Include system performance in the scope of system testing.


CONTROL ID
12624
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system testing procedures., CC ID: 11744

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • An application security review/testing, initially and during major changes, needs to be conducted using a combination of source code review, stress loading, exception testing and compliance review to identify insecure coding techniques and systems vulnerabilities to a reasonable extent. (Critical components of information security 11) c.30., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A methodology for system testing should be established. The scope of tests should cover business logic, security controls and system performance under various stress-load scenarios and recovery conditions. (§ 6.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A methodology for testing applications prior to their first use and after material modifications shall be defined and introduced. The scope of the tests shall include the functionality of the application, the security controls and system performance under various stress scenarios. The organisational… (II.6.41, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Test changes independently in accordance with the defined test plan prior to migration to the operational environment. Ensure that the plan considers security and performance. (AI7.6 Testing of Changes, CobiT, Version 4.1)
  • shall include testing of management, operational, and technical controls of every information system identified in the inventory required under section 3505(c); (§ 3554(b)(5)(A), Federal Information Security Modernization Act of 2014)
  • Process transactions and assess system functionality. (App A Objective 10:15c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Tests of new technology, systems, and products before deployment to validate functionality, controls, and interoperability. (App A Objective 12:10 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The use of encryption within an ICS environment could introduce communications latency due to the additional time and computing resources required to encrypt, decrypt, and authenticate each message. For ICS, any latency induced from the use of encryption, or any other security technique, must not de… (§ 6.2.16.1 ICS-specific Recommendations and Guidance ¶ 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Check system hardware availability, functionality, integrity, and efficiency. (T0431, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Utilize models and simulations to analyze or predict system performance under different operating conditions. (T0242, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Store, retrieve, and manipulate data for analysis of system capabilities and requirements. (T0228, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Validation Functionality Testing. Functionality testing is a process for verifying that all system functionality has been tested, and the system is ready to return to normal operations. (§ 4.4 ¶ 1 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Store, retrieve, and manipulate data for analysis of system capabilities and requirements. (T0228, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Utilize models and simulations to analyze or predict system performance under different operating conditions. (T0242, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Check system hardware availability, functionality, integrity, and efficiency. (T0431, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)