1.
a) Discuss what are the factors that an organization should consider when determining the scope for establishing security control testing requirements
b) Discuss two of the barriers to establishing an effective security test plan that provides an organization the ability to assess the effectiveness of the set of controls in use.
2.
Compare and contrast the NIST definition of risk contained in NIST Interagency Report (NISTIR) 7298, revision 2 (http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf (Links to an external site.)) on page 161, sourced from FIPS 200, with Paul Hopkin’s preferred definition of risk on page 14 of the course text: “An event with the ability to impact (inhibit, enhance or cause doubt about) the effectiveness and efficiency of the core processes of an organization.” Which definition do you think is better and why?
Cite all your sources, including the ones identified here (e.g., your course text) using APA format. If possible, cite external sources that help substantiate your position.
Provide any available scholarly research, directives, publications, memorandums to support your discussion and provide references in APA format.