nerdexam
(ISC)2

CAP · Question #156

Security Test and Evaluation (ST&E) is a component of risk assessment. It is useful in discovering system vulnerabilities. For what purposes is ST&E used? Each correct answer represents a complete sol

The correct answer is B. To determine the adequacy of security mechanisms, assurances, and other properties to C. To assess the degree of consistency between the system documentation and its implement D. To uncover design, implementation, and operational flaws that may allow the violation of. ST&E is used to evaluate security adequacy, verify documentation-to-implementation consistency, and uncover flaws - not to perform system architecture implementation.

Assessment/Audit of Security and Privacy Controls

Question

Security Test and Evaluation (ST&E) is a component of risk assessment. It is useful in discovering system vulnerabilities. For what purposes is ST&E used? Each correct answer represents a complete solution. Choose all that apply.

Options

  • ATo implement the design of system architecture
  • BTo determine the adequacy of security mechanisms, assurances, and other properties to
  • CTo assess the degree of consistency between the system documentation and its implement
  • DTo uncover design, implementation, and operational flaws that may allow the violation of

How the community answered

(42 responses)
  • A
    10% (4)
  • B
    90% (38)

Why each option

ST&E is used to evaluate security adequacy, verify documentation-to-implementation consistency, and uncover flaws - not to perform system architecture implementation.

ATo implement the design of system architecture

ST&E is an evaluation and testing discipline, not an implementation activity; implementing system architecture is performed during design and build phases, entirely separate from ST&E.

BTo determine the adequacy of security mechanisms, assurances, and other properties toCorrect

ST&E assesses whether security mechanisms, assurances, and properties are adequate to protect the system against identified threats, which is a primary evaluation objective of the process.

CTo assess the degree of consistency between the system documentation and its implementCorrect

ST&E verifies that the implemented system is consistent with its documented security design and specifications, identifying gaps between stated controls and actual deployment.

DTo uncover design, implementation, and operational flaws that may allow the violation ofCorrect

ST&E uncovers design, implementation, and operational flaws that could allow unauthorized access or policy violations, enabling organizations to remediate vulnerabilities before exploitation.

Concept tested: Security Test and Evaluation purposes and objectives

Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Topics

#Security Testing#System Evaluation#Vulnerability Discovery#Security Controls Assessment

Community Discussion

No community discussion yet for this question.

Full CAP Practice