Your organization is planning a penetration test to assess the security and privacy controls in organizational information systems. From the perspective of NIST SP 800-53A, which of the following is least likely to be one of the primary purposes for conducting penetration testing nowadays?
A. Verify the security or privacy features of an information system.
B. Enhance the organization’s understanding of the system.
C. Uncover weaknesses or deficiencies in the system.
D. Indicate the level of effort required on the part of adversaries to breach the system safeguards.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Verify the security or privacy features of an information system.
There is no absolute right or wrong answer, but when I read the following passage in NIST SP 800-53A, I thought its perspective was pretty good:
Considering the complexity of the information technologies commonly employed by organizations today, penetration testing can be viewed not as a means to verify the security or privacy features of an information system, but rather as a means to:
(i) enhance the organization’s understanding of the system;
(ii) uncover weaknesses or deficiencies in the system; and
(iii) indicate the level of effort required on the part of adversaries to breach the system safeguards.
Source: NIST SP 800-53A
Reference
- NIST SP 800-53A
- Rules of engagement
- Penetration Testing Rules of Engagement on Microsoft Cloud
- 5 pen testing rules of engagement: What to consider while performing Penetration testing
- Why Are Rules Of Engagement Important To My Penetration Test?
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
Your organization is planning a penetration test to assess the security and privacy controls in the organization's information systems. From the perspective of NIST SP 800-53A, which of the following is least likely to be one of the primary purposes for conducting penetration testing today?
A. Evaluate the security or privacy features of the information system.
B. Enhance the organization's understanding of the system.
C. Uncover weaknesses or deficiencies in the system.
D. Indicate the level of effort required on the part of adversaries to breach the system safeguards.