198 7.2 Security Testing
for the assurance and validation provided by effective information security testing. In general, risk increases with system accessibility and the sensitivity of data and processes. For example, a high-risk system is one that is remotely accessible and allows direct access to funds, fund-transfer mechanisms, or sensitive customer data. Information-only Web sites that are not connected to any internal organization system or transaction-capable service are lower-risk systems. Information systems that exhibit high risks should be subject to more frequent and rigorous testing than low-risk systems. Because tests only measure the security posture at one point in time, frequent testing provides increased assurance that the processes in place to maintain security over time are functioning.
7.2.1 Testing Concepts and Application
A wide range of test options for security controls exists today. Some options address only discrete controls, such as password strength. Others address only technical configuration, or may consist of reviews against standards. Some tests are overt studies to locate vulnerabilities. Other tests can be designed to mimic the actions of attackers. In many situations, management may decide to perform a range of tests to give a complete picture of the effectiveness of the organization’s security processes. Management is responsible for selecting and designing tests so the test results, in total, support conclusions about whether the security control objectives are being met.
7.2.2 Testing Risks to Data Integrity, Confidentiality, and Availability
Management is responsible for carefully controlling information security tests to limit the risks to data integrity, confidentiality, and system availability. Because testing may uncover nonpublic customer information, appropriate safeguards to protect the information must be in place. Contracts with third parties to provide testing services should require that the third parties implement appropriate measures to meet the objectives of section 501(b) of the GLBA. Management also is responsible for ensuring that the employees and contract personnel who perform the tests or have access to the test results have passed appropriate background checks, and that contract personnel are appropriately bonded. Because certain tests may pose more risk to system availability than other tests, management is responsible for considering whether to require the personnel performing those tests to