nerdexam
EC-Council

312-50V11 · Question #789

Which of the following steps for risk assessment methodology refers to vulnerability identification?

The correct answer is D. Determines if any flaws exist in systems, policies, or procedures. In NIST risk assessment methodology, vulnerability identification is the step that specifically examines systems, policies, and procedures for exploitable flaws.

Vulnerability Analysis

Question

Which of the following steps for risk assessment methodology refers to vulnerability identification?

Options

  • AAssigns values to risk probabilities; Impact values
  • BDetermines risk probability that vulnerability will be exploited (High, Medium, Low)
  • CIdentifies sources of harm to an IT system (Natural, Human, Environmental)
  • DDetermines if any flaws exist in systems, policies, or procedures

How the community answered

(23 responses)
  • A
    4% (1)
  • B
    9% (2)
  • D
    87% (20)

Why each option

In NIST risk assessment methodology, vulnerability identification is the step that specifically examines systems, policies, and procedures for exploitable flaws.

AAssigns values to risk probabilities; Impact values

Assigning values to risk probabilities and impact is the risk analysis or quantification step, which occurs after vulnerabilities have already been identified.

BDetermines risk probability that vulnerability will be exploited (High, Medium, Low)

Determining the probability that a vulnerability will be exploited is the likelihood assessment step, not the step where vulnerabilities are initially discovered.

CIdentifies sources of harm to an IT system (Natural, Human, Environmental)

Identifying sources of harm such as natural, human, or environmental factors describes threat identification, a separate step from vulnerability identification.

DDetermines if any flaws exist in systems, policies, or proceduresCorrect

Vulnerability identification is the risk assessment step focused on finding weaknesses or flaws in systems, policies, and procedures that a threat source could exploit. This step is distinct from threat identification and likelihood analysis, and must be completed before risk probability can be assessed. NIST SP 800-30 defines this step as cataloging system vulnerabilities prior to evaluating the probability of their exploitation.

Concept tested: Risk assessment methodology vulnerability identification step

Source: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

Topics

#risk assessment#vulnerability identification#risk methodology#IT security

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice