A new malware variant is discovered hidden in pirated software that is distributed on the Internet.
Executives have asked for an organizational risk assessment.
The security officer is given a list of all assets.
According to NIST, which two elements are missing to calculate the risk assessment? (Choose two.)
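A. Incident response playbooks
B. Asset vulnerability assessment
C. Report of staff members with asset relations
D. Key assets and executives
E. Malware analysis report
Answer: BE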
https://cloudogre.com/risk-assessment/
The two elements that are missing to calculate the risk assessment, according to NIST (National Institute of Standards and Technology), are:
B. Asset vulnerability assessment: A vulnerability assessment is a systematic process of identifying, analyzing, and prioritizing vulnerabilities in assets (systems, applications, networks, etc.) to determine the level of risk they pose to an organization. It helps in identifying the weaknesses that can be exploited by attackers to compromise the confidentiality, integrity, or availability of the assets. Without an asset vulnerability assessment, it is difficult to determine the level of risk that the new malware variant poses to the organization.
E. Malware analysis report: A malware analysis report provides detailed information about the malware, such as its behavior, capabilities, and potential impact on the organization. It helps in understanding the scope of the malware infection, its propagation mechanism, and the data that it can compromise. Without a malware analysis report, it is difficult to determine the severity of the threat and the potential impact on the organization.
A. Incident response playbooks: Incident response playbooks are a set of predefined procedures that guide an organization's response to security incidents. They provide a standardized and organized approach to managing security incidents, minimizing the impact of the incident and restoring normal operations as quickly as possible. While incident response playbooks are important for responding to security incidents, they are not directly related to calculating the risk assessment.
C. Report of staff members with asset relations: A report of staff members with asset relations provides information about the employees who have access to the assets and their level of authorization. While this information is important for access control and identity management, it is not directly related to calculating the risk assessment.
D. Key assets and executives: While it is important to identify key assets and executives, this information alone does not provide a complete picture of the organization's risk posture. Risk assessment requires a more comprehensive analysis of the assets, threats, vulnerabilities, and potential impact on the organization.
In conclusion, to calculate the risk assessment, the organization needs to perform an asset vulnerability assessment to identify potential weaknesses in the assets that can be exploited by the new malware variant. Additionally, a malware analysis report is required to determine the severity of the threat and the potential impact on the organization.