B. Penetration testing
Among the options provided, penetration testing is the most practical and direct method for identifying security control gaps on an application server. Penetration testing involves simulating cyber attacks against your computer system to check for exploitable vulnerabilities. This type of testing is designed to discover weaknesses in security controls that an attacker could exploit.
According to ISACA (Information Systems Audit and Control Association), threat models (option C) provide the MOST useful information for identifying security control gaps on an application server. Here's why:
Proactive Approach: Threat modeling is a proactive approach to identifying and mitigating security risks. It involves systematically analyzing an application's design and architecture to identify potential threats and vulnerabilities.
Early Detection: Threat models can uncover security control gaps early in the development or deployment process, allowing organizations to address issues before they become vulnerabilities.
Comprehensive Understanding: Threat models provide a comprehensive understanding of potential threats and vulnerabilities specific to the application server, helping organizations tailor their security controls to address these risks effectively.
PT involves simulating real-world attacks on an application server to identify vulnerabilities and security weaknesses. This provides the most useful information for identifying security control gaps because it actively tests the system's defenses and highlights potential vulnerabilities that attackers could exploit.
B. Penetration testing is the most useful information for identifying security control gaps on an application server. Penetration testing is a proactive approach to identifying vulnerabilities in an application or system by simulating a real-world attack. It can identify security control gaps, configuration issues, and potential exploits that could be leveraged by attackers. Penetration testing can also help validate the effectiveness of security controls and identify areas for improvement.
Out of the given options, the MOST useful information for identifying security control gaps on an application server would be Penetration testing.
Penetration testing involves actively testing a system or application to identify vulnerabilities that an attacker could exploit. It provides a real-world assessment of the security posture of an application server and can help identify security control gaps that may not have been identified through other means.
Risk assessments, threat models, and internal audit reports can also be useful in identifying security control gaps, but they tend to be more focused on identifying risks and compliance issues rather than actively testing the system to find vulnerabilities. Therefore, while they can be valuable tools in a comprehensive security assessment, they may not provide the same level of insight into security control gaps as penetration testing. B is the answer.
The correct answer is D because it is the only one that shows what controls may be missing.
A. Risk assessments highlight what threats are likely and the impact that they may have. They say nothing about the actual controls in place.
B. Penetration testing can only tell you about the vulnerabilities that can be exploited, but can't tell you anything about the configuration of the controls. (i.e. the settings currently in place)
C. Threat models - These show all the possible threats that may exist, but nothing about the controls currently in place.
D. Internal audit reports
Community vote distribution
A (35%)
C (25%)
B (20%)