Which of the following is NOT a goal that needs to be identified before performing a vulnerability assessment?

A. the cost of the assessment
B. the relative value of the information that could be discovered through a compromise
C. the specific threats that are applicable to the component being assessed
D. Available mitigation strategies that could be deployed

A
Explanation: Before an assessment process is developed, the following goals of the assessment need to be identified:
• The relative value of the information that could be discovered through the compromise of the components under assessment. This helps to identify the amount of resources that should be devoted to the issue.
• The specific threats that are applicable to the component. For example, a web application would not be exposed to the same issues that a firewall might be due to the differences in their operation and position in the network.
• The available mitigation strategies that could be deployed to address issues that might be found. Identifying common strategies may suggest issue that weren't anticipated initially. For example, if you were doing a vulnerability test of your standard network operating system image, you should anticipate issues you might find and identify what technique you will use to address each.