1 - Building a Security Assessment and Testing Program - Coggle Diagram
Security tests
(Verify that a control is functioning properly)
Automated scans
Tool-assisted penetration tests
Manual attempts to undermine security
Security assessments
(comprehensive reviews of the security of a system, application or other tested environment)
Use security testing tools, automated scanning and penetration tests
Also include a review of the threat environment and of current and future risks
Produces a security assessment report
Can be run internally or externally
Standardized by NIST SP 800-53A
Security audits
(A security assessment, but performed by independent auditors)
Internal audits
Performed by an organization's internal audit staff
External audits
Performed by the Big Four accounting firms
Third-party audit
External auditor
SOC audits
Norms
ISAE 3402 (non-US)
SSAE 18 (US)
Used to share the audit report with companies that request third-party audits
Engagements
SOC 1
Assess the organization's controls that might impact the accuracy of financial reporting
SOC 2
Assess the organization's controls that affect the security (CIA) and privacy of information stored in a system. SOC 2 results are confidential and are normally only shared outside the organization under NDA.
SOC 3
Assess the organization's controls that affect the security (CIA) and privacy of information stored in a system. However, SOC 3 audit results are intended for public disclosure.
Report types
Type 1 report
Provides the auditor's opinion on the description provided by management and on the suitability of the design of the controls. It covers only a specific point in time.
Can be seen as a documentation review
Type 2 report
Goes further and provides the auditor's opinion on the operating effectiveness of the controls. Covers an extended period of time (at least 6 months).
Traditional audit: document review plus verification that the controls are working correctly