nerdexam
EC-Council

312-50V10 · Question #558

What information should an IT system analysis provide to the risk assessor?

The correct answer is C. Security architecture. An IT system analysis provides the risk assessor with a description of the system's security architecture, including its controls, boundaries, and design.

Information Security and Ethical Hacking Fundamentals

Question

What information should an IT system analysis provide to the risk assessor?

Options

  • AManagement buy-in
  • BThreat statement
  • CSecurity architecture
  • DImpact analysis

How the community answered

(45 responses)
  • A
    9% (4)
  • B
    2% (1)
  • C
    87% (39)
  • D
    2% (1)

Why each option

An IT system analysis provides the risk assessor with a description of the system's security architecture, including its controls, boundaries, and design.

AManagement buy-in

Management buy-in is an organizational and governance concern, not a technical deliverable produced by an IT system analysis.

BThreat statement

A threat statement is an output of the threat identification phase of risk assessment itself, not something provided by the system analysis.

CSecurity architectureCorrect

Security architecture documents the technical security controls, data flows, system boundaries, and protective mechanisms in place for a given IT system. This is the primary output a risk assessor needs from a system analysis to understand what is being protected and how, enabling accurate threat and vulnerability mapping per NIST SP 800-30.

DImpact analysis

Impact analysis is performed by the risk assessor as part of the risk assessment process, not provided as input from the system analysis.

Concept tested: IT system analysis input to risk assessment process

Source: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

Topics

#risk assessment#security architecture#IT system analysis#information security management

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice