312-50V11 · Question #789
Which of the following steps for risk assessment methodology refers to vulnerability identification?
The correct answer is D. Determines if any flaws exist in systems, policies, or procedures. In NIST risk assessment methodology, vulnerability identification is the step that specifically examines systems, policies, and procedures for exploitable flaws.
Question
Which of the following steps for risk assessment methodology refers to vulnerability identification?
Options
- AAssigns values to risk probabilities; Impact values
- BDetermines risk probability that vulnerability will be exploited (High, Medium, Low)
- CIdentifies sources of harm to an IT system (Natural, Human, Environmental)
- DDetermines if any flaws exist in systems, policies, or procedures
How the community answered
(23 responses)- A4% (1)
- B9% (2)
- D87% (20)
Why each option
In NIST risk assessment methodology, vulnerability identification is the step that specifically examines systems, policies, and procedures for exploitable flaws.
Assigning values to risk probabilities and impact is the risk analysis or quantification step, which occurs after vulnerabilities have already been identified.
Determining the probability that a vulnerability will be exploited is the likelihood assessment step, not the step where vulnerabilities are initially discovered.
Identifying sources of harm such as natural, human, or environmental factors describes threat identification, a separate step from vulnerability identification.
Vulnerability identification is the risk assessment step focused on finding weaknesses or flaws in systems, policies, and procedures that a threat source could exploit. This step is distinct from threat identification and likelihood analysis, and must be completed before risk probability can be assessed. NIST SP 800-30 defines this step as cataloging system vulnerabilities prior to evaluating the probability of their exploitation.
Concept tested: Risk assessment methodology vulnerability identification step
Source: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
Topics
Community Discussion
No community discussion yet for this question.