CompTIA CASP+ (CAS-004) — Question 184
Prior to a risk assessment inspection, the Chief Information Officer tasked the systems administrator with analyzing and reporting any configuration issues on the information systems, and then verifying existing security settings. Which of the following would be BEST to use?
Answer options
- A. SCAP
- B. CVSS
- C. XCCDF
- D. CMDB
Correct answer: A
Explanation
SCAP (Security Content Automation Protocol) is the best choice because it provides a standardized approach for automating the assessment of security configurations and compliance. CVSS (Common Vulnerability Scoring System) scores the severity of vulnerabilities; it does not assess configuration issues. XCCDF (Extensible Configuration Checklist Description Format) is used for specifying checklists, but on its own it does not cover the entire assessment process the way SCAP does. CMDB (Configuration Management Database) is a repository for configuration items but does not perform the analysis or reporting required.