IV.A Assurance and Testing
Management should ascertain that the information security program is operating securely, as expected, and reaching intended goals by doing the following:
- Testing and evaluating through self-assessments, tests, and audits with appropriate coverage, depth, and independence.
- Aligning personnel skills and program needs.
- Establishing and implementing a reporting process that includes the assembly and distribution of assurance reports that are timely, complete, transparent, and relevant to management decisions.
Assurance relates to the confidence that the information security program is mitigating risk as expected. Assurance targets two parts of the process: (1) the IT system's design and (2) the IT system's operation. The institution should carefully distinguish between the two because the former relates to risk decisions that change the security controls and the latter relates to the operation of the controls. Flaws in control design typically are corrected by a redesign, and flaws in operation typically are corrected through a compliance program.
The institution should have a documented testing and evaluation plan that addresses the integration of security controls, level of assurance desired, and strategies and activities performed in obtaining that assurance. The plan should identify specific components of the system to address, methods by which the components are to be addressed, timing and frequency of the tests and evaluations, and criteria used to ascertain whether the test and evaluation results are acceptable and provide assurance.See also Information Security Standards, section III.C.3, requiring each financial institution to test the key controls, systems, and procedures of its information security program using independent third parties or staff independent of those that develop or maintain the program.
IV Information Security Program Effectiveness
IV.A.1 Key Testing Factors