Security Testing
Security Assessments: protecting the organization against cyberattacks is a critical part of achieving the goal of internal control
How to:
•follow the established risk management framework
•assess and respond to threats on a continuous basis
Risk Management Framework: outlines a comprehensive process to manage risk by applying the following four components.
How to: FARM
•establish a risk framework: defines the environment in which risk-based decisions are made, forming a strategy that helps the company identify its assumptions, constraints, and risk tolerance.
•assess risk: identifies threats and vulnerabilities, and the likelihood and impact of the harm they could cause
•respond to risk: DEAR
Develop alternative courses of action
Evaluate the alternatives
Appropriate response selected
Risk response implemented
•monitor risk: track the effectiveness of the responses and any changes to the systems and their environment on an ongoing basis
managing risk in an organization requires intricate planning and participation at all levels, from senior management to frontline employees. NIST provides such a framework (SP 800-39).
Engagements and reporting: address the second component (assess risk) by performing a risk assessment and testing controls, resulting in a Security Assessment Report to management
•outlined in NIST (SP 800-53A)
how to:
•define assessment procedures
Assessment methods: examination, interviewing, and testing
•support the assessment methods by identifying the tools, techniques and methodologies needed to assess risk, and by documenting the assessment assumptions and constraints, roles and responsibilities, data collection and processing methods, communication methods, how the assessment is conducted, and how frequently
Security Assessment Reports: issued as evidence of controls complying, or not complying with stated security goals and objectives. Findings, recommendations, identified vulnerabilities.
•outlined in NIST
Contains
•determination statements: made throughout the report, each assigning a grade of "S" (satisfied) or "O" (other than satisfied) to a control
•summary of findings: introductory portion with synopsis of key findings and recommended actions
•system overview: outlines the information management system being assessed
•assessment methodology: explains the techniques and procedures utilized to perform the assessment
•Security assessment findings: discusses the gaps and deficiencies discovered during the assessment
•recommendations
•action plan: final section; a roadmap of the steps to be taken
Security Assessment evaluators: provide a level of assurance in line with the AICPA Service Organization Control (SOC) reporting
done by system auditors, developers, assessors, owners, integrators, and inspectors.
How to:
•consider the quality and maturity of the company's risk management process and tailor the assessment accordingly, per NIST
•results help identify deficiencies and responses, and allow better prioritizing, monitoring and budgeting
Security Assessment evidence: comes from current or previous assessments, system development documentation and artifacts, and operational activities
product and system assessments are examinations, often conducted by a third party, that evaluate the security functions and their configuration settings.
Communication of security knowledge and awareness
it is critical that everyone is on the same page, and the only way to achieve this is training on a regular basis, at all stages of an employee's tenure, and tailored to the job role. Training is usually either mandated or encouraged.
Effect: minimizes cyber risk and damages
Types of training: on management, specialized IT personnel, and all other employees.
•fully outsourced
•in house
•combo
Methods of training:
•individual or group session
•live or on demand, in person or remote
May include:
•quizzes, examinations, simulations
Must have: adequate documentation of course planning and delivery methods, for consistency and evaluation purposes.
Organizational job role specific to security awareness:
•management: designs and evaluates security awareness programs or coordinates with third party vendors hired to develop and or perform the security awareness training
•specialized IT personnel: carry out the policies set forth in security awareness programs
•all other employee: follows security procedures based on their specific job roles
Successful awareness programs:
•phishing simulations: results summarized with metrics and analyzed over time to evaluate employee awareness (the rates below are not mutually exclusive; an employee who clicks and then reports counts in both)
click rate: percentage of targeted employees who clicked the phishing email link
reclick rate: percentage of employees who failed the first campaign (clicked) and clicked again in the next one
report rate: percentage of targeted employees who reported the email
no response rate: percentage of targeted employees who ignored the email and took no action at all
reply rate: percentage of targeted employees who replied to the email
•program supporters and champions: leadership backing for the effort of implementing the security program is often needed. Measured by:
employee consultations of champions and how often they are utilized
security behaviors with and without champions
champion density vs security behaviors: measures the degree of correlation (linear relationship) between champion activity and density across departments and their security behavior
•regular employee engagement
percentage of employees who completed training
average time taken
referral
questions from training
follow up after training
social media feedback
•metrics to measure program success, such as the amount of money and resources spent and the corrective action plan for any deficiency discovered.
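Worked example of the phishing-simulation metrics listed above (click, reclick, report, no-response and reply rates), added here and not part of the original notes. The two campaigns, the employee identifiers and the action names ("clicked", "reported", "replied") are constructed for illustration; a real platform's export would be mapped into the same per-employee action sets first. The reclick rate is computed against the employees who clicked in the previous campaign, not the whole population, and the rates are deliberately not forced to sum to 1 because one employee can both click and report.

```python
"""Phishing-simulation awareness metrics.

Added example (not from the original notes). Each campaign maps an
employee identifier to the set of actions recorded for the simulated
email; an empty set means the employee never interacted with it.
All data below is constructed.
"""
from typing import Dict, Optional, Set

# Assumed action vocabulary; anything else is treated as a data error.
ACTIONS = {"clicked", "reported", "replied"}

Campaign = Dict[str, Set[str]]


def _rate(numerator: int, denominator: int) -> float:
    """Share of a population, as a fraction of 1; 0.0 for an empty population."""
    return numerator / denominator if denominator else 0.0


def campaign_metrics(campaign: Campaign,
                     previous: Optional[Campaign] = None) -> Dict[str, Optional[float]]:
    """Compute the rates from the notes for one campaign.

    Rates are not mutually exclusive: an employee who clicked and then
    reported counts in both click_rate and report_rate, so the rates need
    not sum to 1. no_response_rate counts only employees with no action
    at all. reclick_rate is relative to the employees who clicked in
    `previous`, and is None when there is no previous campaign.
    """
    for employee, actions in campaign.items():
        unknown = actions - ACTIONS
        if unknown:
            raise ValueError(f"{employee}: unknown action(s) {sorted(unknown)}")

    total = len(campaign)
    clicked = {e for e, a in campaign.items() if "clicked" in a}
    reported = {e for e, a in campaign.items() if "reported" in a}
    replied = {e for e, a in campaign.items() if "replied" in a}
    no_response = {e for e, a in campaign.items() if not a}

    metrics: Dict[str, Optional[float]] = {
        "click_rate": _rate(len(clicked), total),
        "report_rate": _rate(len(reported), total),
        "reply_rate": _rate(len(replied), total),
        "no_response_rate": _rate(len(no_response), total),
        "reclick_rate": None,
    }
    if previous is not None:
        failed_before = {e for e, a in previous.items() if "clicked" in a}
        metrics["reclick_rate"] = _rate(len(failed_before & clicked), len(failed_before))
    return metrics


def repeat_clickers(previous: Campaign, current: Campaign) -> Set[str]:
    """Employees who clicked in both campaigns: the follow-up training list."""
    return {e for e, a in previous.items() if "clicked" in a} & \
           {e for e, a in current.items() if "clicked" in a}


def trend(before: Dict[str, Optional[float]],
          after: Dict[str, Optional[float]]) -> Dict[str, float]:
    """Change in each rate between two campaigns (positive = the rate went up)."""
    return {k: after[k] - before[k]  # type: ignore[operator]
            for k in before if before[k] is not None and after[k] is not None}


# Constructed campaign results for ten employees.
CAMPAIGN_1: Campaign = {
    "e01": {"clicked"}, "e02": {"clicked", "reported"}, "e03": {"reported"},
    "e04": {"replied"}, "e05": set(), "e06": set(), "e07": {"clicked", "replied"},
    "e08": {"reported"}, "e09": set(), "e10": {"clicked"},
}
CAMPAIGN_2: Campaign = {
    "e01": {"clicked"}, "e02": {"reported"}, "e03": {"reported"}, "e04": set(),
    "e05": {"reported"}, "e06": set(), "e07": {"clicked"}, "e08": {"reported"},
    "e09": {"clicked"}, "e10": {"reported"},
}

if __name__ == "__main__":
    first = campaign_metrics(CAMPAIGN_1)
    second = campaign_metrics(CAMPAIGN_2, previous=CAMPAIGN_1)
    for name, rates in (("campaign 1", first), ("campaign 2", second)):
        print(name, {k: (None if v is None else f"{v:.0%}") for k, v in rates.items()})
    print("trend:", {k: f"{v:+.0%}" for k, v in trend(first, second).items()})
    print("follow-up training:", sorted(repeat_clickers(CAMPAIGN_1, CAMPAIGN_2)))
```

The separate denominator for the reclick rate is the detail that most often gets reported wrongly: dividing repeat clicks by the whole population understates how sticky the behaviour is among the employees who already failed once.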
