312-50V10 · Question #558
What information should an IT system analysis provide to the risk assessor?
The correct answer is C. Security architecture. An IT system analysis provides the risk assessor with a description of the system's security architecture, including its controls, boundaries, and design.
Question
What information should an IT system analysis provide to the risk assessor?
Options
- AManagement buy-in
- BThreat statement
- CSecurity architecture
- DImpact analysis
How the community answered
(45 responses)- A9% (4)
- B2% (1)
- C87% (39)
- D2% (1)
Why each option
An IT system analysis provides the risk assessor with a description of the system's security architecture, including its controls, boundaries, and design.
Management buy-in is an organizational and governance concern, not a technical deliverable produced by an IT system analysis.
A threat statement is an output of the threat identification phase of risk assessment itself, not something provided by the system analysis.
Security architecture documents the technical security controls, data flows, system boundaries, and protective mechanisms in place for a given IT system. This is the primary output a risk assessor needs from a system analysis to understand what is being protected and how, enabling accurate threat and vulnerability mapping per NIST SP 800-30.
Impact analysis is performed by the risk assessor as part of the risk assessment process, not provided as input from the system analysis.
Concept tested: IT system analysis input to risk assessment process
Source: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
Topics
Community Discussion
No community discussion yet for this question.