A security administrator is aware that a portion of the company’s Internet-facing network tends to
be non-secure due to poorly configured and patched systems. The business owner has accepted
the risk of those systems being compromised, but the administrator wants to determine the degree
to which those systems can be used to gain access to the company intranet. Which of the
following should the administrator perform?

A.
Patch management assessment

B.
Business impact assessment

C.
Penetration test

D.
Vulnerability assessment