Which choice below is NOT a common information-gathering technique when performing a risk
analysis?

A. Employing automated risk assessment tools
B. Interviewing terminated employees
C. Reviewing existing policy documents
D. Distributing a questionnaire

Explanation:
Any combination of the following techniques can be used in gathering information relevant to the IT
system within its operational boundary:

Questionnaire. The questionnaire should be distributed to the applicable technical and nontechnical
management personnel who are designing or supporting the IT system.

On-site Interviews. On-site visits also allow risk assessment personnel to observe and gather
information about the physical, environmental, and operational security of the IT system.

Document Review. Policy documents, system documentation, and security-related documentation can
provide good information about the security controls used by and planned for the IT system.

Use of Automated Scanning Tools. Proactive technical methods can be used to collect system
information efficiently.

Source: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.