points
It makes the audit work more flexible: management can change the audit needs at any time, and the audit team adjusts the audit plan accordingly.
Disadvantages
Their access to information systems is relatively limited
There is the possibility of a conflict of interest that impedes objectivity.
Third-party audit
Advantages
Have audited many different information systems and have rich experience
They are unaware of the dynamics and politics within the target organization and will remain objective and neutral
Disadvantages
High cost
Even with an NDA, the organization still has to commit additional resources to organize the auditors and oversee their work.
Lack of understanding of the inner workings of the organization.
Statement on Auditing Standards (SAS) 70
Focuses specifically on risks related to internal control over financial reporting (ICOFR)
In the past, most organizations using outsourced services required SAS 70 reports, but because these take only a financial perspective, many users began to focus on security, availability, and then privacy;
SOC report
As an alternative to SAS70 reporting, use SOC reporting;
SOC 1 report
In contrast to the SOC 2/SOC 3 reports, the SOC 1 report requires the service provider to describe its system and define the control objectives and controls related to internal control over financial reporting;
SOC1 reports generally do not cover services and controls that are not relevant to user ICOFR reporting.
SOC1 reports began to be used by many service providers for core financial processing services in 2011;
SOC 2/SOC 3 Report
Reports covering design and operating effectiveness over a period of time
The principles and guidelines specifically define security, availability, confidentiality, processing integrity and privacy;
Provide assurance beyond internal control over financial reporting (ICOFR);
Depending on the needs of service providers and their users, a modular approach can be used so that SOC 2/SOC 3 reports cover one or more principles;
If the IT service provider has no impact or has an indirect impact on the user's financial system, the SOC2 report will be used;
SOC3 reports are generally used to inform a wide range of users of their assurance levels without disclosing detailed controls and test results;
Audit Management Control
Account management
Add account
1. New employees should read and sign the Acceptable Use Policy (AUP)
2. Confirm employees' compliance with AUP by auditing employee accounts.
3. Retrieve the list of new employees from the human resources department and compare it with the employee accounts opened in the system by the IT department to ensure the effectiveness of communication between the two departments.
4. The policy should also clarify the account expiration time, password policy, and the scope of information that users can access.
Modify account
Issues with using privileged accounts
1. Commonly, every workstation user account has local administrator rights and server administrators hold domain administrator rights; both practices are risky.
2. The addition, deletion or modification of accounts should be strictly controlled and documented.
3. Implement hierarchical management of administrator account permissions.
4. Use privileged accounts only when necessary, and use restricted accounts for daily maintenance work.
Suspend account
1. Suspend accounts that are no longer in use.
2. Obtain a list of short-term and long-term leavers from the human resources department, compare it with account status in the IT systems, delete the accounts of long-term leavers, and suspend the accounts of short-term leavers.
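The account audit steps above (new hires versus accounts opened, AUP sign-off, privileged-account control, and leavers versus account status) are all the same reconciliation: join the HR roster to the directory accounts and report every mismatch. The script below is an added example, not part of the original mind map; the HR roster, the account list and the approved privileged-account set are constructed sample data, and the field names are assumptions.

```python
"""Reconcile an HR roster against directory accounts (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str          # "active", "leave" (short-term leaver) or "terminated" (long-term leaver)
    aup_signed: bool     # has the employee signed the Acceptable Use Policy?


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]   # None for service or unmapped accounts
    enabled: bool
    privileged: bool             # local/domain administrator rights


# Constructed HR feed: who is employed and in what state.
HR_ROSTER = [
    HrRecord("E001", "active", True),
    HrRecord("E002", "active", False),       # hired, AUP not yet signed
    HrRecord("E003", "leave", True),         # short-term leaver
    HrRecord("E004", "terminated", True),    # long-term leaver
    HrRecord("E005", "active", True),        # new hire, IT has not opened an account
]

# Constructed directory export from the IT department.
ACCOUNTS = [
    Account("alice", "E001", True, False),
    Account("alice.admin", "E001", True, True),   # approved separate admin account
    Account("bob", "E002", True, False),
    Account("carol", "E003", True, False),
    Account("dave", "E004", True, True),          # leaver still enabled, and privileged
    Account("svc_backup", None, True, False),     # no owner in HR
]

# Privileged accounts that went through the documented approval process (assumed list).
APPROVED_PRIVILEGED = {"alice.admin"}


def reconcile(roster, accounts, approved_privileged):
    """Return audit findings grouped by the action the auditor should raise."""
    by_employee = {r.employee_id: r for r in roster}
    findings = {
        "delete": [],                 # long-term leavers with enabled accounts
        "suspend": [],                # short-term leavers with enabled accounts
        "orphan_enabled": [],         # enabled accounts with no HR owner
        "aup_missing": [],            # enabled accounts whose owner never signed the AUP
        "unapproved_privilege": [],   # privileged accounts outside the approved set
        "unprovisioned": [],          # active employees with no account at all
    }
    seen_employees = set()

    for acct in accounts:
        record = by_employee.get(acct.employee_id) if acct.employee_id else None
        if record is None:
            if acct.enabled:
                findings["orphan_enabled"].append(acct.username)
            continue
        seen_employees.add(record.employee_id)
        if acct.enabled and record.status == "terminated":
            findings["delete"].append(acct.username)
        elif acct.enabled and record.status == "leave":
            findings["suspend"].append(acct.username)
        if acct.enabled and not record.aup_signed:
            findings["aup_missing"].append(acct.username)
        if acct.privileged and acct.username not in approved_privileged:
            findings["unapproved_privilege"].append(acct.username)

    # The HR-to-IT communication check: every active employee should have an account.
    for record in roster:
        if record.status == "active" and record.employee_id not in seen_employees:
            findings["unprovisioned"].append(record.employee_id)
    return findings


if __name__ == "__main__":
    for action, items in reconcile(HR_ROSTER, ACCOUNTS, APPROVED_PRIVILEGED).items():
        print(f"{action:22s} {items}")
```

Run against the constructed data, the report flags dave for deletion and as an unapproved privileged account, carol for suspension, bob for a missing AUP signature, svc_backup as an ownerless enabled account, and E005 as a new hire the IT department has not provisioned. The same structure works with a real HR export and a directory dump once the two identifier columns are mapped.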
Backup verification
Data types
User files
Watch for inconsistencies between multiple versions and between files in different backup locations, and for situations that violate data retention policies.
Database
Ensure database backups can be restored to production when needed.
Email data
Because server storage is limited, medium and large emails are often not backed up; email server backups should be coordinated with electronic evidence collection (e-discovery) requirements.
Verification method
Test the state of data backups
Analyze various scenarios of threats that the organization may face
Develop a plan to test all mission-critical data backups in each scenario
Leverage automation to minimize auditor workload and ensure testing occurs regularly
Minimize the impact of the data backup test plan on business processes so that it can be performed regularly
Ensure coverage so that every system is tested, but not necessarily within the same test.
Record results so you know what worked and what needed work
Correct or improve any issues you documented.
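The testing steps above come down to three mechanics: actually restore the data and prove it matches what was backed up, rotate through systems so every one is covered within a cycle without testing all of them at once, and record each result. The following is an added example, not code from the original mind map; the backup sets, manifests and test history are constructed in memory (the "restore" is a dictionary lookup), and the 30-day coverage window and two-systems-per-run limit are assumed parameters.

```python
"""Backup restore verification with coverage rotation (added example, constructed data)."""
import hashlib
from datetime import date


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed backup sets: system -> {path: content}.
BACKUPS = {
    "db-prod": {"/var/lib/db/data.sql": b"CREATE TABLE accounts (id INT);"},
    "fileserver": {"/srv/share/report.docx": b"Q3 report", "/srv/share/budget.xlsx": b"12,34,56"},
    "mail": {"/var/mail/store.mbox": b"From: alice@example.test\n\nhello"},
}

# Manifest recorded at backup time: the hash every restored file must match.
MANIFESTS = {name: {p: sha256(c) for p, c in files.items()} for name, files in BACKUPS.items()}

# Constructed failure mode: the mail backup was silently altered after the manifest was written.
CORRUPTED_STORE = {**BACKUPS, "mail": {"/var/mail/store.mbox": b"From: alice@example.test\n\nhell0"}}


def verify_restore(system, backup_store, manifest):
    """Restore every file in the manifest and compare hashes.

    Returns (ok, problems); problems lists missing or mismatched paths.
    """
    restored = backup_store.get(system, {})
    problems = []
    for path, expected in manifest.items():
        data = restored.get(path)
        if data is None:
            problems.append(f"{path}: missing")
        elif sha256(data) != expected:
            problems.append(f"{path}: hash mismatch")
    return (not problems, problems)


def select_systems_for_run(systems, history, today, max_age_days, per_run):
    """Pick systems with no successful test in the last max_age_days, least recently verified first."""
    def last_success(system):
        dates = [h["date"] for h in history if h["system"] == system and h["ok"]]
        return max(dates) if dates else date.min   # never verified sorts first

    due = [s for s in systems if (today - last_success(s)).days >= max_age_days]
    due.sort(key=last_success)
    return due[:per_run]   # limit per run to keep the impact on business processes small


def run_test_cycle(systems, backup_store, manifests, history, today, per_run=2, max_age_days=30):
    """Run one scheduled test, append each result to history, and return this run's results."""
    results = []
    for system in select_systems_for_run(systems, history, today, max_age_days, per_run):
        ok, problems = verify_restore(system, backup_store, manifests[system])
        entry = {"date": today, "system": system, "ok": ok, "problems": problems}
        history.append(entry)     # the record of what worked and what needs work
        results.append(entry)
    return results


if __name__ == "__main__":
    history = [{"date": date(2024, 1, 10), "system": "db-prod", "ok": True, "problems": []}]
    for entry in run_test_cycle(list(BACKUPS), CORRUPTED_STORE, MANIFESTS, history, date(2024, 2, 1)):
        print(entry)
```

With the seeded history, the February 1 run skips db-prod (verified 22 days earlier), tests fileserver and mail, and records that the mail restore does not match its manifest; a failed system stays due until a later run succeeds, which is what keeps the coverage goal honest.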
Disaster recovery and business continuity
Test and revise business continuity plans
Test type
Checklist Test
Distribute copies of the BCP to managers of each key business unit
Ask them to review the portions of the plan that apply to their department
Structured Walk-Through Test
Serves as a tool for initial testing of the plan, but is not the best way to test it
Objectives
Ensure key personnel from all areas are familiar with the BCP
Confirm the response organization's ability to recover from a disaster according to the plan
Characteristics
Conducted in a conference room; low cost
Simulation Test
Goes further than the tabletop walk-through
Participants select specific event scenarios and apply the BCP to them
Parallel Test
Involves relocating real personnel to alternate sites to establish communications and carry out actual recovery procedures as specified in the DRP
The primary purpose is to determine whether critical systems can be restored at an alternate processing site if personnel apply the procedures specified in the DRP.
Full-Interruption Test
The riskiest test
Simulates as realistic a scenario as possible
Must not be allowed to disrupt business operations
Security training and security awareness training
The difference between security training and security awareness education
Security training is the process of teaching a skill or set of skills that enables people to better perform specific functions.
Security awareness training is the process of exposing people to security issues so that they can recognize them and respond to them better.
Social engineering
In the context of information security, it is the process of manipulating individuals into performing actions that violate security protocols.
Online Safety
Phishing is social engineering carried out through digital communications.
A drive-by download is an automated attack that is triggered simply by visiting a malicious website.
Data protection
culture
Key performance and risk indicators
Key Performance Indicators (KPIs)
Key performance indicators (KPIs) measure how effectively an organization performs a given task at a given time
Key Risk Indicators (KRI)
A measure of the risk inherent in performing a given action or set of actions.
Report
An effective report must be written with a specific audience in mind.
Technical Reports
A technical report should be more than the output of an automated scanning tool or a generic inventory.
Elements of a good audit technical report
Threats
Vulnerabilities
Probability of the vulnerability being exploited
Impact level
Recommendations for improvement
Executive summary
Reports to senior leaders should be concise and easy to understand, focusing on key findings and recommendations
Risk is best described quantitatively, and one way to quantify risk is to express risk in monetary terms.
Common risk measurement methods
Cost approach
The most common calculation method
Income approach
The general formula is that value equals expected (or potential) income divided by the capitalization rate.
Market approach
The market approach is based on determining how many other companies are paying for similar assets in the market.
Management review
A management review is a formal meeting where senior organizational leaders determine whether the management system is effectively achieving its objectives.
Before management review
Management reviews should be held periodically; otherwise risk oversight shifts from proactive to reactive.
The frequency of meetings should also be synchronized with the length of time required to implement the decisions of the previous review.
review input
A key input is the results of relevant audits, both external and internal.
In addition to making the audit report available for review, it is also necessary to produce an executive summary that describes the key findings, the impact on the organization, and recommended changes (if any). Remember to write these summaries in business language.
Another input is a list of problems found during the last review and their rectifications.
Customer feedback
The final input is a suggestion for improvement based on all other inputs.
Management action
Senior leaders consider all inputs, often asking targeted questions, and then decide to approve, reject, or defer the recommendations.
Senior management will decide whether to accept the recommendations in their entirety, accept them with minor changes, reject them, or ask the ISMS team to gather more supporting data or redesign the proposed options.