
CGRC Question #403: Real Exam Question with Answer & Explanation

The correct answer is D: Impact Analysis.

Security and Privacy Governance, Risk Management, and Compliance Program

Question

In which step of the NIST SP 800-30 Risk Assessment process are vulnerabilities paired with threats?

Options

  • A. Likelihood Determination
  • B. Vulnerability Identification
  • C. Evaluation and Assessment
  • D. Impact Analysis

Explanation

In the NIST SP 800-30 Risk Assessment process, vulnerabilities are paired with threats during the Impact Analysis step to determine the potential adverse effects resulting from a threat exploiting a vulnerability. This step focuses on understanding the magnitude of harm if a threat-vulnerability pair materializes.

Common mistakes.

  • A. Likelihood Determination focuses on the probability that a threat will exploit a vulnerability, not the pairing itself.
  • B. Vulnerability Identification is the process of discovering weaknesses, not combining them with threats to determine consequences.
  • C. Evaluation and Assessment is a broader term that encompasses the entire risk assessment but is not the specific step where threats and vulnerabilities are initially paired for impact determination.

Concept tested. NIST SP 800-30 Impact Analysis

Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Topics

#NIST SP 800-30 · #Risk Assessment Process · #Impact Analysis · #Threat-Vulnerability Pairing
