Question 9 - CompTIA (CYSA+) Analyst+ CS0-003 Real Exam Questions [Jan 2026 Update]

Q: 9

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?

Options

Correct Answer:

Explanation

The foundational step in a risk-based approach to cybersecurity is asset management, which begins with identifying and valuing assets. To categorize and prioritize systems for protection based on the sensitivity of their content (confidentiality, integrity, and availability), a security analyst must first determine the value of each asset. This valuation dictates the level of security controls required and guides all subsequent risk management activities, such as vulnerability scanning and control implementation. Without understanding the asset's value, it is impossible to appropriately prioritize security efforts or justify the cost of protective measures.

Why Incorrect

A. Interviewing users is a useful data-gathering step, but it does not establish the authoritative business value or impact, which is necessary for formal categorization.

B. Scanning for vulnerabilities is a subsequent step in risk assessment. The criticality of a vulnerability is determined by its potential impact on a valued asset.

C. Configuring alerts is a proactive security control. This action is typically performed after systems have been categorized and appropriate security baselines have been established.

References

1. National Institute of Standards and Technology (NIST) Special Publication 800-30

Revision 1

Guide for Conducting Risk Assessments. Section 2.2

"Conduct Assessment

" outlines the process which begins with identifying assets and their value to determine the impact of a loss of confidentiality

integrity

or availability. Specifically

Task 2-3

"Determine impact

" relies on the value of the system and data.

2. Federal Information Processing Standards (FIPS) Publication 199

Standards for Security Categorization of Federal Information and Information Systems. Section 3

"Security Categorization

" states

"The first step in the security categorization process is to identify the information types processed

stored

or transmitted by the information system." This process is directly tied to determining the value and sensitivity of the information asset to establish a security category.

3. Purdue University

Information Security Risk Management (CS 52600) Courseware. The risk management lifecycle taught in this program begins with "Asset Identification and Valuation

" establishing it as the prerequisite step before threat analysis or vulnerability assessment. This is a standard model in academic cybersecurity curricula.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE