Minimum security controls can only be determined after___________.
A.
A penetration test.
B.
The aggregate CIA score has been computed.
C.
System securitypoliciesare put in place.
D.
A vulnerability assessment.
Explanation:
You must compute the CIA (Confidentiality. Integrity, and Availability) requirements of the system before you can determine the required minimum controls.Answer option D is incorrect. A vulnerability assessment is a good practice, but is not necessary to determine minimal security controls.
Answer option A is incorrect. A penetration test is a good practice, but is not necessary to determine minimal security controls.
Answer option C is incorrect. The system securitypoliciesshould be developed after the CIA score has been computed.