7.2 Security Testing 197
Chapter 7
cess. It is inevitable that these backup and recovery processes will involve additional costs. Critical parts of the business process, such as the IT systems, may require particularly expensive backup strategies to be implemented. Where the costs are significant they should be approved separately, with specific detailed budgets for the establishment costs and the ongoing maintenance costs. This section of the BCP will contain a list of the testing phase activities and a cost for each. It should be noted whenever part of the cost is already incorporated within the organization's overall budgeting process.
7.1.8 Training Core Testing Team for Each Business Unit
For the testing process to proceed smoothly, it is necessary for the core testing team to be trained in the emergency procedures. This is probably best handled in a workshop environment and should be presented by the persons responsible for developing the emergency procedures. Before conducting a test event, it is imperative to conduct training for the core testing team. This testing team should be representative of each business unit. This section of the BCP should contain a list of the core testing team for each of the business units who will be responsible for coordinating and undertaking the business recovery testing process. It is important that clear instructions regarding the simulated conditions be given to the core testing team, and that the team knows that the instructions must be observed.
7.2 Security Testing
Organizations should gain assurance of the adequacy of their risk mitigation strategy and implementation by:

- Basing their testing plan, test selection, and test frequency on the risk posed by potentially non-functioning controls
- Establishing controls to mitigate the risks posed to systems from testing
- Using test results to evaluate whether security objectives are met
Information security is an integrated process that reduces information security risks to acceptable levels. The entire process, including testing, is driven by an assessment of risks. The greater the risk, the greater the need
for the assurance and validation provided by effective information security testing. In general, risk increases with system accessibility and the sensitivity of data and processes. For example, a high-risk system is one that is remotely accessible and allows direct access to funds, fund-transfer mechanisms, or sensitive customer data. Information-only Web sites that are not connected to any internal organization system or transaction-capable service are lower-risk systems. Information systems that exhibit high risks should be subject to more frequent and rigorous testing than low-risk systems. Because tests only measure the security posture at one point in time, frequent testing provides increased assurance that the processes in place to maintain security over time are functioning.
7.2.1 Testing Concepts and Application
A wide range of test options for security controls exists today. Some options address only discrete controls, such as password strength. Others address only technical configuration, or may consist of reviews against standards. Some tests are overt studies to locate vulnerabilities. Other tests can be designed to mimic the actions of attackers. In many situations, management may decide to perform a range of tests to give a complete picture of the effectiveness of the organization's security processes. Management is responsible for selecting and designing tests so that the test results, in total, support conclusions about whether the security control objectives are being met.
7.2.2 Testing Risks to Data Integrity, Confidentiality, and Availability
Management is responsible for carefully controlling information security tests to limit the risks to data integrity, confidentiality, and system availability. Because testing may uncover nonpublic customer information, appropriate safeguards to protect the information must be in place. Contracts with third parties to provide testing services should require that the third parties implement appropriate measures to meet the objectives of section 501(b) of the GLBA. Management also is responsible for ensuring that the employees and contract personnel who perform the tests or have access to the test results have passed appropriate background checks, and that contract personnel are appropriately bonded. Because certain tests may pose more risk to system availability than other tests, management is responsible for considering whether to require the personnel performing those tests to