Domain 6 — Security Assessment and Testing
Real User Monitoring or RUM captures all transactions of all users of a website or application. Also called End-User Experience Monitoring.
Synthetic Performance Monitoring or Proactive Monitoring uses external agents running scripted transactions. It's meant to simulate typical uesrs.
Website Monitoring uses simulated transactions to perform HTTP requests to test availability and performance. These can specialize in database transactions or TCP port availability.
Dynamic versus Static Testing
Dynamic testing runs the system under test.
Static testing analyzes the system without running it.
KPI vs KRI
Key Performance Indicators or KPI are about past events.
Key Risk Indicators or KRI are about the possibility or probability of risk in the future.
DR vs BC
Business Continuity tries to prevent the outage, or mitigate impact.
Disaster Recovert tries to rapidly return to a pre-disaster state.
SOC (formerly SAS 70, now SSAE) = auditing reports
Type 1 is a snapshot, on the day the auditors looked at it.
Type 2 describes how well it worked over 6 or 12 months.
SOC 1 = mainly for financial auditors and investors
- SOC 1 Type 1 report = auditor's opinion on accuracy and completeness of management's description of the system or service, as well as suitability of the design of controls on that day.
- SOC 1 Type 2 report = Type 1 plus audit of effectiveness of those controls over a declared period (typically 6 or 12 months)
SOC 2 =
report for IT staff, regulators, and
business partners, all of whom should have sufficient
knowledge to use the details,
addressing any of the five Trust Services:
- Security (mostly access control)
- Processing Integrity (complete, accurate, timely, authorized)
- SOC 3 = just a summary report of SOC 2, pass or fail, for current or potential customers