Problem
I. Explain the difference between a threat assessment, a vulnerability assessment, and an exploit assessment. Why is it important to identify your assets before doing a threat assessment? What is the difference between performing vulnerability assessments and pen testing in the production/operational environment and performing them as functional testing in a staging environment? Why is it important to perform assessments and testing in each of these environments?
II. What are the different families of controls in NIST SP 800-53 Rev. 5? Briefly explain the control families AC, CP, IA, SI, CA, and SC. What is the difference between in-place controls and planned controls? Explain the difference between procedural, technical, and physical controls.