PrepAway - Latest Free Exam Questions & Answers

Which choice below is NOT a common information-gathering technique when performing a risk analysis?


A. Employing automated risk assessment tools

B. Interviewing terminated employees

C. Reviewing existing policy documents

D. Distributing a questionnaire

Explanation:
Any combination of the following techniques can be used in gathering information relevant to the IT system within its operational boundary:

Questionnaire. The questionnaire should be distributed to the applicable technical and nontechnical management personnel who are designing or supporting the IT system.

On-site Interviews. On-site visits also allow risk assessment personnel to observe and gather information about the physical, environmental, and operational security of the IT system.

Document Review. Policy documents, system documentation, and security-related documentation can provide good information about the security controls used by and planned for the IT system.

Use of Automated Scanning Tools. Proactive technical methods can be used to collect system information efficiently.

Source: NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.