Your organization has system administrators that have management control of server systems that contain highly confidential data which is critical to business continuity. What type of test is most appropriate to reveal your risk?
C. Third Party
D. None of the Above
I came across this question posted by Alvin Prina in Luke’s group. I interpret and summarize the question as “Management controls are implemented to protect highly confidential data. What type of test is most appropriate to reveal your risk?” and assume the objective is to reveal risk, part of risk management. I prefer Option A. Internal.
Testing as a Security Assessment Method
Security risk comes from either the vulnerabilities of assets or the ineffectiveness of controls. Security assessments and audits help assess that risk. There are three common security assessment methods: examination, interviewing, and testing. Testing means executing a test case and comparing the actual result with the expected result.
“Internal tests” are conducted by a first party; external tests can be conducted by a second or third party, and a third party is an independent party free from conflicts of interest. Internal stakeholders conduct internal tests; when the internal audit department performs them, they are part of a security audit, specifically a first-party audit.
Internal tests are typically more comprehensive and substantive. Internal assessors understand the management controls better and are more trusted with access to confidential data. By contrast, third-party tests have several limitations:
- Third parties may disclose non-compliant items, which are also treated as risk, but providing assurance is one of their most important objectives.
- Besides, third-party auditors seldom conduct tests; for example, an auditor typically reviews the tape restore log but seldom requires the auditee to perform an actual restore. Penetration tests can be conducted as part of a security assessment, but the question is about “management controls,” so pentesting may not be effective in this case.
- Compared with internal auditors, third-party auditors’ capability to reveal risk may be limited. Even if a third-party auditor signs an NDA, the auditee will disclose as little confidential information as possible.
- Moreover, a third-party auditor is subject to being deceived and then becomes a risk itself (audit risk). As a real example, a CPA traveled to a large Asian country to audit an auditee. The auditee established a fake “bank,” provisioned fake “systems,” hired fake “clerks,” and cooked the “books.” Everything was faked, but it was too challenging for a foreign CPA to notice the “fakeness” during the short auditing period.
NIST SP 800-115
Rakhi proposed a good perspective of internal and external based on NIST SP 800-115, which defines internal/external tests in terms of “Network Perimeter,” e.g., Internet or LAN.
Since the question mentions “management controls” and “third-party,” I think the author’s perspective is on “who conducts the testing.” As a result, “internal tests” in this question are conducted by a first party, external tests can be conducted by a second or third party, and a third party is an independent party free from conflicts of interest. So, in this question, “external” and “internal” are less related to networks and more related to who conducts the tests.