A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists in a specific version of a technology the company uses to support many critical applications. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed. Which of the following would BEST provide the needed information?
A. Penetration test
B. Vulnerability scan
C. Active reconnaissance
D. Patching assessment report
B. The CIO wants to know two things: 1) "IF this reported vulnerability exists" and 2) "if so, to what extent the COMPANY could be harmed." So step 1 is to run a vulnerability scan to see whether the vulnerability exists. Step 2, once it is verified that the threat exists, is to determine the extent of harm to the COMPANY. You need a BIA (Business Impact Analysis) to determine the extent of harm to the COMPANY. A pen test would only show the extent of damage to the IT infrastructure, not to the entire COMPANY (short-term, mid-term, long-term). A Business Impact Analysis (BIA) process identifies and evaluates the potential effects (financial, life/safety, regulatory, legal/contractual, reputational, and so forth).