CISSP · Question #602
Which of the following activities is MOST likely to be performed during a vulnerability assessment?
The correct answer is B. Analyze the environment by conducting interview sessions with relevant parties.. A vulnerability assessment involves systematically identifying and analyzing weaknesses in an environment, which requires gathering information through interviews, observations, and document reviews. Conducting interview sessions with relevant parties is a core information-gather
Question
Which of the following activities is MOST likely to be performed during a vulnerability assessment?
Options
- AEstablish caller authentication procedures to verify the identities of users.
- BAnalyze the environment by conducting interview sessions with relevant parties.
- CDocument policy exceptions required to access systems in non-compliant areas.
- DReview professorial credentials of the vulnerability assessment team or vendor.
How the community answered
(38 responses)- A8% (3)
- B87% (33)
- C3% (1)
- D3% (1)
Why each option
A vulnerability assessment involves systematically identifying and analyzing weaknesses in an environment, which requires gathering information through interviews, observations, and document reviews. Conducting interview sessions with relevant parties is a core information-gathering technique used during this process.
Establishing caller authentication procedures is a social engineering countermeasure or help desk security control, not a vulnerability assessment activity.
During a vulnerability assessment, analysts must understand the environment, existing controls, workflows, and potential exposures by interviewing stakeholders such as system owners, administrators, and end users. This qualitative data collection helps identify gaps between policy and practice, misconfigurations, and undocumented risks that automated scanning alone cannot reveal. Interviews are a recognized and standard phase of vulnerability assessment methodology as outlined in frameworks like NIST SP 800-30.
Documenting policy exceptions for non-compliant areas is an administrative or compliance management task, not a core vulnerability assessment activity focused on identifying technical and procedural weaknesses.
Reviewing the credentials of the assessment team is a vendor selection or procurement due diligence activity that occurs before the assessment begins, not during the assessment itself.
Concept tested: Vulnerability assessment information-gathering techniques and methodology
Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Topics
Community Discussion
No community discussion yet for this question.