Security Assessment, Audit, and Testing


Security Assessment

NIST CSRC Glossary

A security assessment is the testing and/or evaluation of the management, operational, and technical security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.

NIST SP 800-115

An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives.

Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing.

  • Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors.
  • Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
  • Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence.

Assessment results are used to support the determination of security control effectiveness over time.

Security Audit

A security assessment can be conducted through three common methods: examination, interviewing, and testing. A security audit is one form of security assessment; what distinguishes it is the independence (often the externality) of the assessor from the object being assessed. Security testing is just one of the three assessment methods. The CISSP exam outline does not categorize them systematically: it emphasizes testing, introduces some review techniques (which fall under examination), and omits interview techniques altogether.

An external audit can be divided into two categories: 2nd-party and 3rd-party. A 2nd-party audit is typically one in which a customer exercises the audit rights written into a contract over a supplier in its supply chain; the two parties have a direct business interest in each other. A 3rd-party audit is conducted by an independent auditor with no such interest, e.g. SGS, BSI, or the Big Four. The official Sybex study guide treats an external audit as a 3rd-party audit.

An internal audit (1st-party audit) is typically conducted by an independent internal audit department, which may be overseen by the audit committee of the board of directors. If you hire a friend, perhaps as a consultant, to conduct a security assessment for you, the result is a security assessment, but we would not call it an audit, because the assessor lacks independence.

