Control Testing, Evidence, and Reporting for Security and Privacy

This chapter connects protection controls to evaluation and reporting. The core skill is to determine how a control should be tested, what evidence demonstrates operation, and how findings should be documented and monitored.

In This Chapter

• Types of Security Assessments (Vulnerability Scans, Penetration Testing) explains common testing approaches and their purposes.
• Gathering Evidence of Control Operation covers how testers support a conclusion that a control is functioning.
• Remediation Tracking and Ongoing Monitoring addresses how weaknesses are followed through to resolution.
• Documenting Findings in Audit or Advisory Reports explains how deficiencies and conclusions are communicated.

How to Use This Chapter

• Read this chapter when the issue is not what the control is, but how to evaluate it.
• Focus on the link between test procedure, evidence obtained, and conclusion reached.
• Revisit it whenever an ISC question asks how to support or report a control-testing result.

In this section

• Vulnerability Scans, Penetration Tests, and Other Security Assessments
  Vulnerability scans, penetration tests, and other security assessments.
• Evidence of Control Operation and How It Is Gathered
  Evidence of control operation and how it is gathered.
• Remediation Tracking, Re-Testing, and Ongoing Monitoring
  Remediation tracking, re-testing, and ongoing monitoring.
• Documenting Findings in Audit and Advisory Reports
  Documenting findings in audit and advisory reports.