What term describes an assessment performed by a third party to evaluate the effectiveness of security controls?

Prepare for the CISSP Domain 6 with our flashcards and multiple-choice questions. Gain insights with detailed hints and explanations. Ace your exam!

The term that describes an assessment performed by a third party to evaluate the effectiveness of security controls is a security audit (in CISSP Domain 6 terminology, an external or third-party audit, as opposed to an internal audit performed by the organization's own staff). A security audit is a systematic evaluation of an organization's information systems, policies, and procedures, measured against a defined standard or framework, to determine whether the security controls are in place, are operating as intended, and comply with the applicable standards and regulations.

The process typically includes reviewing documentation, interviewing personnel, and examining the operational environment to identify weaknesses or gaps that could be exploited. Because the auditor is independent of the organization being audited, the findings are less subject to internal bias and carry more credibility with regulators, customers, and business partners. The goal is to provide assurance that security measures are effectively protecting sensitive information and mitigating risk appropriately.

The other options each cover a narrower scope. A vulnerability assessment focuses on identifying vulnerabilities in systems or applications and does not necessarily evaluate how effective the existing controls are. A penetration test is an authorized simulated attack used to evaluate a system's security posture; it exercises technical controls but does not encompass the broader evaluation of policies, procedures, and management practices. A compliance review checks adherence to a specific regulation or standard, which is one input to an audit rather than an assessment of overall control effectiveness. A security audit is therefore the term that best captures a thorough, independent, third-party evaluation of security control effectiveness.
