A vulnerability test on an Information System (IS) is conducted to
A.
exploit security weaknesses in the IS.
B.
measure system performance on systems with weak security controls.
C.
evaluate the effectiveness of security controls.
D.
prepare for Disaster Recovery (DR) planning.
Who says that we do vulnerability test after we establish security controls?
We cannot do it before so we fix the vulnerabilities?
The problem in CISSP exam questions is that you select “best of the 4” given answers. 🙂 It has nothing to do with what you do in real life job.