CISA Certified Information Systems Auditor – Question1631

A penetration test performed as part of evaluating network security:

A. provides assurance that all vulnerabilities are discovered.
B. should be performed without warning the organization's management.
C. exploits the existing vulnerabilities to gain unauthorized access.
D. would not damage the information assets when performed at network perimeters.

Correct Answer: C

Explanation:

Penetration tests are an effective method of identifying real-time risks to an information processing environment. They attempt to break into a live site in order to gain unauthorized access to a system. They do have the potential for damaging information assets or misusing information because they mimic an experienced hacker attacking a live system. On the other hand, penetration tests do not provide assurance that all vulnerabilities are discovered because they are based on a limited number of procedures.
Management should provide consent for the test to avoid false alarms to IT personnel or to law enforcement bodies.