CompTIA CySA+ (CS0-001) — Question 110
The security configuration management policy states that all patches must undergo testing procedures before being moved into production. The security analyst notices a single web application server has been downloading and applying patches during non-business hours without testing. There are no apparent adverse reactions, server functionality does not seem to be affected, and no malware was found after a scan.
Which of the following actions should the analyst take?
Answer options
- A. Reschedule the automated patching to occur during business hours.
- B. Monitor the web application service for abnormal bandwidth consumption.
- C. Create an incident ticket for anomalous activity.
- D. Monitor the web application for service interruptions caused by the patching.
Correct answer: C
Explanation
The correct action is to create an incident ticket for anomalous activity: the server is applying patches without going through the testing procedures that the security configuration management policy requires, and that policy violation is a security concern even though no adverse effects or malware were found. The other options do not address the violation directly; rescheduling the patching or monitoring the server does not resolve the fact that untested patches are being applied.