Exam CRISC
Question 1380

Management has implemented additional administrative and technical controls to reduce the likelihood of a high-impact risk in a key information system. What is the BEST way to validate the effectiveness of the control implementation?

    Correct Answer: B

    Performing an audit is the best way to validate the effectiveness of the control implementation. An audit thoroughly examines both administrative and technical controls to ensure they are functioning as intended and are effective in mitigating the identified risks. Unlike a vulnerability scan or penetration test, which focus primarily on technical aspects and specific vulnerabilities, an audit provides a comprehensive assessment, including the review of policies, procedures, and overall control environment, ensuring a more holistic evaluation of the controls in place.

Discussion
Baddest (Option: C)

C. Perform a penetration test. Penetration testing, also known as pen testing, involves simulating real-world attacks on systems, networks, and applications to identify vulnerabilities that could be exploited by malicious actors. By conducting penetration tests, organizations can assess the effectiveness of their control measures in mitigating potential risks and identify any residual vulnerabilities that may exist despite the implementation of controls.

lferolm (Option: B)

This tests for exploitable vulnerabilities and the effectiveness of certain technical controls but may not evaluate all administrative controls or the overall control environment.

Silvias4 (Option: C)

Agree, it's C

Radko96 (Option: C)

Incorrect. C. Perform a pentest. By conducting a penetration test, organizations can assess the effectiveness of the newly implemented administrative and technical controls in preventing unauthorized access, data breaches, or other security incidents. The test involves attempting to exploit vulnerabilities in the system to gain unauthorized access, escalate privileges, or compromise sensitive data.