A backup strategy that combines weekly full backups with daily incremental backups stored on a NAS (Network Attached Storage) drive is likely to meet an organization's Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs). This approach ensures that recent data is regularly backed up and that recovery can be done efficiently, without significant data loss or lengthy downtime.

Endpoint management software is a tool that allows security engineers to monitor and control the configuration, security, and performance of workstations and servers from a central console.
Endpoint management software can help detect and prevent unauthorized changes and software installations, enforce policies and compliance, and provide reports and alerts on the status of the endpoints. The other options are not as effective or comprehensive as endpoint management software for this purpose.

The CCTV system and signs about the possibility of being filmed serve as both deterrent and detective controls.
Deterrent controls: Aim to discourage potential attackers from attempting unauthorized actions. Posting signs about CCTV serves as a deterrent by warning individuals that their actions are being monitored.
Detective controls: Identify and record unauthorized or suspicious activity. The CCTV system itself functions as a detective control by capturing and recording footage that can be reviewed later.
Preventive controls: Aim to prevent security incidents but are not directly addressed by the CCTV and signs in this context.
Corrective controls: Aim to correct or mitigate the impact of a security incident.
Directive controls: Provide guidelines or instructions but are not directly addressed by the CCTV and signs.
Compensating controls: Provide alternative measures to compensate for the absence or failure of primary controls.

The Common Vulnerability Scoring System (CVSS) is a standardized framework for assessing the severity of vulnerabilities. It provides a numerical score (0-10) based on factors such as exploitability, impact, and complexity, helping security analysts prioritize remediation efforts based on risk.
Business impact analysis (A) helps identify critical business functions but does not specifically prioritize vulnerabilities.
Risk register (C) tracks identified risks but does not classify vulnerabilities.
Exposure factor (D) is used in quantitative risk assessment but is not an industry standard for vulnerability prioritization.
Reference:
CompTIA Security+ SY0-701 Official Study Guide, Risk Management domain.