CISSP: Domain 6 - Security Testing and Assessment - Module 1 Course | Cloud Academy (2023)

Welcome back to the Cloud Academy presentation of the CISSP Exam Preparation Review Seminar. This next module is going to be Domain Six, Security Assessment and Testing. Here we have our Domain Agenda: Design and Validate Assessment and Testing Strategies, Conduct Security Control Testing, Collect Security Process Data, and Conduct or Facilitate Internal and Third-Party Audits. These will be the topics we'll explore as we delve into security assessment and testing.

So the question must be asked, "Why test?" Today there is virtually no business of any size that can operate without a computer. We all pretty much take this for granted. All computers operate using software in the form of operating systems, applications, and of course, the ever-present internet. For every business, a computerized function tracks sales and the entire revenue cycle. For every business, a computerized function tracks costs, payments, and taxes. Thus it should be abundantly clear that a computer is critical to the entire supply chain.

On the more negative side, it is well-known that nearly all software contains flaws of some type, on some level. It is also well-known that hostile actors expend great effort looking for these flaws in order to exploit them. Therefore testing should be conducted to find and fix those flaws before the adversaries find and exploit them. So what we're looking for is increased assurance, both for the operations and for the life cycle of the system.

Operational Assurance focuses on the features and the architecture of the system in question. In the architectural sense, we're looking at architectural and processing integrity, trusted recovery, covert channels, and a host of other architectural features that add to or subtract from the reliability and performance of the system. This requires periodic feature and functionality testing to ensure that correct operations continue to be correct.

Software development and functionality issues will arise at almost every juncture. To ensure that software quality stays high and that flaws are kept to a relative minimum, we have to have consistently performed and documented change management and maintenance processes, so that we are watching out for these things and maintaining them to the highest levels we can obtain.

For life cycle assurance, we're looking to ensure that the system is designed, developed, and maintained with formally controlled standards that enforce protection at each stage in the system's life cycle. This requires that we do periodic security testing and trusted distribution, to ensure that what we build gets to its destination and gets installed in a way that prevents corruption in transit. It means that we have to do configuration management to ensure that the features are what they are supposed to be, and that they continue to function as they are supposed to function. And it means that we have to have change control, more of an evolutionary process that we use to manage the system over its product roadmap and its life cycle.

So we're going to dig into Module One, where we design and validate assessment and test strategies. Security assessment and testing covers a broad range of ongoing and point-in-time testing methods used to determine vulnerabilities and the associated risk. Mature system development life cycles include security testing and assessment as part of the development, operations, and disposition phases of a system's life. The fundamental purpose of test and evaluation is to provide knowledge to assist in managing the risks involved in developing, producing, operating, and sustaining systems and their capabilities.

Testing and evaluation measures progress in both system and capability development. These also provide knowledge of system capabilities and limitations for use in improving system performance, and for optimizing system use in operations. Thus, expertise in these areas must be brought to bear at the beginning of the system life cycle, to provide earlier learning about the strengths and weaknesses of the system under development. The goal is early identification of technical, operational, and system deficiencies, so that appropriate and timely corrective actions can be developed prior to fielding the system.


The creation of test and evaluation strategies involves planning for technology development, and this of course includes risk, evaluating the system design against mission requirements, and identifying where competitive prototyping and other evaluation techniques fit in this process. The content of a test and evaluation strategy is a function of where it is applied in the acquisition or development process, the requirements for the capability to be provided, and the technologies that drive the required capability. A test and evaluation strategy should, therefore, lead to the knowledge required to manage risk, the empirical data required to validate models and simulations, the evaluation of technical performance and system maturity, and a determination of operational effectiveness, suitability, readiness, and survivability.

In the end, the goal of the strategy is to identify, manage, and mitigate risk, which requires identifying the strengths and weaknesses of the system or service being provided to meet the goal of the acquisition or development program. Ideally, the strategy should drive a process that confirms compliance with the Initial Capabilities Document, instead of discovering later that functional performance or non-functional goals are not being met. The discovery of problems late in the test and evaluation phase can have very significant cost impacts as well as substantial operational repercussions.

Now, historically, test and evaluation consisted of testing a single system, an element of that system, or a component, and it was carried out in a serial or sequential manner. Tests would be performed, data would be obtained, and then the system would move to the next test event, often at a new location with a different test environment. Similarly, the evaluations themselves were typically performed in a sequential manner, with determinations of how well the system met its required capabilities established from a combination of test results obtained from multiple sites with differing environments. Confusing, to say the very least. The process was time-consuming and very inefficient, and with the advent of centralized collaboration strategies, it became insufficient to the need. In large measure, this was due to an approach to acquisition and development that did not easily accommodate the incremental addition of capabilities. Creating and maintaining an effective test and evaluation strategy under those conditions would have been difficult, to say the very least.

A test and evaluation strategy is an absolute necessity today because of the addition of capabilities via incremental upgrades, which is now very much the norm, and the shift to a network-centric construct where data is separated from the applications. Data is posted and made available before it is processed. Collaboration is employed to make data understandable, and there is a rich set of network nodes and pathways that provide the required supporting infrastructure. Thus, a properly planned and executed test and evaluation strategy can provide information about risk and risk mitigation, and empirical data to validate the models and simulations, evaluate technical performance and system maturity, and determine whether systems are operationally effective, suitable, and survivable.

So, software development is part of system design. Software, as we know, is what makes all of these things work. And software is only as good as the requirements, the design, the build, and the overall execution of the project. Software requirements are typically derived from the overall system requirements and designed for those aspects of the system that are to be implemented using software. These need to be documented as requirements and specifications that represent the user's needs and the intended uses for which the system itself is being developed.

So how is software different from hardware? A lot of this would seem pretty obvious. Hardware by itself gives us predictable behavior and is fairly simplistic, at least as a machine is thought of. It does wear out, and, as we know, computing hardware in particular becomes obsolete rather quickly. It is superseded on a regular cycle by faster, cheaper versions of itself, and it requires complex manufacturing arrangements. Compared to that, software is not a physical entity, it does not wear out, and its effects and its products change with the speed and ease of the software's development.

Malfunctions, of course, are traceable to errors made during the design and development of the software. Unlike machines, software branches, much as trees do. And seemingly insignificant changes can create unexpected and very significant problems elsewhere.

Now, when we look at the design for our system, both hardware and software have specific performance objectives that they have to meet. In designing our software, we want to imbue it with various properties, and we want to be sure that these particular ones are designed and built into it from the very beginning. We want it to have resistance, which means it has been built to withstand attempts to subvert normal operations within pre-determined design limits. We want it to be robust, that is, to have the strength to function and perform correctly under a range of conditions without complete failure. We want it to have resilience, which means it has the flexibility of functionality such that operations can continue even after an attack or an error's impact. It needs to be recoverable, that is, it has the structure and features that facilitate trusted recovery. It should have the quality of redundancy, with compensating capabilities to ensure continued operation in the event of component failure. And ultimately, building on all of this, it needs to have reliability, that is, it will perform in a manner that reflects the necessary qualities of trust and assurance.

So with all of these points in mind, we're going to develop strategies for assessment and testing, so that we know exactly what to expect from our software and what its limitations are. A proper strategy, correctly executed, should provide us with valuable insight regarding the risk and possible steps to mitigate it. It should provide us with empirical data that will serve to validate the assumptions, the models, and the simulations. It should provide us with evidence of technical performance and operational readiness, and give us indicators of operational effectiveness, suitability, and survivability.


Now, a proper strategy will verify the degree of trust. Trust is defined as all protection mechanisms working together to process sensitive data for all types of users while maintaining the appropriate level of protection. It means that there will be consistent enforcement of policy under all normal operating conditions.

Along with that will be assurance. Assurance is defined as the level of confidence that the system will act in a correct and predictable manner in all normal computing situations, such that known inputs will always produce expected outputs under all the normal operating conditions to be expected.

Now, the role of the systems engineer and the security professional. Working together, these two roles should create or assess the test and evaluation strategies in support of the acquisition and development programs. They should recommend test and evaluation approaches based on their knowledge of what is to be acquired or built. When these plans are put together, they need to be able to evaluate the test plans and procedures, so that they have high confidence that the tests will elucidate the characteristics they're testing for and will produce results showing that the system and its software meet the design specifications. They have to understand the rationale behind the requirements of the acquisition and development programs, so that they can prove the validity of the testing strategy and that the system will meet the requirements.

Now normally, a working group is put together, based on the idea that the more brains and the more eyes you have on the problem, the better and more balanced the outcome will be. The working group should evaluate as a group how to update the test and evaluation strategy if one exists, or how to create one if it doesn't. As a group, they will ensure that the test and evaluation processes are consistent with the acquisition strategy, having a much broader and more complete understanding of that strategy. They will ensure that the user's capability-based operational requirements are being met by the system, and the working group, rather than a single individual, will provide greater visibility, a broader understanding, and less bias when it comes to the tests and the results.

The first of these is verification. Through software testing, whether by static or dynamic analysis, we verify that the software performs as designed and as intended. To do this, software testing is part of the strategy, and that testing will involve static and dynamic analysis. We will look at the code and the documentation being produced, and we will walk through at a functional level and then, where necessary, at the code level, to ensure that everything that should be present is, or to identify the gaps that might be present and organize ways to fill them.

Alongside verification is validation. Validation is not the same as verification; it is a complement to it, because through validation methods we develop a level of confidence that the software or system meets all the requirements and user expectations as intended and, hopefully, as documented.

About the Author

Ross Leo, Instructor

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has maintained his standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.
