Certified in Risk and Information Systems Control (CRISC) — Question 248

Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?

Answer options

• A. Vulnerability scanning
• B. Penetration testing
• C. Systems log correlation analysis
• D. Monitoring of intrusion detection system (IDS) alerts

Correct answer: B

Explanation

Penetration testing is the best method because it actively simulates attacks to identify vulnerabilities and test the effectiveness of security controls in real-world scenarios. Vulnerability scanning, while useful, only identifies potential issues without testing exploitability. Systems log correlation analysis and IDS alerts monitoring are more focused on detection rather than proactive assessment of control effectiveness.