CompTIA Security+ (SY0-601) — Question 201

A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system?

Answer options

• A. The Diamond Model of Intrusion Analysis
• B. CIS Critical Security Controls
• C. NIST Risk Management Framework
• D. ISO 27002

Correct answer: C

Explanation

The correct answer is C, as the NIST Risk Management Framework provides guidelines for identifying, assessing, and managing risks associated with systems like ERP. The other options, while relevant to security, do not specifically encompass the comprehensive risk evaluation process that the CISO is undertaking in this scenario.