CompTIA CASP+ (CAS-004) — Question 232
Due to budget constraints, an organization created a policy that only permits vulnerabilities rated high and critical according to CVSS to be fixed or mitigated. A security analyst notices that many vulnerabilities that were previously scored as medium are now breaching higher thresholds. Upon further investigation, the analyst notices certain ratings are not aligned with the approved system categorization.
Which of the following can the analyst do to get a better picture of the risk while adhering to the organization’s policy?
Answer options
- A. Align the exploitability metrics to the predetermined system categorization.
- B. Align the remediation levels to the predetermined system categorization.
- C. Align the impact subscore requirements to the predetermined system categorization.
- D. Align the attack vectors to the predetermined system categorization.
Correct answer: C
Explanation
The correct answer is C. In CVSS, the environmental metric group includes Confidentiality, Integrity and Availability Requirements, which adjust the impact subscore to reflect how much a loss of each property matters for the affected system. Setting these requirements to match the organization's approved system categorization (its C/I/A impact levels) means each vulnerability's score reflects the impact on that specific system, giving the analyst a more accurate picture of risk while still applying the organization's high/critical-only policy. Options A, B and D are less effective: exploitability metrics and attack vectors describe the vulnerability itself and are not tied to the system's categorization, and the remediation level is a temporal metric that reflects whether a fix is available, not the impact on the organization.