nerdexam
EC-Council

312-50V11 · Question #567

Which of the following lists are valid data-gathering activities associated with a risk assessment?

The correct answer is A. Threat identification, vulnerability identification, control analysis. NIST SP 800-30 defines risk assessment data-gathering as threat identification, vulnerability identification, and control analysis - the only choice that matches this framework.

Information Security and Ethical Hacking Fundamentals

Question

Which of the following lists are valid data-gathering activities associated with a risk assessment?

Options

  • AThreat identification, vulnerability identification, control analysis
  • BThreat identification, response identification, mitigation identification
  • CAttack profile, defense profile, loss profile
  • DSystem profile, vulnerability identification, security determination

How the community answered

(23 responses)
  • A
    87% (20)
  • B
    4% (1)
  • C
    9% (2)

Why each option

NIST SP 800-30 defines risk assessment data-gathering as threat identification, vulnerability identification, and control analysis - the only choice that matches this framework.

AThreat identification, vulnerability identification, control analysisCorrect

According to NIST SP 800-30, the core data-gathering activities in a risk assessment are threat identification (cataloging threat sources and events), vulnerability identification (finding weaknesses that could be exploited), and control analysis (evaluating existing and planned safeguards). These three activities together provide the raw inputs needed to calculate likelihood and impact. They are the foundational steps before any risk determination is made.

BThreat identification, response identification, mitigation identification

Response identification and mitigation identification are risk response and treatment activities that occur after data gathering is complete, not during it.

CAttack profile, defense profile, loss profile

Attack profile, defense profile, and loss profile are not standard NIST or ISC2 risk assessment data-gathering terminology.

DSystem profile, vulnerability identification, security determination

While system profiling is a valid precursor step, 'security determination' is a conclusion drawn after data gathering, not a data-gathering activity itself.

Concept tested: NIST SP 800-30 risk assessment data-gathering steps

Source: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

Topics

#risk assessment#threat identification#vulnerability identification#control analysis

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice