CISSP · Question #855
Which of the following is the BEST method to assess the effectiveness of an organization's vulnerability management program?
The correct answer is B. Periodic third party vulnerability assessment. Explanation A periodic third-party vulnerability assessment is the best method because it provides an independent, unbiased evaluation of the organization's vulnerability management program - third parties have no stake in the outcome, bring fresh perspectives, and can identify g
Question
Options
- AReview automated patch deployment reports
- BPeriodic third party vulnerability assessment
- CAutomated vulnerability scanning
- DPerform vulnerability scan by security team
How the community answered
(43 responses)- A2% (1)
- B81% (35)
- C5% (2)
- D12% (5)
Explanation
Explanation
A periodic third-party vulnerability assessment is the best method because it provides an independent, unbiased evaluation of the organization's vulnerability management program - third parties have no stake in the outcome, bring fresh perspectives, and can identify gaps that internal teams may overlook or rationalize away. Options A and C (automated patch reports and vulnerability scanning) are useful operational tools, but they only show point-in-time technical data - they cannot assess whether the program itself is effective, well-governed, or aligned with business risk. Option D (internal security team scans) suffers from the same limitation as automated scanning, with the added concern that internal teams may have blind spots, conflicts of interest, or unconscious bias toward their own processes.
Memory Tip: Think of it like auditing your own finances - you can do it yourself (options A, C, D), but only an independent external auditor (option B) gives a truly credible and objective assessment of whether your program is working. The keyword "effectiveness of the program" signals you need an independent, holistic review - not just a technical scan.
Topics
Community Discussion
No community discussion yet for this question.