CompTIA SecurityX (CAS-005) — Question 217

Due to budget constraints, an organization created a policy that only permits vulnerabilities rated high and critical according to CVSS to be fixed or mitigated. A security analyst notices that many vulnerabilities that were previously scored as medium are now breaching higher thresholds. Upon further investigation, the analyst notices certain ratings are not aligned with the approved system categorization. Which of the following can the analyst do to get a better picture of the risk while adhering to the organization’s policy?

Answer options

• A. Align the exploitability metrics to the predetermined system categorization.
• B. Align the remediation levels to the predetermined system categorization.
• C. Align the impact subscore requirements to the predetermined system categorization.
• D. Align the attack vectors to the predetermined system categorization.

Correct answer: C

Explanation

The correct answer is C because aligning the impact subscore requirements with the predetermined system categorization allows for a more accurate assessment of risk based on the organization's policy. The other options focus on different metrics that do not directly address the misalignment of ratings with system categorization, which is critical for understanding the overall risk profile.