_____________ applies enterprise architecture concepts and practices in the information security domain.
Correct Answer: A
Enterprise Security Architecture (ESA) applies enterprise architecture concepts, methods, and practices (the business, information, application, and technology layers) to the information security domain, so that security controls are derived from, and traceable to, business requirements rather than bolted on per network. Answer option D is incorrect. An After Action Report (AAR) is a structured review conducted after an incident or exercise to record what happened, what went well, what went wrong, and what should change. Answer option C is incorrect. Open Vulnerability and Assessment Language (OVAL) is an XML-based language for expressing machine-readable checks of a system's configuration and vulnerability state. Answer option B is incorrect. The Open Web Application Security Project (OWASP) is an open community that publishes guidance, standards (such as the OWASP Top 10), and tools for securing web applications.
CA1-001 Exam Question 12
What is this formula for: SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}?
Correct Answer: C
This is the formula for computing the aggregate CIA score: it is the FIPS 199 security categorization (SC) of an information system, in which a potential impact level (low, moderate, or high) is assigned to each of the three security objectives, confidentiality, integrity, and availability, and the system's overall impact level is the highest of the three (the high-water mark). Answer option D is incorrect. ALE, or annualized loss expectancy, is computed by multiplying the single loss expectancy by the annualized rate of occurrence: ALE = SLE x ARO. Answer option B is incorrect. SLE, or single loss expectancy, is the amount of loss expected from a single incident. It is calculated by multiplying the asset value by the exposure factor: SLE = AV x EF. Answer option A is incorrect. There is no formula specific to calculating the security of a firewall.
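The categorization above is usually applied to a system that processes several information types, each with its own impact levels, and the system-level value for each objective is the highest impact found across those types. The following is an added worked example, not part of the original exam material, that carries out that high-water-mark aggregation in the FIPS 199 notation and also computes the SLE and ALE figures from the other answer options. The information types, impact levels, asset value, exposure factor, and rate of occurrence are constructed sample data for a hypothetical payroll system, not figures from any real assessment.

```python
"""FIPS 199 security categorization (high-water mark) plus SLE/ALE.

Added example with constructed sample data; nothing here comes from a real
system assessment.
"""
from typing import Dict

# FIPS 199 potential impact levels, in increasing order of severity.
IMPACT_ORDER = {"low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Compute SC information system = {(C, impact), (I, impact), (A, impact)}.

    info_types maps an information type name to its per-objective impact
    levels. The system's impact for each objective is the highest impact of
    any information type it processes (the FIPS 199 high-water mark).
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    sc: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = []
        for name, impacts in info_types.items():
            level = impacts[objective].lower()
            if level not in IMPACT_ORDER:
                raise ValueError(f"{name}: unknown impact level {level!r} for {objective}")
            levels.append(level)
        sc[objective] = max(levels, key=IMPACT_ORDER.__getitem__)
    return sc


def overall_impact(sc: Dict[str, str]) -> str:
    """Overall system impact level: the high-water mark across the three objectives."""
    return max(sc.values(), key=IMPACT_ORDER.__getitem__)


def format_sc(sc: Dict[str, str]) -> str:
    """Render the categorization in FIPS 199 notation (impact levels upper-case)."""
    body = ", ".join(f"({objective}, {sc[objective].upper()})" for objective in OBJECTIVES)
    return "SC information system = {" + body + "}"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction of the asset value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of incidents per year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


# Constructed sample: a hypothetical payroll system handling two information types.
SAMPLE_INFO_TYPES = {
    "employee PII": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "payroll schedule": {"confidentiality": "low", "integrity": "high", "availability": "moderate"},
}

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_sc(sc))
    print("overall impact:", overall_impact(sc))
    # Constructed figures: asset value 200,000, 25% lost per incident, one incident every two years.
    sle = single_loss_expectancy(200_000.0, 0.25)
    print("SLE:", sle, "ALE:", annualized_loss_expectancy(sle, 0.5))
```

Note that the integrity impact of a single information type ("payroll schedule", high) drives the overall category of the whole system to high, which is exactly the effect the high-water-mark rule is meant to have: the control baseline is chosen for the most sensitive data the system touches, not for the average.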
CA1-001 Exam Question 13
Which of the following statements are true about Continuous Monitoring? Each correct answer represents a complete solution. Choose all that apply.
Correct Answer: A,C
Continuous monitoring of a system takes place after its initial security accreditation. It involves tracking the changes to the information system that occur during its lifetime and determining the impact of those changes on the system's security. Because hardware, software, and firmware necessarily change during the lifetime of an information system, the results of these modifications must be evaluated to determine whether corresponding changes to the security controls are needed to keep the system in the desired security state. Certification and Accreditation (C&A or CnA) is a process for implementing information security: a systematic procedure for evaluating, describing, testing, and authorizing systems before or after they enter operation. The C&A process is used extensively in the U.S. Federal Government.
CA1-001 Exam Question 14
Which of the following saves the time and effort of creating your own programs and services by purchasing products from a third-party vendor?
Correct Answer: D
COTS stands for Commercial Off-The-Shelf. COTS products save the time and effort of creating your own programs and services because they are purchased ready-made from a third-party vendor; they speed up system construction and reduce its cost, at the price of depending on the vendor's patching cadence and supply chain. Answer option A is incorrect. A collaboration platform is a unified electronic platform that supports both synchronous and asynchronous communication using a variety of devices and channels. It offers a set of software components and services that enable users to communicate, share information, and work together to achieve common business goals. A collaboration platform consists of the following core elements:
* Messaging (email, calendaring and scheduling, contacts)
* Team collaboration (file synchronization, ideas and notes in a wiki, task management, full-text search)
* Real-time communication (presence, instant messaging, Web conferencing, application/desktop sharing, voice, audio and video conferencing)
Answer option C is incorrect. Change Management ensures that standardized methods and procedures are used for efficient handling of all changes. A change is "an event that results in a new status of one or more configuration items (CIs)"; it is approved by management, cost effective, and supports business process changes (including fixes) with minimum risk to the IT infrastructure. The main aims of Change Management are as follows:
* Minimal disruption of services
* Reduction in back-out activities
* Economic utilization of the resources involved in the change
Answer option B is incorrect. An end-to-end solution (E2ES) means that the supplier of an application program or system provides all the hardware and software components and resources needed to meet the customer's requirements, so that no other supplier needs to be involved.
CA1-001 Exam Question 15
In which of the following can a user access resources according to his role in the organization?
Correct Answer: C
Role-based access control (RBAC) is an access control model in which a user can access resources according to his role in the organization. Permissions are attached to roles rather than to individual users, and a user receives the permissions of the roles assigned to him. For example, a backup administrator is responsible for backing up important data, so the backup administrator role is authorized to read that data for the purpose of backing it up, and not to modify it. Sometimes users with different roles need to access the same resource; RBAC handles this by granting the same permission to more than one role, or by assigning more than one role to a user. Answer option A is incorrect. Discretionary access control (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have. Two important concepts in DAC are as follows:
* File and data ownership: Every object in the system has an owner. In most DAC systems, each object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner.
* Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources.
Access controls may be discretionary in ACL-based or capability-based access control systems. Note: In capability-based systems there is no explicit concept of an owner, but the creator of an object has a similar degree of control over its access policy. Answer option D is incorrect. Mandatory access control (MAC) is a model in which the system, not the user, enforces a predefined set of access rules. Access to an object is restricted on the basis of the sensitivity of the object, expressed as a label assigned to it, compared against the clearance of the subject. For example, if a user receives a copy of an object that is marked "secret", he cannot grant other users permission to see it unless they hold the appropriate clearance; the labels and the rules that compare them are set centrally and cannot be changed at the user's discretion. Answer option B is incorrect. There is no standard access control model called network-based access control (NBAC).
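The difference between the three models is easiest to see when the decision logic is written down. The following is an added example, not part of the original exam material, with toy implementations of RBAC, DAC, and MAC side by side. The users (alice, bob, carol, dan, eve), roles, objects, and labels are constructed sample data chosen to reproduce the scenarios in the explanation above: the backup administrator who may read but not modify the data, two roles that need the same resource, an owner sharing a file, and a "secret" reader who cannot pass the data down to a less-cleared user.

```python
"""Toy RBAC, DAC and MAC reference monitors with a constructed scenario.

Added example; all subjects, objects and labels are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class RBAC:
    """Role-based: permissions attach to roles; users are assigned roles."""
    role_perms: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)  # role -> {(action, object)}
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)              # user -> {roles}

    def grant(self, role: str, action: str, obj: str) -> None:
        self.role_perms.setdefault(role, set()).add((action, obj))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user: str, action: str, obj: str) -> bool:
        # A user holds the union of his roles' permissions. Granting the same
        # (action, object) to several roles is how "different roles need the
        # same resource" is handled without per-user exceptions.
        return any((action, obj) in self.role_perms.get(role, ())
                   for role in self.user_roles.get(user, ()))


@dataclass
class DAC:
    """Discretionary: the owner of each object decides who may access it."""
    owner: Dict[str, str] = field(default_factory=dict)                 # object -> owner
    acl: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)   # object -> user -> {actions}

    def create(self, user: str, obj: str) -> None:
        self.owner[obj] = user          # the creator becomes the initial owner
        self.acl[obj] = {}

    def share(self, granter: str, obj: str, user: str, action: str) -> None:
        # Only the owner may extend the ACL; a grantee cannot re-share.
        if self.owner.get(obj) != granter:
            raise PermissionError(f"{granter} does not own {obj}")
        self.acl[obj].setdefault(user, set()).add(action)

    def allowed(self, user: str, action: str, obj: str) -> bool:
        return self.owner.get(obj) == user or action in self.acl.get(obj, {}).get(user, set())


# Ordered sensitivity levels for the MAC model (Bell-LaPadula style lattice).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class MAC:
    """Mandatory: labels are assigned by the system and compared by a reference monitor."""
    clearance: Dict[str, str] = field(default_factory=dict)   # subject -> clearance
    label: Dict[str, str] = field(default_factory=dict)       # object -> sensitivity label

    def can_read(self, user: str, obj: str) -> bool:
        # Simple security property ("no read up"): clearance must dominate the label.
        return LEVELS[self.clearance[user]] >= LEVELS[self.label[obj]]

    def can_write(self, user: str, obj: str) -> bool:
        # *-property ("no write down"): a subject may not copy data into an object
        # carrying a lower label, so a "secret" reader cannot hand the content to
        # users who lack the clearance. Users never relabel objects at all.
        return LEVELS[self.clearance[user]] <= LEVELS[self.label[obj]]


def build_demo() -> Tuple[RBAC, DAC, MAC]:
    """Constructed scenario exercising each model (sample data, not a real system)."""
    rbac = RBAC()
    rbac.grant("backup_admin", "read", "customer_db")    # reads the data only to back it up
    rbac.grant("backup_admin", "write", "backup_store")
    rbac.grant("dba", "read", "customer_db")             # a second role needs the same resource
    rbac.grant("dba", "write", "customer_db")
    rbac.assign("bob", "backup_admin")
    rbac.assign("alice", "dba")

    dac = DAC()
    dac.create("alice", "report.docx")                   # alice owns it and shares read with bob
    dac.share("alice", "report.docx", "bob", "read")

    mac = MAC(clearance={"dan": "secret", "eve": "confidential"},
              label={"plan.doc": "secret", "notes.txt": "confidential"})
    return rbac, dac, mac


if __name__ == "__main__":
    rbac, dac, mac = build_demo()
    print("RBAC bob reads customer_db:", rbac.allowed("bob", "read", "customer_db"))
    print("RBAC bob writes customer_db:", rbac.allowed("bob", "write", "customer_db"))
    print("DAC carol reads report.docx:", dac.allowed("carol", "read", "report.docx"))
    print("MAC eve reads plan.doc:", mac.can_read("eve", "plan.doc"))
    print("MAC dan writes notes.txt:", mac.can_write("dan", "notes.txt"))
```

The point of contrast is who holds the decision: in RBAC an administrator edits role definitions, in DAC the object's owner edits its ACL, and in MAC nobody but the reference monitor's rules decides, which is why `can_write` refuses the secret-cleared user's attempt to write into a confidential file.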