312-50V10 · Question #789
Which of the following steps for risk assessment methodology refers to vulnerability identification?
The correct answer is D. Determines if any flaws exist in systems, policies, or procedures. In risk assessment methodology, vulnerability identification is the step that determines whether flaws exist in systems, policies, or procedures that could be exploited by a threat.
Question
Which of the following steps for risk assessment methodology refers to vulnerability identification?
Options
- AAssigns values to risk probabilities; Impact values
- BDetermines risk probability that vulnerability will be exploited (High, Medium, Low)
- CIdentifies sources of harm to an IT system (Natural, Human, Environmental)
- DDetermines if any flaws exist in systems, policies, or procedures
How the community answered
(27 responses)- A4% (1)
- C4% (1)
- D93% (25)
Why each option
In risk assessment methodology, vulnerability identification is the step that determines whether flaws exist in systems, policies, or procedures that could be exploited by a threat.
Assigning values to risk probabilities and impact values is part of risk analysis or quantitative risk assessment, not vulnerability identification.
Determining the probability that a vulnerability will be exploited (High, Medium, Low) is the risk likelihood or probability assessment step, which occurs after vulnerabilities are already identified.
Identifying sources of harm such as natural, human, or environmental factors describes threat identification, which is a separate step from vulnerability identification.
Vulnerability identification specifically involves examining IT systems, security policies, and operational procedures to detect weaknesses or flaws that could be exploited. This is a distinct step from threat identification or risk probability assessment, and it directly answers what assets are susceptible to harm.
Concept tested: Risk assessment methodology - vulnerability identification step
Source: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
Topics
Community Discussion
No community discussion yet for this question.