Before an organization is attempting to conduct risk analysis, what should they identify first?
A. Threat sources and threat events
B. Exploitable weaknesses/deficiencies
C. Impacts or consequences of concern and critical assets
D. Any of the above can go first
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Any of the above can go first.
NIST SP 800-30 R1
The Generic Risk Model
Analysis approaches differ with respect to the orientation or starting point of the risk assessment, level of detail in the assessment, and how risks due to similar threat scenarios are treated. An analysis approach can be: (i) threat-oriented; (ii) asset/impact-oriented; or (iii) vulnerability-oriented.
Organizations have great flexibility in choosing a particular analysis approach. The specific approach taken is driven by different organizational considerations (e.g., the quality and quantity of information available with respect to threats, vulnerabilities, and impacts/assets; the specific orientation carrying the highest priority for organizations; availability of analysis tools emphasizing certain orientations; or a combination of the above).
Source: Page 15, NIST SP 800-30 R1
Risk Assessment
The intent of the process description in Chapter Three is to provide a common expression of the essential elements of an effective risk assessment. It is not intended to limit organizational flexibility in conducting those assessments. Other procedures can be implemented if organizations choose to do so, consistent with the intent of the process description.
Source: Page 23, NIST SP 800-30 R1
Summary
My suggested answer is D. Any of the above can go first.
According to NIST SP 800-30 R1:
- “Organizations have great flexibility in choosing a particular analysis approach. The specific approach taken is driven by different organizational considerations.”
- “Other procedures can be implemented if organizations choose to do so, consistent with the intent of the process description.”
C.
You definitely have to identify assets before conducting any kind of gap analysis.