Certified in Risk and Information Systems Control (CRISC) — Question 989
Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?
Answer options
- A. Penetration testing
- B. Fault tree analysis
- C. Vulnerability assessment
- D. IT general controls audit
Correct answer: A
Explanation
Penetration testing attempts to exploit the web application the way a real attacker would, so its results show directly whether the implemented controls actually prevent or detect compromise. The other options do not exercise controls in operation: fault tree analysis is a risk-analysis technique that models how individual failures could combine to produce an undesired event; a vulnerability assessment identifies and rates potential weaknesses (typically through scanning) without confirming whether they are exploitable or whether existing controls block them; and an IT general controls audit evaluates organization-wide IT controls such as change management and access provisioning rather than the security of a specific application.