Effective CISSP Questions

You are evaluating the compliance and effectiveness of measures that mitigate the effect of uncertainty on security objectives. Which of the following best describes what you are doing? (Wentz QOTD)
A. Risk assessment
B. Threat assessment
C. Security assessment
D. Vulnerability assessment

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Security assessment.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

ISO 31000

In ISO 31000, risk assessment comprises three steps: risk identification, risk analysis, and risk evaluation; a threat is a risk that brings negative effects. In the world of NIST, risk assessment and risk analysis are synonyms. Both frameworks, however, share the same structure: risk treatment (ISO) or risk response (NIST) follows risk assessment. Security controls are the specific risk treatments or responses chosen to mitigate risk.

Vulnerability is a factor of a threat. NIST’s generic risk model defines threat factors specifically:

NIST Generic Risk Model (NIST SP 800-30 R1)

Security Assessment

Security assessment may refer to security control assessment (SCA) or information security assessment (ISA). The two differ only slightly: SCA is a subset of ISA. Security assessment in this question refers to security control assessment.

  • A security control assessment (SCA) means “the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.” (NIST SP 800-53 R4)
  • An information security assessment (ISA) is “the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person, known as the assessment object) meets specific security objectives.” (NIST SP 800-115)


You are evaluating the compliance and effectiveness of measures that mitigate the effect of uncertainty on security objectives. Which of the following best describes what you are doing? (Wentz QOTD)
A. Risk assessment
B. Threat assessment
C. Security assessment
D. Vulnerability assessment
