Domain 1, Security and Risk Management, and Domain 6, Security Assessment and Testing, are the two CISSP domains that focus on security assessment and testing. According to ISC2, the Security and Risk Management domain carries a 16% weight on the exam and the Security Assessment and Testing domain is worth 11%, so between them security assessment and testing represents 27% of the test. To prepare for these two domains it is imperative to understand the security assessment program.
The three major components of a security assessment program are:
The security test
The security assessment
The security audit
The Security Test
The security test assesses the security posture of a system by verifying that the implemented controls work as intended; its overall purpose is to identify flaws in the security mechanisms of the system infrastructure. The system owners and security testers start from the security requirements in order to decide which controls to test. During a security test, automated tools such as Nessus (a vulnerability scanner) and Wireshark (a packet analyzer) can be used, penetration tests can be executed, or other manual assessment attempts can be made. Automated tools only find the weaknesses that can be inferred logically from what they observe (open ports, version banners, configuration values), so they will not evaluate every control, and they also tend to report false positives. Testers therefore need to write manual test procedures for the remaining controls and to verify scanner findings before they go into the report. Along with the security requirements, the system owners and testers also need to consider anything that affects the scheduling or timing of the tests. Security testing can place a heavy load on the system and its resources, so it should not be performed during periods of high usage. Questions they should ask include:
When are the testing resources available?
What is the criticality of the system and its components?
When is the system in use?
When does the test need to be completed to fulfill compliance needs?
These questions need to be asked and answered so that testing is not performed while the system is in high demand or is needed to perform critical functions. Scheduling also has to account for reporting: a security test is not finished when the scans and manual checks are done, and compiling the report can take days, weeks or even months depending on the number of findings and the size of the system.
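As an added illustration of the planning steps above (example code written for this article, not from the original page or from any scanning product), the following Python script reconciles a constructed list of required controls against the controls a scanner can exercise, sends banner-only scanner findings to manual verification because those are the usual false-positive source, and picks a test window that stays outside a constructed peak-usage schedule and still finishes before the compliance deadline. The control identifiers, plugin names, findings and peak hours are all assumptions made for the example.

```python
"""Security test planning helper.

Added example written for this article (not code from the original page or
from any scanning tool). Control IDs, scanner plugin names, the findings and
the peak-usage schedule below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed security requirements: control id -> what must be true.
REQUIRED_CONTROLS = {
    "AC-1": "only approved administrator accounts hold root on the bastion host",
    "SC-8": "public web listener accepts TLS 1.2+ with strong cipher suites only",
    "IR-1": "an incident response plan exists and staff know their roles in it",
    "CM-1": "web tier has no packages with unpatched known vulnerabilities",
}

# Constructed map of which controls an automated scanner plugin can exercise.
# Any required control missing here cannot be evaluated automatically and
# needs a manual test procedure written for it.
SCANNER_COVERAGE = {
    "SC-8": "tls_cipher_check",
    "CM-1": "missing_patch_check",
}


@dataclass(frozen=True)
class Finding:
    control: str
    plugin: str
    method: str   # "active": scanner exercised the weakness; "banner": inferred from a version string
    detail: str


# Constructed scanner output for the example run.
FINDINGS = [
    Finding("CM-1", "missing_patch_check", "banner",
            "service banner reports a version older than the fixed release"),
    Finding("SC-8", "tls_cipher_check", "active",
            "server negotiated a 3DES cipher suite during the handshake"),
]

# Constructed peak-usage schedule: Monday to Friday, 08:00 to 17:59 local time.
PEAK_HOURS = range(8, 18)


def plan_tests(required, coverage):
    """Split required controls into scanner-covered and manual-only lists."""
    automated = sorted(c for c in required if c in coverage)
    manual = sorted(c for c in required if c not in coverage)
    return automated, manual


def triage(findings):
    """Separate findings the scanner demonstrated from ones it only inferred.

    Banner-based detections are a classic false-positive source: a distribution
    that backports a fix keeps the old version string, so such a finding must be
    confirmed by hand before it is reported.
    """
    confirmed = [f for f in findings if f.method == "active"]
    verify_manually = [f for f in findings if f.method != "active"]
    return confirmed, verify_manually


def in_peak(moment):
    """True if the given hour falls inside the constructed peak-usage window."""
    return moment.weekday() < 5 and moment.hour in PEAK_HOURS


def pick_window(earliest_iso, deadline_iso, hours_needed):
    """Earliest ISO-8601 start at which a run of hours_needed hours stays
    entirely outside peak usage and still ends by the deadline, else None."""
    start = datetime.fromisoformat(earliest_iso)
    deadline = datetime.fromisoformat(deadline_iso)
    while start + timedelta(hours=hours_needed) <= deadline:
        hours = (start + timedelta(hours=i) for i in range(hours_needed))
        if not any(in_peak(h) for h in hours):
            return start.isoformat()
        start += timedelta(hours=1)
    return None


if __name__ == "__main__":
    automated, manual = plan_tests(REQUIRED_CONTROLS, SCANNER_COVERAGE)
    print("automated:", automated)
    print("manual procedures needed:", manual)
    confirmed, verify_manually = triage(FINDINGS)
    print("confirmed:", [f.control for f in confirmed])
    print("verify before reporting:", [f.control for f in verify_manually])
    # Monday 09:00 earliest, Friday 00:00 deadline, four-hour run.
    print("test window starts:", pick_window("2024-03-04T09:00", "2024-03-08T00:00", 4))
```

The two controls without a scanner plugin (the root-account restriction and the incident response plan) come out as manual work, the banner-only patch finding is held back for verification, and the four-hour run is pushed from Monday morning to 18:00 the same day, the first slot clear of peak hours.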
The Security Assessment
The security assessment is, in effect, a risk assessment: a review that identifies the system's vulnerabilities and the threats that could exploit them, and that recommends ways to remediate them. Security assessments focus on vulnerabilities and their potential impact. Three methods are used to perform a security assessment:
The reviewing method is the most passive of the three. It consists of a review of the policies, procedures and other documentation in place to identify potential vulnerabilities.
The examination method is more technical than the reviewing method: it is a hands-on review of the infrastructure itself. Firewalls, routers, iptables rule sets, IDSs and monitoring software are all examples of items that will be examined. Information gathered during the reviewing method often comes in handy here, because the examiner can compare what the documented policy says with what is actually configured.
The testing method performs security tests to identify vulnerabilities and suggest appropriate countermeasures.
The Security Audit
The security audit is the evaluation process. It is normally performed by an outside organization and is used to confirm that security controls are actually implemented and working as expected; the auditor's independence from the system owner is what gives the result its weight. The audit is normally a manual assessment of the security controls.
For the security assessment portion of the exam, it is also beneficial to understand the C-I-A triad and the security control categories.
The C-I-A triad is the confidentiality, integrity and availability triad. Confidentiality represents the efforts to protect information from unintended exposure. Integrity ensures that the information maintains its accuracy for its lifetime; when the information is in transit, integrity means that it was not altered by a man-in-the-middle attack. Availability refers to the processes used to ensure that information is available when needed. In the field of cybersecurity, most actions are taken to protect one or more of the three areas of the triad.
Security controls are no exception. There are seven categories of security controls; their definitions are:
Corrective Controls – used to repair damage and restore normal operation after a security incident, limiting its impact.
Detective Controls – used to identify security incidents in progress or after the fact, such as an IDS alert or a log review.
Legal/regulatory or compliance controls – controls required by laws, regulations or contractual obligations, and the policies that implement them.
Preventive Controls – implemented to prevent security incidents or violations, like a security breach, from happening.
Physical Controls – tangible items to enforce security, like fences, locks, doors, etc.
Procedural Controls – managerial or administrative processes, such as security awareness training or the incident response plan.
Technical Controls – logical controls implemented in hardware or software, like logical access controls, firewalls and authentication.
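To make the integrity-in-transit point from the triad discussion concrete, here is an added example (written for this article, not taken from the original page) using only Python's standard library: an unkeyed checksum lets a man-in-the-middle alter a message and simply recompute the checksum, while a keyed HMAC, a technical control, lets the receiver detect the alteration. The message contents and the shared key are constructed values.

```python
"""Integrity in transit: unkeyed checksum versus keyed HMAC.

Added example written for this article (not from the original page). The
original message, the tampered message and the shared key are constructed.
"""
import hashlib
import hmac
import secrets


def plain_checksum(message: bytes) -> str:
    """Unkeyed SHA-256: catches accidental corruption, not deliberate changes."""
    return hashlib.sha256(message).hexdigest()


def make_mac(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag; only a holder of the shared key can compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(make_mac(key, message), tag)


def mitm_checksum(tampered: bytes):
    """Attacker rewrites the message and recomputes the unkeyed checksum."""
    return tampered, plain_checksum(tampered)


def mitm_mac(tampered: bytes, old_tag: str):
    """Attacker has no key, so the best it can do is forward the original tag."""
    return tampered, old_tag


def run_demo(key=None):
    """Return (checksum_accepted, mac_accepted, genuine_accepted) for one exchange."""
    key = key or secrets.token_bytes(32)       # constructed shared key
    original = b"transfer 100 to account 42"   # constructed message
    tampered = b"transfer 900 to account 99"   # constructed attacker rewrite

    # 1. Unkeyed checksum: the receiver recomputes it and it matches the attacker's value.
    msg, chk = mitm_checksum(tampered)
    checksum_accepted = plain_checksum(msg) == chk

    # 2. Keyed MAC: the receiver recomputes with the key; the forwarded tag no longer matches.
    msg, tag = mitm_mac(tampered, make_mac(key, original))
    mac_accepted = verify_mac(key, msg, tag)

    # 3. The untampered message with the correct key still verifies.
    genuine_accepted = verify_mac(key, original, make_mac(key, original))
    return checksum_accepted, mac_accepted, genuine_accepted


if __name__ == "__main__":
    print(run_demo())
```

The checksum case returns accepted, the MAC case returns rejected, and the genuine message returns accepted. Two caveats a practitioner should keep in mind: the key has to reach both parties out of band (or be negotiated, as TLS does per session), and a MAC provides integrity and origin authentication only; it does nothing for confidentiality, which is a separate leg of the triad.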
Make sure you have a strong understanding of all of these elements before attempting the exam. To give you an example of the types of questions that may be asked, there are two samples below.
An example of a risk management question is:
Sarah is the system administrator of XYZ organization. She has been instructed to install a new firewall within the network. What control category does this describe?
Another example question:
After performing a risk assessment, XYZ decided to implement a new IDS to try to avoid potential breaches. What type of risk management strategy is this?
These two examples are similar to questions on the test. If you struggled to answer them, review the study material that relates to the two domains. Once you have mastered the information, the best approach is to take practice exams and answer multiple example questions daily. The tricky part of the CISSP exam is not just knowing the information, but understanding the way in which questions are asked.