Which of the following would NOT be a component of a general enterprise security architecture
model for an organization?

A.
IT system auditing

B.
Consideration of all the items that comprise information security, including distributed systems,
software, hardware, communications systems, and networks

C.
Information and resources to ensure the appropriate level of risk management

D.
A systematic and unified approach for evaluating the organization’s information systems security
infrastructure and defining approaches to implementation and deployment of information security
controls

Explanation:
The auditing component of the IT system should be independent and distinct from the information
system security architecture for a system. * In answer “Information and resources to ensure the
appropriate level of risk management”, the resources to support intelligent risk management
decisions include technical expertise, applicable evaluation processes, refinement of business
objectives, and delivery plans. * Answer “Consideration of all the items that comprise information
security, including distributed systems, software, hardware, communications systems, and
networks” promotes an enterprisewide view of information system security issues. * For answer “A
systematic and unified approach for evaluating the organization’s information systems security
infrastructure and defining approaches to implementation and deployment of information security
controls”, the intent is to show that a comprehensive security architecture model includes all phases
involved in information system security including planning, design, integrating, testing, and
production.