According to the NIST SDLC, which of the following is the first security activity that should be conducted before authorizing an information system to operate?
A. Assess risk to the system
B. Assess business impact
C. Assess system security
D. Review operational readiness
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Assess business impact.