tool-assisted penetration tests, and manual attempts to undermine security. Security testing should take place on a
regular schedule, with attention paid to each of the key security controls protecting an organization.
2. Security Assessments: Comprehensive reviews of the security of a system, application, or other tested
environment. During a security assessment, a trained information security professional performs a risk assessment
that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for
remediation, as needed. The output is normally an assessment report addressed to management, not an attestation
intended for a third party.
3. NIST SP 800-53A: Assessing Security and Privacy Controls in Federal Information Systems and Organizations:
Building Effective Assessment Plans (the Rev. 4 title; Rev. 5 drops "Federal"). It supplies the assessment
procedures for the controls catalogued in NIST SP 800-53.
4. Security Audits: Use many of the same techniques followed during security assessments but must be
performed by independent auditors. Audits are performed with the purpose of demonstrating the effectiveness of
controls to a third party. Auditors provide an impartial, unbiased view of the organization's security controls.
5. Internal Audits: Performed by an organization's internal audit staff and typically intended for internal
audiences such as management, the board, or the audit committee.
6. External Audits: Performed by an outside auditing firm. These audits have a high degree of
external validity because the auditors performing the assessment theoretically have no conflict of interest with
the organization itself. Audits performed by these firms are generally considered acceptable by most investors and
governing body members.
7. SSAE 18: Statement on Standards for Attestation Engagements No. 18, issued by the AICPA. It superseded SSAE 16
(Reporting on Controls at a Service Organization) and provides a common standard to be used by auditors performing
assessments of service organizations, with the intent of allowing the organization to undergo one external
assessment instead of multiple third-party assessments and then share the resulting report with customers and
potential customers. Outside the United States, similar engagements are conducted under International Standard on
Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization.
8. Service Organization Controls (SOC) Audits: SSAE 18 and ISAE 3402 engagements are commonly referred to as
service organization controls (SOC) audits (the AICPA now expands SOC as System and Organization Controls), and
they come in three forms:
SOC 1 Engagements
SOC 2 Engagements
SOC 3 Engagements
9. SOC 1 Engagements: Assess the organization's controls that might impact the accuracy of the customer's
financial reporting (internal control over financial reporting).
10. SOC 2 Engagements: Assess the organization's controls that affect the security, availability, processing
integrity, confidentiality, and privacy of information stored in a system (the AICPA Trust Services Criteria).
SOC 2 reports are confidential and are normally only shared outside the organization under an NDA.
11. SOC 3 Engagements: Assess the same Trust Services Criteria as SOC 2, but SOC 3 reports are general-use
reports intended for public disclosure; they carry the auditor's opinion without the detailed control descriptions
and test results found in a SOC 2 report.
12. Type I Report: Provides the auditor's opinion on the description provided by management and the suitability of
the design of the controls. Covers a specific point in time.
13. Type II Report: Provides the auditor's opinion on the operating effectiveness of the controls as well as their
design. Covers an extended period of time, commonly six to twelve months.
14. Control Objectives for Information and Related Technologies (COBIT): A governance and management framework
for enterprise IT that describes the common requirements organizations should have in place surrounding their
information systems. The COBIT framework is maintained by ISACA.
15. International Organization for Standardization (ISO): Publishes a set of standards for
information security, the ISO/IEC 27000 family, jointly with the IEC.
16. ISO 27001: The ISO/IEC 27001 standard specifies the requirements for establishing, implementing, maintaining,
and continually improving an information security management system (ISMS). It is the standard against which
organizations can be certified.
17. ISO 27002: The ISO/IEC 27002 standard is a code of practice for information security controls, with hundreds
of potential controls and control mechanisms. The standard is intended to provide a guide for the development of
"organizational security standards and effective security management practices and to help build confidence in
inter-organizational activities". Organizations are not certified against 27002; it supports a 27001 certification.
18. Vulnerabilities: Weaknesses in systems and security controls that might be exploited by a threat.
19. Security Content Automation Protocol (SCAP): A NIST suite of specifications (NIST SP 800-126) that
standardizes the formats and naming used by security tools so that vulnerability scanning and configuration
checking can be automated and results compared across products. Its component specifications include CVE, CVSS,
CCE, CPE, XCCDF, and OVAL.
20. Common Vulnerabilities and Exposures (CVE): Provides a naming system for describing publicly known
security vulnerabilities; identifiers take the form CVE-YYYY-NNNN and the list is maintained by MITRE.
21. Common Vulnerability Scoring System (CVSS): Provides a standardized scoring system (0.0 to 10.0, maintained by
FIRST) for describing the severity of security vulnerabilities; the base score is computed from a vector of
exploitability and impact metrics and mapped to a qualitative rating (None, Low, Medium, High, Critical).
22. Common Configuration Enumeration (CCE): Provides a naming system for system configuration
issues.
23. Common Platform Enumeration (CPE): Provides a naming system for operating systems, applications,
and devices.