How would an organization know if its new information security program is accomplishing its goals?

A. Key metrics indicate a reduction in incident impacts.
B. Senior management has approved the program and is supportive of it.
C. Employees are receptive to changes that were implemented.
D. There is an immediate reduction in reported incidents.

Explanation:

Option A is correct since an effective security program will show a trend in impact reduction. Options B and C may well derive from a performing program, but are not as significant as option A. Option D may indicate that it is not successful.

QUESTION 536
A benefit of using a full disclosure (white box) approach as compared to a blind (black box) approach to penetration testing is that:

A. it simulates the real-life situation of an external security attack.
B. human intervention is not required for this type of test.
C. less time is spent on reconnaissance and information gathering.
D. critical infrastructure information is not revealed to the tester.

Explanation:

Data and information required for penetration are shared with the testers, thus eliminating time that would otherwise have been spent on reconnaissance and gathering of information. Blind (black box) penetration testing is closer to real life than full disclosure (white box) testing. There is no evidence to support that human intervention is not required for this type of test. A full disclosure (white box) methodology requires the knowledge of the subject being tested.