|
5.6.2
|
Security Assertion Markup Language (SAML)
|
14
|
|
5.6.3
|
Kerberos
|
14
|
|
5.6.4
|
Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+)
|
14
|
|
Domain 6
|
Security Assessment and Testing
|
|
|
6.1
|
Design and validate assessment, test, and audit strategies
|
15
|
|
6.1.1
|
Internal
|
15
|
|
6.1.2
|
External
|
15
|
|
6.1.3
|
Third-party
|
15
|
|
6.2
|
Conduct security control testing
|
15
|
|
6.2.1
|
Vulnerability assessment
|
15
|
|
6.2.2
|
Penetration testing
|
15
|
|
6.2.3
|
Log reviews
|
15
|
|
6.2.4
|
Synthetic transactions
|
15
|
|
6.2.5
|
Code review and testing
|
15
|
|
6.2.6
|
Misuse case testing
|
15
|
|
6.2.7
|
Test coverage analysis
|
15
|
|
6.2.8
|
Interface testing
|
15
|
|
6.2.9
|
Breach attack simulations
|
15
|
|
6.2.10
|
Compliance checks
|
15
|
|
6.3
|
Collect security process data (e.g., technical and administrative)
|
15, 18
|
|
6.3.1
|
Account management
|
15
|
|
6.3.2
|
Management review and approval
|
15
|
|
6.3.3
|
Key performance and risk indicators
|
15
|
|
6.3.4
|
Backup verification data
|
15
|
|
6.3.5
|
Training and awareness
|
15, 18
|
|
6.3.6
|
Disaster Recovery (DR) and Business Continuity (BC)
|
18, 3
|
|
6.4
|
Analyze test output and generate report
|
15
|
|
6.4.1
|
Remediation
|
15
|
|
6.4.2
|
Exception handling
|
15
|
|
6.4.3
|
Ethical disclosure
|
15
|
|
6.5
|
Conduct or facilitate security audits
|
15
|
|
6.5.1
|
Internal
|
15
|
