CISSP®: Security Assessment and Testing

In this course, you build upon the skills learned in previous CISSP domains and learn to put them all to use when validating the effectiveness of your controls.
Course info
Rating: (14)
Level: Intermediate
Updated: Oct 12, 2016
Duration: 2h 3m
Table of contents
Course Overview
Assessment and Testing Strategies
Security Control Effectiveness Testing
Security Process Data Collection
Test Result Analysis
Third-party Assessment
Information Security Continuous Monitoring
Description

Your controls have been selected and implemented, users have been educated, and everything seems to be in order. Even if this is the case, odds are that there are still unidentified risks in your environment. If you want to be certain that your controls are working as intended, you will need to perform risk assessments and penetration testing. The 6th domain of the CISSP CBK addresses this concern with topics such as information assurance, testing strategies including penetration testing, log reviews, and third-party assessment. In this course, CISSP®: Security Assessment and Testing, you build upon the skills learned in previous CISSP domains and learn to put them all to use when validating the effectiveness of your controls. First, you'll learn about security assessment and test strategies. Next, you'll learn about security controls validation, security and related data collection, as well as analyzing test results. Finally, the course will wrap up by covering third-party risk assessments. By the end of this course, you should be familiar with a broad spectrum of topics that are covered within the sixth domain of the CISSP.

About the author

Lee Allen is a penetration tester by trade. Lee has authored four books about penetration testing and has created several Pluralsight courses.

Section Introduction Transcripts

Course Overview
Hello. My name is Lee Allen, and welcome to my course CISSP: Security Assessment and Testing. I am a Certified Information Systems Security Professional currently employed as a cyber exploitation engineer. I have authored three books about penetration testing and am passionate about teaching security-related topics. If you want to be certain that your controls are working as intended, you will need to perform risk assessments and penetration testing. The sixth domain of the CISSP CBK addresses this concern with topics such as information assurance, testing strategies including penetration testing, and third-party assessments. Some of the major topics that we will cover include security assessment and test strategies, validating security controls, collecting security-related data, analyzing test results, and third-party assessments. By the end of this course, you should be familiar with a broad spectrum of topics that are covered within the sixth domain of the CISSP. I hope you'll join me on this journey to learn the foundational security assessment and testing topics within the CISSP: Security Assessment and Testing course at Pluralsight.

Security Control Effectiveness Testing
Organizations are constantly striving to secure their environments. This constantly evolving need is driven by various factors, including regulatory requirements, the high costs associated with security breaches, or the negative reputational impact that may occur if the organization were to be compromised. In this course module, you will learn several techniques that can be used to test the effectiveness of security controls. Security control effectiveness testing provides you with the opportunity to validate that the controls the organization has implemented are actually worth all of the time, money, and effort that has been put into them. This course module begins with an explanation of vulnerability assessment and then moves on to a discussion about penetration testing. This is followed by introductions to various other techniques and concepts that are important, such as synthetic transactions, code review, interface testing, and misuse testing.

Security Process Data Collection
Some organizations expend tremendous effort in securing their environments. In order to ensure that the resources are being used effectively, you will need to continually collect information about your security processes. In this module, we will discuss various topics that assist with determining if processes and security procedures are working as intended. You will start by learning about key performance indicators and how they can be used to speak the same language as leadership. You will also be introduced to concepts such as management review, collecting training and awareness-related metrics, account management, disaster recovery and business continuity concerns in regard to collecting security data, and, last but not least, verifying that your backups are working as intended. So let's not waste any time and jump right in with the review of key performance indicators.

Test Result Analysis
Hi, and welcome to the Test Result Analysis module of Pluralsight's Security Testing and Assessment course. The security industry has reached the point where we have almost too much information. There are so many tools that are generating data that it becomes an exercise of too much data and not enough time. This is especially true for certain areas of expertise, such as threat assessment, vulnerability management, or penetration testing. In order to deal with this information overload, organizations will need to take a measured and well-thought-out approach to how the information from various sources and reports will be consumed. In this module, you will have the opportunity to review how this challenge is faced in certain areas of security testing. You will see how some of the techniques are used when performing vulnerability management and then move on to take a look at how test result analysis is presented when creating penetration testing reports. You will also be presented with an outline of the types of information that are commonly gathered as part of a penetration testing report. So let's get started with a vulnerability assessment results analysis.

Third-party Assessment
For ages, organizations have relied on the services provided by third-party vendors. In addition to this, the prevalence of cloud services is growing at an alarming rate, and organizations are moving their data and even critical infrastructure into the cloud. With this in mind, it is critical that organizations fully understand the risk that is associated with interacting with their third-party vendors. In this course module, you will learn useful third-party assessment techniques that will assist in determining the security impact of dealing with third-party vendors. I will discuss the Statement on Auditing Standards, followed by providing you with a review of what the Statement on Standards for Attestation Engagements No. 16 is and why it is needed. This statement is often referred to as SSAE 16. The module will then be concluded with a listing of areas that should be considered when auditing third parties.

Information Security Continuous Monitoring
Information Security Continuous Monitoring is a necessity in today's security climate. New breaches are reported at an increasing rate, and simply implementing security controls and hoping for the best is just not going to cut it. Continuous monitoring allows organizations to react quickly to changing threat landscapes. Information security continuous monitoring is commonly referred to as ISCM. In this module, we will review the guidelines set within the National Institute of Standards and Technology Special Publication 800-137, which covers everything a security professional would ever need to know about ISCM. You will start by learning about why there is a need for ISCM and the six steps associated with creating an ISCM strategy.