Information Asset Coverage

A.

A security risk assessment is an important process that helps organizations identify, evaluate, and mitigate potential security threats and vulnerabilities. The assessment is aimed at ensuring that the information assets of an organization are protected against unauthorized access, disclosure, or loss.

Regarding the question at hand, it is important to understand that a security risk assessment should not be limited to specific types of information assets, but rather should cover all assets that are critical to the organization's operations.

Option A - "are classified and labeled" - is not an accurate answer because security risk assessments should not only focus on classified or labeled information assets, but should also consider all other information assets, such as trade secrets or proprietary information.

Option B - "are inside the organization" - is not correct because information assets may also be stored outside the organization, such as in a cloud service provider or a third-party vendor.

Option C - "support business processes" - is a more appropriate answer because a security risk assessment should focus on all information assets that are involved in the organization's operations, including those that support business processes.

Option D - "have tangible value" - is not a valid answer because information assets may not always have a tangible value, but they may still be important to the organization and require protection.

In summary, option C is the most accurate answer because security risk assessments should cover all information assets that support the organization's business processes.