The software system of internal control comprises all of the means developed to ensure the integrity of the software system and of the products that the software creates. Controls are employed to govern the processing components of software, and to assure that processing is carried out in accordance with the organization's policies and procedures and with applicable laws and regulations. A software system is divided into two parts: the part that performs the processing and the part that controls the processing. The control part includes the system of controls as well as the means employed to assure that processing cannot be penetrated by outside sources. This category addresses all the components of the software system of internal control and the associated security procedures.
Principles and Concepts of a Software System of Internal Control and Security
- Vocabulary of Internal Control and Security – the terms used in internal control and security, including risk, threat, control, exposure, vulnerability and penetration.
- Internal Control and Security Models – the models of internal control and security. The most widely accepted current model is the COSO model (COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is composed of five major U.S. professional accounting associations).
Testing the System of Internal Controls
The process for testing the system of internal controls in software is:
- Perform risk analysis – determine the risks faced by the transactions/events processed by the software.
- Determine the controls for each of the processing segments of transaction processing, including:
  - transaction origination
  - transaction entry
  - transaction processing
  - database control
  - transaction results
- Determine whether the identified controls are adequate to reduce the risks to an acceptable level.
- When all components of the control system are present and functioning effectively, the internal control process can be deemed “effective.”
Testing the Adequacy of Security for a Software System
Testers need to evaluate the security of an individual software system. The tests should include:
- Evaluate the adequacy of management’s security environment.
- Security Risk Assessment – determining the types of risk requiring security controls.
- Identify the most probable points at which the software would be penetrated.
- Determine the controls at those points of penetration.
- Test/assess whether the controls at those points are adequate to reduce the security risks to an acceptable level. These tests should include:
  - the security awareness of the software stakeholders
  - the adequacy of management's security environment
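The control-adequacy decision at the heart of both procedures above (the risks faced by each processing segment, the controls found at each point, and whether those controls reduce the risk to an acceptable level) can be recorded and evaluated mechanically, which makes the "effective / not effective" verdict repeatable across test cycles. The following Python script is an added example, not part of the original text or of any standard; the 1 to 5 likelihood and impact scale, the multiplicative control-effectiveness model, the acceptable-residual threshold of 6, and the sample risks and controls are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# The five processing segments named in the test process (added example; not from any standard).
SEGMENTS = [
    "transaction origination",
    "transaction entry",
    "transaction processing",
    "database control",
    "transaction results",
]
# Assumed threshold: a residual score above this (on a 1..25 scale) is not acceptable.
ACCEPTABLE = 6.0


@dataclass
class Risk:
    name: str
    likelihood: int  # assumed scale 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale 1 (negligible) .. 5 (severe)

    @property
    def inherent(self) -> int:
        """Inherent risk before any control is applied (1..25)."""
        return self.likelihood * self.impact


@dataclass
class Control:
    name: str
    reduces: str               # name of the risk this control addresses
    effectiveness: float       # fraction of remaining risk removed when functioning, 0.0..1.0
    functioning: bool = True   # outcome of the tester's operating-effectiveness test


@dataclass
class Segment:
    name: str
    risks: list = field(default_factory=list)
    controls: list = field(default_factory=list)


def residual_risks(seg: Segment) -> dict:
    """Residual score per risk: each functioning control that addresses the risk
    removes its effectiveness fraction of whatever risk is left (assumed model)."""
    out = {}
    for r in seg.risks:
        score = float(r.inherent)
        for c in seg.controls:
            if c.reduces == r.name and c.functioning:
                score *= 1.0 - c.effectiveness
        out[r.name] = round(score, 2)
    return out


def findings(segments: list) -> list:
    """Findings that prevent the control system from being deemed effective: a segment
    left out of the risk analysis, a risk with no identified control, a control that is
    present but not functioning, or residual risk above ACCEPTABLE."""
    out = []
    covered = {s.name for s in segments}
    for name in SEGMENTS:
        if name not in covered:
            out.append(f"{name}: segment not covered by the risk analysis")
    for seg in segments:
        res = residual_risks(seg)
        for r in seg.risks:
            matching = [c for c in seg.controls if c.reduces == r.name]
            if not matching:
                out.append(f"{seg.name}/{r.name}: no control identified (inherent {r.inherent})")
            elif not any(c.functioning for c in matching):
                out.append(f"{seg.name}/{r.name}: control present but not functioning")
            if res[r.name] > ACCEPTABLE:
                out.append(f"{seg.name}/{r.name}: residual {res[r.name]} exceeds {ACCEPTABLE}")
    return out


def is_effective(segments: list) -> bool:
    """All segments present, every risk controlled, every control functioning, residual acceptable."""
    return not findings(segments)


def sample_system() -> list:
    """Constructed sample: the risks and controls are illustrative, not from any real system."""
    return [
        Segment("transaction origination", [Risk("unauthorized initiation", 3, 4)],
                [Control("dual authorization", "unauthorized initiation", 0.75)]),
        Segment("transaction entry", [Risk("keying error", 4, 3)],
                [Control("input edit validation", "keying error", 0.8)]),
        Segment("transaction processing", [Risk("duplicate posting", 3, 4)],
                [Control("batch control totals", "duplicate posting", 0.6)]),
        Segment("database control", [Risk("unauthorized direct update", 2, 5)],
                [Control("DBA access review", "unauthorized direct update", 0.7, functioning=False)]),
        Segment("transaction results", [Risk("output sent to wrong recipient", 2, 3)],
                []),  # no control identified for this risk
    ]


def remediated_system() -> list:
    """The same system after the two gaps in sample_system() are closed."""
    system = sample_system()
    system[3].controls[0].functioning = True
    system[4].controls.append(
        Control("output distribution log reconciliation", "output sent to wrong recipient", 0.5))
    return system


if __name__ == "__main__":
    for f in findings(sample_system()):
        print("FINDING:", f)
    print("effective after remediation:", is_effective(remediated_system()))
```

The point of the `findings()` shape is that the verdict in the text ("all components present and functioning effectively") is a conjunction: a missing segment, an uncontrolled risk, or a control that exists on paper but fails its operating test each block the "effective" conclusion on its own, and the residual score only matters once a functioning control is actually in place.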