312-50V11 · Question #567
Which of the following lists are valid data-gathering activities associated with a risk assessment?
The correct answer is A. Threat identification, vulnerability identification, control analysis. NIST SP 800-30 defines risk assessment data-gathering as threat identification, vulnerability identification, and control analysis - the only choice that matches this framework.
Question
Which of the following lists are valid data-gathering activities associated with a risk assessment?
Options
- AThreat identification, vulnerability identification, control analysis
- BThreat identification, response identification, mitigation identification
- CAttack profile, defense profile, loss profile
- DSystem profile, vulnerability identification, security determination
How the community answered
(23 responses)- A87% (20)
- B4% (1)
- C9% (2)
Why each option
NIST SP 800-30 defines risk assessment data-gathering as threat identification, vulnerability identification, and control analysis - the only choice that matches this framework.
According to NIST SP 800-30, the core data-gathering activities in a risk assessment are threat identification (cataloging threat sources and events), vulnerability identification (finding weaknesses that could be exploited), and control analysis (evaluating existing and planned safeguards). These three activities together provide the raw inputs needed to calculate likelihood and impact. They are the foundational steps before any risk determination is made.
Response identification and mitigation identification are risk response and treatment activities that occur after data gathering is complete, not during it.
Attack profile, defense profile, and loss profile are not standard NIST or ISC2 risk assessment data-gathering terminology.
While system profiling is a valid precursor step, 'security determination' is a conclusion drawn after data gathering, not a data-gathering activity itself.
Concept tested: NIST SP 800-30 risk assessment data-gathering steps
Source: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
Topics
Community Discussion
No community discussion yet for this question.