Focuses on a service organization's controls that are relevant to its customers' (the user entities') internal control over financial reporting. Restricted-use report: intended for the user entities' management and their financial-statement auditors, not for general distribution.
System and Organization Controls 1 (SOC1)
Assesses the organization's controls over the security (confidentiality, integrity, availability) and privacy of information stored and processed in a system, measured against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). Results are confidential and normally shared outside the organization only under NDA.
System and Organization Controls 2 (SOC2)
Assesses the same controls over security (confidentiality, integrity, availability) and privacy as SOC 2, but the report is a general-use summary intended for public disclosure; it states the auditor's opinion without the detailed description of controls and test results found in a SOC 2 report.
System and Organization Controls 3 (SOC3)
Reports give the auditor's opinion on the description of the system provided by management and on the suitability of the design of the controls, as of a specific point in time. They do not test whether the controls actually operated, so a Type I can be thought of as a documentation review.
SOC Type I Reports
Reports go further and also give the auditor's opinion on the operating effectiveness of the controls: the auditor confirms that the controls actually functioned as described throughout a review period, commonly at least six months. This is closer to a traditional audit because control operation is verified, not just control design.
SOC Type II Reports
Provides the testers with detailed information about the target system, such as IP addresses, network architecture, and software and system version numbers (sometimes source code). This allows more complete test coverage in the time available and simulates an insider threat.
White/Crystal Box Testing
Some information (for example, user-level credentials or a network diagram) is provided to the testers, who are also charged with discovering the rest themselves.
Gray Box Testing
Provides the testers with no information prior to the engagement. Simulates an external attacker who must first discover the business and technical environment before attacking; the most realistic view of an outsider's position, but slower, and areas the testers never find go untested.
Black Box Testing
Specifies the requirements for bodies that audit and certify information security management systems (ISMS). It governs the certification bodies themselves; the requirements for the ISMS being certified are in ISO/IEC 27001.
ISO/IEC 27006
Pen Testing Phases
Gather information regarding the target(s)
Discovery or Reconnaissance
Utilize gathered information to probe for vulnerabilities and identify entry points
Scanning and Probing
Utilize approved methods to exploit vulnerabilities and attempt to gain access
Exploitation
Continue the attack using the access already gained: attempt further exploits from the compromised position, such as escalating privileges and reaching additional systems
Post Exploitation
Document and present a report on the actions taken, the exploits achieved (with supporting evidence), and suggested remediations
Reporting
Tool used to scan a network or system against a list of predefined, known vulnerabilities such as system misconfigurations, outdated software, or missing patches. Unlike a penetration test it identifies weaknesses without exploiting them, and its findings can include false positives that must be verified
Vulnerability Scanning
Vulnerability Lifecycle
Performed by the organization’s internal audit staff where the goal is to assess internal controls, identify areas for improvement, ensure compliance with internal policies
Internal Audit
Performed by someone outside the organization, where the goal is to provide an independent assessment of compliance with corporate policies and/or regulatory standards.
External Audit
Performed by an independent outside auditing firm, typically at the request of another party such as a customer, partner, or regulator, where the goal is to ensure compliance with that party's specific requirements and assess performance against external standards
Third-Party Audit
Provides a naming system for publicly known security vulnerabilities: each gets a unique identifier of the form CVE-YYYY-NNNN (year of assignment, then a sequence number of four or more digits), so that scanners, vendors, and advisories all refer to the same issue consistently
Common Vulnerabilities and Exposures (CVE)
Provides a standardized scoring system for rating the severity of a security vulnerability on a 0.0 to 10.0 scale, derived from characteristics such as attack vector, attack complexity, privileges required, user interaction, and impact on confidentiality, integrity, and availability. The numeric score maps to a qualitative rating (None, Low, Medium, High, Critical).
Common Vulnerability Scoring System (CVSS)
Automated, repeatable simulated attacks that imitate real-world adversary tactics and techniques, run to discover weaknesses before a threat actor finds them and to assess the organization's ability to detect, respond to, and remediate real attacks. Where a penetration test or red-team exercise is a periodic engagement by ethical hackers, BAS platforms run scripted attack scenarios continuously, and their results give security teams hands-on practice in countering the threats they model.
Breach Attack Simulations (BAS)
A common standard used by auditors performing attestation assessments of service organizations. Its intent is to let the service organization undergo one independent assessment and share the resulting report with current and prospective customers, instead of each customer performing its own third-party assessment. SOC 1 and SOC 2 reports are issued under it. Example: cloud providers
Statement on Standards for Attestation Engagements No. 18 (SSAE 18)