After an organization has selected security control, it must determine whether a control is effective and efficient. Since controls cover a wide range of types, such as administrative controls, technical controls, and others, testing methods must be chosen that are suited to each control, and some controls may require multiple types of testing to fully validate them.
As an example of a process and technical control, if an organization is using the ISO 27002:13 standard, they might review 8.3.2, disposal of media. The ISO standard’s control states that “Media should be disposed of securely when no longer required, using formal procedures,” and the implementation guidance for this requirement describes secure shredding and erasure of data as possible options after appropriate procedures have been followed to determine data sensitivity.
The organization may opt to test the assessment procedures by selecting a sample of retired media such as hard drives, SSDs, or backup tapes that represent the types of media that the organization regularly retires from service. It can then check the process that retired the media, if the media was classified properly for handling, and if the media was appropriately wiped or destroyed based on that classification. This requires process, documentation, and technical control testing, all to test a single item from the standard.
Control tests like this are likely to identify problems, and organizations must then choose how to handle the issues they find. Media disposal reviews may find gaps in classification, problems with secure deletion processes, or leakage of media or drives to secondary uses despite sensitive data classifications. Once problems like these are found, an additional control review will need to be conducted to determine whether more controls need to be put in place or whether the existing controls are sufficient if they are properly enforced.
Technical assessment methods, including vulnerability assessment and penetration testing, are also major elements of many security control testing processes. In fact, PCI-DSS requires both a vulnerability scan (requirement 11.2) and a penetration test (requirement 11.3) for compliance.
