CISSP D6 Slides
Course Agenda (continued)
Domain 6
Security Assessment and Testing
Domain Objectives
1. Name the primary methods for designing and validating test and audit strategies.
2. Choose the appropriate strategy to design and validate test and audit functions that support business requirements.
3. Describe how to maintain logs related to security control testing and prepare logging systems for relevant review and protection.
4. Classify the various security control testing techniques related to application development and delivery.
Domain Objectives (continued)
5. Select the relevant security process data administration that supports testing and assessment related to account management and process approval.
6. Apply the appropriate security control testing techniques for use internally and externally for an organizational system.
7. List the essential elements of training and awareness, and differentiate between them, as aligned with organizational governance, compliance, policy, and capabilities.
8. Recognize relevant procedures to protect sensitive information when utilizing test data.
Domain Objectives (continued)
9. Define the process of a service provider audit.
10. Associate the appropriate use of an audit type based upon the business support requirements.
Domain Agenda
Domain Review
Module 1
Design and Validate Assessment, Test, and Audit Strategies
Module Objectives
Internal
External
Third-Party
Module 2
Security Control Testing
Module Objectives
Vulnerability Testing
Penetration Testing
PHASES:
• Planning (can be overt or covert)
• Discovery
• Attack
• Reporting
Log Reviews
Key Logging Practices
Log Security
Synthetic Transactions
Code Review and Testing
Case: Team Consultation for Critical Incident
INSTRUCTIONS
1. Working in small teams, select one team member to share a critical incident that caused a degradation or disruption in service.
2. The other team members conduct a post mortem of the incident by interviewing that member. The interview should take no more than six minutes.
3. Following the interview, each team member takes three minutes to reflect on what type of testing could have been prescribed to expose the vulnerability that led to the critical incident. Select a methodology from this module and write it down on a sheet of paper.
4. Fold your answer and hand it to the member who shared the incident, then have that member read the answers aloud.
Module 3
Security Process Data
Module Objectives
Account Management
Management Review and Approval
ISO 27001:2013 outlines concerns for management reviews of an information system by stating:
Key Performance and Risk Indicators
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) December 2010 report on How Key Risk Indicators can Sharpen Focus on Emerging Risks states that:
Module 4
Test Output and Generate Report
Module Objectives
Protection of Test Data
Module 5
Conduct or Facilitate Security Audits
Module Objectives
Service Organization Control (SOC) 2
SOC 3
The Trust Services Principles and Criteria are specifically defined for:
• Security
• Availability
• Confidentiality
• Processing integrity
• Privacy
SOC 1
SOC 1 and 2
Type 1: Report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Type 2: Report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
Module 6
Domain Review
Domain Summary
Domain Review Questions
Answer
Domain Review Questions
A. Internal testing
B. Nocturnal testing
C. External testing
D. White-box testing
Answer
Domain Review Questions
A. SOC 2 Type II
B. SOC 2 Type I
C. SOC 1 Type II
D. SOC 1 Type I
Answer
Domain Review Questions
A. SOC 5 Type II
B. SOC 3
C. SOC 5 Type II New Client
D. SOC 5 Type I Existing Client
Answer
Domain Review Questions
Answer
Domain Review Questions
A. SOC 2 Type II
B. SOC 2 Type I
C. SOC 1 Type II
D. SOC 1 Type I
Answer
Domain Review Questions
A. Misuse case
B. Penetration test
C. Use case
D. Vulnerability assessment
Answer
Domain Review Questions
Answer
ISO 27002 states that a backup policy should define retention and protection requirements. None of the other statements are true concerning what is stated in ISO 27002.
Domain Review Questions
Answer
Domain Review Questions
Answer