CISSP · Question #256
When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports?
The correct answer is B. To find areas of compromise in confidentiality and integrity. Security assessment test outputs and reports are primarily designed to identify areas where confidentiality, integrity, or availability may be compromised, providing actionable findings for remediation.
Question
When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports?
Options
- ATo force the software to fail and document the process
- BTo find areas of compromise in confidentiality and integrity
- CTo allow for objective pass or fail decisions
- DTo identify malware or hidden code within the test results
How the community answered
(39 responses)- A13% (5)
- B79% (31)
- C3% (1)
- D5% (2)
Why each option
Security assessment test outputs and reports are primarily designed to identify areas where confidentiality, integrity, or availability may be compromised, providing actionable findings for remediation.
Forcing software to fail (fault injection or stress testing) is a specific testing technique, not the overarching purpose of security assessment reports, which focus on identifying security weaknesses rather than documenting failure processes.
The main purpose of test outputs and reports in security assessments is to reveal areas of compromise in confidentiality and integrity (and availability), which are the core security properties being evaluated. These reports document discovered vulnerabilities, weaknesses, and exposures so that organizations can understand their risk posture and prioritize corrective actions aligned with security objectives.
Pass/fail decisions are more characteristic of compliance audits or functional testing checklists, whereas security assessment reports provide nuanced findings about risk and compromise rather than simple binary outcomes.
Identifying malware or hidden code is the goal of malware analysis or code review activities, which are narrow subsets of security testing, not the primary purpose of security assessment test outputs and reports broadly.
Concept tested: Purpose of security assessment test outputs and reports
Source: https://csrc.nist.gov/publications/detail/sp/800-115/final
Topics
Community Discussion
No community discussion yet for this question.