CISM Certified Information Security Manager – Question0733

Which is the BEST way to measure and prioritize aggregate risk deriving from a chain of linked system vulnerabilities?

A. Vulnerability scans
B. Penetration tests
C. Code reviews
D. Security audits

Correct Answer: B

Explanation:
A penetration test is normally the only security assessment that chains vulnerabilities together by exploiting them in sequence, so it is the best way to measure and prioritize the aggregate risk of a chain of linked weaknesses. Vulnerability scans, code reviews and security audits each give an extensive and thorough overview of individual risks and vulnerabilities, but they cannot test or demonstrate the end consequence of several vulnerabilities being linked together. Penetration testing gives risk a different perspective, because it prioritizes findings by the end result of a sequence of security problems rather than by the severity of each problem in isolation.