You are planning for a security assessment project to ensure compliance and security. Vulnerability assessment of information systems and the capability of incident response shall be conducted. Which of the following approaches or methodologies best meets your requirements?
A. Threat Modeling with STRIDE
B. NIST RMF (Risk Management Framework)
C. Open Source Security Testing Methodology Manual (OSSTMM)
D. Risk assessment
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Open Source Security Testing Methodology Manual (OSSTMM).
There are three typical assessment methods used in a security assessment: interviewing, examination, and testing. The requirement of the question, in fact, can be met by a double-blind pentesting. OSSTMM is one of the pentesting methodologies that direct the protesting activities.
There is no consistent definition of methodology and approach. According to the Google dictionary, methodology refers to “a system of methods used in a particular area of study or activity,” and approach is “a way of dealing with a situation or problem.” Generally speaking, the spirit of an approach or methodology lies in the specific or structural way to solve a problem.
Risk assessment typically will not be regarded as a methodology or a specific approach. It can be inconsistently defined. In ISO 31000 or ISO 27005, risk assessment specifically comprises three tasks: risk identification, risk analysis, and risk evaluation. However, risk assessment and risk analysis can be used interchangeably in NIST guidelines. In the CISSP exam outline, the topic is even stated as “risk assessment/risk analysis.”
NIST FARM is a framework that deals with risk at three tiers: organization, missions/business processes, and information systems. RMF addresses risk at the tier of information systems. It’s helpful or directive at a higher level but not specific enough to direct the security assessment or pentesting activities.