From OSG, pg. 726.
Security Assessments
Security assessments are comprehensive reviews of the security of a system, application, or other tested environment. During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed.
Answer: D. To discover unmitigated security vulnerabilities, and propose paths for mitigating them
ISC2 WILEY CISSP STUDY GUIDE GLOSSARY pg 184
security assessments Comprehensive reviews of the security of a system, application, or other tested environment. During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed.
B - Security assessment and testing programs perform regular checks to ensure that adequate security controls are in place and that they effectively perform their assigned functions. In this chapter, you'll learn about many of the assessment and testing controls used by security professionals around the world.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide) (p. 725). Wiley. Kindle Edition.
While all of the options listed are important goals of conducting security assessments, the most important goal is to identify and address security vulnerabilities that could be exploited by attackers. This helps to improve the overall security posture of the organization and reduce the risk of a successful cyber attack. The other goals listed are also important, but they are secondary to the primary goal of identifying and mitigating security vulnerabilities.
D. B talks about reporting to management, which in my CISSP class was stressed as a top priority, but the answer states that it is to demonstrate the effectiveness of controls. What if the controls are not effective?
It seems that we would scan and assess the environment to find problems and the CISSP is supposed to advise on solutions, so I go with that one. The wording of B seems to indicate a specific outcome, and in the CISSP class I was advised to avoid specific answers.
The most important goal of conducting security assessments is to identify and mitigate potential security risks and vulnerabilities within an organization's information systems and networks. A security assessment is a comprehensive evaluation of an organization's security posture, which includes assessing security policies, procedures, and technical controls.
By conducting security assessments, organizations can identify weaknesses in their security posture and take proactive measures to address them. This includes implementing new security controls, improving existing controls, and providing security training and awareness programs for employees.
Security assessments include many types of tests designed to identify vulnerabilities, and the assessment report normally includes recommendations for mitigation. The assessment does not, however, include actual mitigation of those vulnerabilities.
During a security assessment, a trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that may allow a compromise and makes recommendations for remediation, as needed. OSG Pg-726
In the ISC2 CISSP Study Guide, page 726: 'The main work product of a security assessment is normally an assessment report addressed to management that contains the results of the assessment in nontechnical language and concludes with specific recommendations for improving the security of the tested environment.'
The most important goal of conducting security assessments is to discover unmitigated security vulnerabilities, and propose paths for mitigating them (option D). Security assessments are an important part of an organization's overall security program, as they help to identify and prioritize vulnerabilities, and provide guidance on how to address them.
Other goals of conducting security assessments include aligning the security program with the organization's risk appetite (option A), demonstrating the proper function of security controls and processes to senior management (option B), and preparing the organization for an external audit, particularly by a regulatory entity (option C). However, these goals are all ultimately secondary to the primary goal of identifying and mitigating vulnerabilities, which is the key to ensuring the security and resilience of an organization's systems and data.
Security risk assessments help an organization strengthen its security. They can help a company identify security vulnerabilities, create new security requirements, spend cybersecurity budgets more intelligently, conduct due diligence and improve communication and decision-making.