
Domain 6 – Section A Review: Assessments and Testing

CISSP Domain 6 — Security Assessment and Testing, Section A — Assessments and Testing Review (10 questions)

This section integrates:

  • Assessment and Audit Strategy Design (types, standards, frequency, rules of engagement)
  • Security Control Testing Methods (scanning, pen testing, code review, BAS)
  • Security Process Data Collection (logs, SIEM, KPIs/KRIs, evidence, sampling)
  • Test Output Analysis and Reporting (CVSS, prioritization, false positives, audience-appropriate reporting)
  • Security Audits Facilitation (preparation, evidence, corrective actions, continuous auditing)

Domain 6 questions test whether you can connect assessment strategy to execution, translate raw findings into prioritized actions, and support audit processes that produce genuine improvement rather than checkbox compliance.


Section A – Practice Questions


Question 1

A SaaS provider needs to demonstrate to enterprise customers that its security controls have been operating effectively over the past 12 months. The provider does not want to allow each customer to perform individual on-site audits.

Which approach BEST addresses this requirement?

A. Perform an internal self-assessment and share the results
B. Publish a SOC 3 report on the company website
C. Obtain ISO 27001 certification and refuse all audit requests
D. Obtain a SOC 2 Type II report and share it with customers under NDA

Answer & reasoning

Correct: D

SOC 2 Type II provides independent assurance that controls were operating effectively over a period (12 months in this case). Sharing it under NDA gives enterprise customers the detail they need for due diligence without requiring individual on-site audits. SOC 3 lacks the detail customers require. Self-assessment lacks independence. ISO 27001 is valuable but does not cover the Trust Services Criteria that customers typically evaluate.


Question 2

A security team runs quarterly authenticated vulnerability scans across the entire internal network. They also run unauthenticated scans from outside the perimeter monthly. Despite this, a recent breach exploited a known vulnerability on the laptop of a developer who works remotely and rarely connects to the corporate network.

What testing gap allowed this vulnerability to persist?

A. The unauthenticated external scans should have been run weekly instead of monthly
B. The organization lacked agent-based scanning to cover devices regardless of network location
C. The authenticated internal scans should have been run more frequently
D. The developer should have been required to connect to the VPN daily

Answer & reasoning

Correct: B

Network-based scanners — whether authenticated or unauthenticated — can only reach devices connected to the network at scan time. A remote developer who rarely connects to the corporate network is invisible to these scans. Agent-based scanning runs locally on the device and reports results regardless of network location, closing this visibility gap.


Question 3

An organization’s SIEM generates approximately 800 alerts per day. The security operations team of three analysts can investigate roughly 50 alerts daily. Most uninvestigated alerts are later determined to be false positives, but the team has no way to know which ones are real without investigation.

What is the MOST effective first step to address this problem?

A. Hire additional analysts to investigate all 800 alerts
B. Disable alert rules that generate the most volume
C. Tune alert rules and correlation logic to reduce false positive rates and prioritize high-fidelity alerts
D. Outsource all SIEM monitoring to a managed security service provider

Answer & reasoning

Correct: C

Alert tuning is the appropriate first response to high-volume, low-fidelity alerting. By adjusting thresholds, improving correlation logic, and suppressing known false positive patterns, the signal-to-noise ratio improves and analysts can focus on genuine threats. Hiring more staff without fixing the underlying alert quality problem does not scale. Disabling rules creates blind spots. Outsourcing transfers the problem without solving it.


Question 4

A penetration test report identifies a critical vulnerability that allows unauthenticated remote code execution on the organization’s payment processing server. The vulnerability has a CVSS base score of 9.8. The security team confirms the finding is valid.

What should happen NEXT?

A. Initiate emergency remediation procedures and apply compensating controls immediately while a permanent fix is developed
B. Add the finding to the quarterly vulnerability report for management review
C. Schedule remediation during the next maintenance window in three weeks
D. Request a second opinion from a different penetration testing firm

Answer & reasoning

Correct: A

A confirmed critical vulnerability with unauthenticated remote code execution on a payment processing server represents an immediate, high-impact risk. Waiting for quarterly reporting or a scheduled maintenance window exposes the organization to exploitation. Emergency response is warranted: apply compensating controls (network isolation, IPS rules) immediately while developing and testing the permanent fix.


Question 5

An auditor conducting a SOC 2 Type II examination requests evidence that the organization’s backup restoration procedures work. The operations team provides backup job completion logs showing 99.8% success rates over the past year.

Is this evidence sufficient?

A. No — backup job logs prove data was written but do not prove it can be restored; the auditor needs restoration test results
B. Yes — the high success rate demonstrates reliable backup operations
C. Yes — combined with the backup policy, job logs are sufficient evidence
D. No — the auditor should not be asking about backup operations in a SOC 2 examination

Answer & reasoning

Correct: A

Backup job completion logs confirm that data was written to backup media. They do not confirm the data can be restored, that it is intact, or that the restoration process works within the required recovery time objective. The auditor needs evidence of actual restoration testing — successful test restores with documented results, recovery times, and data integrity verification.


Question 6

A development team uses SAST scanning integrated into its CI/CD pipeline. The scans consistently identify potential vulnerabilities, but the development team complains that over 60% of flagged issues are false positives, and they have started ignoring scan results entirely.

What is the BEST course of action?

A. Remove SAST from the pipeline since it is producing unreliable results
B. Replace SAST with DAST, which has lower false positive rates
C. Tune the SAST tool rules and suppress known false positive patterns while maintaining validated rules for actual vulnerabilities
D. Make SAST results advisory only and remove them as a deployment gate

Answer & reasoning

Correct: C

High false positive rates from SAST tools are a known challenge that is addressed through tuning, not abandonment. Suppressing validated false positive patterns and adjusting rule sensitivity reduces noise while preserving the tool’s ability to catch real vulnerabilities. Removing SAST eliminates early code-level detection. Replacing it with DAST addresses a different testing layer and does not find code-level flaws before deployment.


Question 7

An organization’s internal audit team completes its annual IT security audit and presents findings to the CISO. The CISO instructs the audit team to remove two findings related to inadequate access management before the report goes to the audit committee.

How should the internal audit director respond?

A. Remove the findings as directed since the CISO has authority over IT security
B. Negotiate with the CISO to soften the findings rather than remove them
C. Refuse the request and report the findings and the CISO’s request to the audit committee directly
D. Delay the report until the access management issues are remediated

Answer & reasoning

Correct: C

Internal audit’s independence requires that findings are reported without interference from the areas being audited. The CISO requesting removal of findings is an attempt to compromise audit independence. The audit director should refuse the request and report both the original findings and the interference attempt to the audit committee, which is internal audit’s proper reporting authority.


Question 8

A healthcare organization wants to verify that its new patient portal application does not have vulnerabilities related to the OWASP Top 10. The application is live in production, and the security team does not have access to the source code because it was developed by a third party.

Which testing approach is MOST appropriate?

A. SAST analysis of the application binaries
B. Manual code review by the internal security team
C. Review the vendor’s development practices documentation
D. DAST testing against the running production application

Answer & reasoning

Correct: D

DAST tests a running application from the outside, making it ideal when source code is unavailable. It tests for the exact categories in the OWASP Top 10 including injection, authentication flaws, and misconfigurations. SAST and manual code review require source code access. Reviewing vendor documentation provides procedural assurance but does not validate the actual application for vulnerabilities.


Question 9

An organization tracks two metrics: “percentage of critical patches applied within 72 hours” and “number of critical vulnerabilities open past the 30-day remediation deadline.” This quarter, the patching metric shows 94% compliance, but the overdue vulnerability count has increased by 40%.

What does this discrepancy most likely indicate?

A. The patching process is failing and the 94% metric is inaccurate
B. Not all critical vulnerabilities are addressable through patching alone — some require configuration changes, architecture modifications, or vendor involvement that the patching process does not cover
C. The remediation deadline should be extended from 30 to 60 days
D. The vulnerability scanning tool is producing excessive false positives

Answer & reasoning

Correct: B

The patching KPI is strong, but the overdue vulnerability KRI is worsening. This gap indicates that many critical vulnerabilities require remediation beyond simple patching — application code fixes, configuration changes, or architectural redesign. The organization is executing its patching process well but has no equivalent process for non-patch remediation. Both KPIs and KRIs are needed to see the complete picture.


Question 10

A company is preparing for its third consecutive ISO 27001 surveillance audit. The previous two audits each produced a minor nonconformity related to incomplete risk treatment plans. Each time, the security team updated the specific plans cited and closed the finding.

What should the security team do differently this time?

A. Request a different auditor who may not focus on risk treatment plans
B. Investigate the root cause of recurring incomplete risk treatment plans and implement a systemic fix — such as process automation, ownership assignment, or management oversight
C. Preemptively complete all risk treatment plans before the auditor arrives
D. Accept the minor nonconformity as a recurring cost of certification

Answer & reasoning

Correct: B

A finding that recurs across multiple audit cycles signals that corrective actions are addressing symptoms rather than root causes. The security team needs to determine why risk treatment plans are consistently incomplete — whether the issue is process design, lack of tooling, unclear ownership, or insufficient management oversight — and implement a systemic correction. Simply completing the current plans will result in the same finding next year.
