CompTIA Security+ (SY0-501) — Question 217

A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using in-house or cheaply available resources. There cannot be a possibility of any requirement being damaged in the test.
Which of the following has the administrator been tasked to perform?

Answer options

Correct answer: D

Explanation

The correct answer is D, Vulnerability assessment, because it focuses on identifying and reporting actual flaws and weaknesses in the system without exploiting them, which aligns with the requirement to avoid damage. Options A and B involve different approaches; risk transference is about shifting risk to another party, and penetration testing actively exploits vulnerabilities, which could lead to damage. Option C, threat assessment, evaluates potential threats but does not specifically identify existing vulnerabilities.