The criticality and sensitivity of information assets is determined on the basis of:
A.
threat assessment.
B.
vulnerability assessment.
C.
resource dependency assessment.
D.
impact assessment.
Explanation:
The criticality and sensitivity of information assets depends on the impact of the probability of the
threats exploiting vulnerabilities in the asset, and takes into consideration the value of the assets
and the impairment of the value. Threat assessment lists only the threats that the information
asset is exposed to. It does not consider the value of the asset and impact of the threat on the
value. Vulnerability assessment lists only the vulnerabilities inherent in the information asset that
can attract threats. It does not consider the value of the asset and the impact of perceived threats
on the value. Resource dependency assessment provides process needs but not impact.