The most effective approach to tracking vulnerabilities is to regularly perform vulnerability scans and

assessments because:

Proactive Identification: Regular scanning detects newly introduced vulnerabilities from software

updates or configuration changes.

Automated Monitoring: Modern scanning tools (like Nessus or OpenVAS) can automatically identify

vulnerabilities in systems and applications.

Assessment Reports: Provide prioritized lists of discovered vulnerabilities, helping IT teams address

the most critical issues first.

Compliance and Risk Management: Routine scans are essential for maintaining security baselines

and compliance with standards (like PCI-DSS or ISO 27001).

Other options analysis:

A . Wait for external reports: Reactive and risky, as vulnerabilities might remain unpatched.

B . Rely on employee reporting: Inconsistent and unlikely to cover all vulnerabilities.

D . Track only public vulnerabilities: Ignores zero-day and privately disclosed issues.

CCOA Official Review Manual, 1st Edition Reference:

Chapter 6: Vulnerability Management: Emphasizes continuous scanning as a critical part of risk

mitigation.

Chapter 9: Security Monitoring Practices: Discusses automated scanning and vulnerability tracking.