Certified in Risk and Information Systems Control (CRISC) — Question 978
Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?
Answer options
- A. Conduct vulnerability scans.
- B. Review change control board documentation.
- C. Interview IT operations personnel.
- D. Conduct penetration testing.
Correct answer: A
Explanation
The best way to validate a patching program's effectiveness is to conduct vulnerability scans, because they directly detect whether vulnerabilities that the patches were meant to remediate are still present on the systems. Reviewing change control board documentation and interviewing IT operations personnel may provide insight into the process but do not directly measure the patching outcome. Penetration testing, while useful, is broader in scope and does not specifically target validation of the patching program.