Which of the following would NOT be a component of a general
enterprise security architecture model for an organization?

A.
IT system auditing

B.
Consideration of all the items that comprise information security, including distributed systems,
software, hardware, communications systems, and networks

C.
Information and resources to ensure the appropriate level of risk management

D.
A systematic and unified approach for evaluating the organization’s information systems
security infrastructure and defining approaches to implementation and deployment of information
security controls

Explanation:
The auditing component of the IT system should be independent
and distinct from the information system security architecture for a
system.
* In answer “Information and resources to ensure the appropriate level of risk management”, the
resources to support intelligent risk management decisions include technical expertise, applicable
evaluation processes, refinement of business objectives, and delivery plans.
* Answer “Consideration of all the items that comprise information security, including distributed
systems, software, hardware, communications systems, and networks” promotes an enterprisewide view of information
system security issues.
* For answer “A systematic and unified approach for evaluating the organization’s information
systems security infrastructure and defining approaches to implementation and deployment of
information security controls”, the intent is to show that a
comprehensive security architecture model includes all phases
involved in information system security including planning, design,
integrating, testing, and production.