Three things that must be considered for the planning and implementation of access control
mechanisms are:
A.
Threats, assets, and objectives.
B.
Threats, vulnerabilities, and risks.
C.
Vulnerabilities, secret keys, and exposures.
D.
Exposures, threats, and countermeasures.
Explanation:
The correct answer is “Threats, vulnerabilities, and risks”. Threats define the possible source of
security policy violations; vulnerabilities describe weaknesses in the system that might be exploited
by the threats; and the risk determines the probability of threats being realized. All three items must
be present to meaningfully apply access control. Therefore, the other answers are incorrect.