From OSG, pg. 726.
Security Assessments
Security assessments are comprehensive reviews of the security of a system, application, or other tested environment. During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed.
Answer: D. To discover unmitigated security vulnerabilities, and propose paths for mitigating them
ISC2 WILEY CISSP STUDY GUIDE GLOSSARY pg 184
security assessments Comprehensive reviews of the security of a system, application, or other tested environment. During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed.
B - Security assessment and testing programs perform regular checks to ensure that adequate security controls are in place and that they effectively perform their assigned functions. In this chapter, you'll learn about many of the assessment and testing controls used by security professionals around the world.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide) (p. 725). Wiley. Kindle Edition.
While all of the options listed are important goals of conducting security assessments, the most important goal is to identify and address security vulnerabilities that could be exploited by attackers. This helps to improve the overall security posture of the organization and reduce the risk of a successful cyber attack. The other goals listed are also important, but they are secondary to the primary goal of identifying and mitigating security vulnerabilities.
D. B talks about reporting to management, which in my CISSP class was stressed as a top priority, but the answer states that it is to demonstrate the effectiveness of controls. What if the controls are not effective?
It seems that we would scan and assess the environment to find problems and the CISSP is supposed to advise on solutions, so I go with that one. The wording of B seems to indicate a specific outcome, and in the CISSP class I was advised to avoid specific answers.
The most important goal of conducting security assessments is to identify and mitigate potential security risks and vulnerabilities within an organization's information systems and networks. A security assessment is a comprehensive evaluation of an organization's security posture, which includes assessing security policies, procedures, and technical controls.
By conducting security assessments, organizations can identify weaknesses in their security posture and take proactive measures to address them. This includes implementing new security controls, improving existing controls, and providing security training and awareness programs for employees.
Security assessments include many types of tests designed to identify vulnerabilities, and the assessment report normally includes recommendations for mitigation. The assessment does not, however, include actual mitigation of those vulnerabilities.
During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed. OSG Pg-726
In the ISC2 CISSP study Guide, page 726, 'The main work product of a security assessment is normally an assessment report addressed to management that contains the results of the assessment in nontechnical language and concludes with specific recommendations for improving the security of the tested environment.'
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters (post age at time of capture):
Humongous1593 (Highly Voted, 2 years, 7 months ago)
jackdryan (2 years ago)
BigITGuy (Most Recent, 1 month, 2 weeks ago)
Bietchasup (5 months, 2 weeks ago)
Mayyada (7 months, 2 weeks ago)
john_boogieman (1 year, 1 month ago)
klarak (1 year ago)
dm808 (1 year, 1 month ago)
GuardianAngel (1 year, 3 months ago)
GPrep (1 year, 4 months ago)
Soleandheel (1 year, 5 months ago)
lxm28 (1 year, 11 months ago)
HughJassole (1 year, 11 months ago)
Delab202 (2 years, 1 month ago)
Ernestokoro (2 years, 1 month ago)
JohnyDal (2 years, 3 months ago)
Dee83 (2 years, 3 months ago)
JohnyDal (2 years, 3 months ago)
RVoigt (2 years, 4 months ago)