According to NIST SP 800-30 R1, “assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.” Which of the following should be determined first before conducting a risk assessment? (Wentz QOTD)
A. Risk assessment methodology
B. Analysis approach
C. Assessment approach
D. Analytic approach
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Risk assessment methodology.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
According to NIST SP 800-30 R1, assessing risk requires careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur. Which of the following should be determined first before conducting a risk assessment? (Wentz QOTD)
A. Risk assessment methodology
B. Analysis approach
C. Assessment approach
D. Analytic approach