CGRC Question #482: Real Exam Question with Answer & Explanation
The correct answer is C: Penetration test. This question describes a testing methodology where assessors have full knowledge, no constraints, and actively try to bypass security features, which is characteristic of a penetration test.
Question
In which of the following testing methodologies do assessors use all available documentation, work under no constraints, and attempt to circumvent the security features of an information system?
Options
- A. Full operational test
- B. Walk-through test
- C. Penetration test
- D. Paper test
Explanation
Common mistakes
- A. A full operational test typically refers to testing the complete system's functionality and performance under operational conditions, not primarily focused on circumventing security.
- B. A walk-through test usually involves reviewing documentation or processes step-by-step for understanding or compliance, not actively attempting to exploit security weaknesses.
- D. A paper test (or desktop review) involves reviewing documentation without interacting with the live system, thus not involving attempts to circumvent security features.
Concept tested: Penetration testing methodology
Reference: NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf