Domain 6: Security Assessment and Testing (12%)
6.1 Design and validate assessment, test, and audit strategies
- Internal (e.g., within organization control)
- External (e.g., outside organization control)
- Third-party (e.g., outside of enterprise control)
- Location (e.g., on-premise, cloud, hybrid)
6.2 Conduct security controls testing
- Vulnerability assessment
- Penetration testing (e.g., red, blue, and/or purple team exercises)
- Log reviews
- Synthetic transactions/benchmarks
- Code review and testing
- Misuse case testing
- Coverage analysis
- Interface testing (e.g., user interface, network interface, application programming interface (API))
- Breach attack simulations
- Compliance checks
6.3 Collect security process data (e.g., technical and administrative)
- Account management
- Management review and approval
- Key performance and risk indicators
- Backup verification data
- Training and awareness
- Disaster recovery (DR) and business continuity (BC)
6.4 Analyze test output and generate report
- Remediation
- Exception handling
- Ethical disclosure
6.5 Conduct or facilitate security audits
- Internal (e.g., within organization control)
- External (e.g., outside organization control)
- Third-party (e.g., outside of enterprise control)
- Location (e.g., on-premise, cloud, hybrid)