CompTIA CySA+ (CS0-002) — Question 230
A large company wants to address frequent outages on critical systems with a secure configurations program. The Chief Information Security Officer (CISO) has asked the analysts to conduct research and make recommendations for a cost-effective solution with the least amount of disruption to the business. Which of the following would be the best way to achieve these goals?
Answer options
- A. Adopt the CIS security controls as a framework, apply configurations to all assets, and then notify asset owners of the change.
- B. Coordinate with asset owners to assess the impact of the CIS critical security controls, perform testing, and then implement across the enterprise.
- C. Recommend multiple security controls depending on business unit needs, and then apply configurations according to the organization’s risk tolerance.
- D. Ask asset owners which configurations they would like, compile the responses, and then present all options to the CISO for approval to implement.
Correct answer: B
Explanation
The correct answer is B. Coordinating with asset owners to assess the impact of the CIS critical security controls, then testing before an enterprise-wide rollout, gives a thorough understanding of potential disruptions before implementation; this directly satisfies the CISO's requirements of cost-effectiveness and minimal disruption to the business, because configuration changes are validated against the critical systems that are already experiencing outages rather than pushed blind. Option A is less effective because it applies configurations to all assets without input from asset owners, which is likely to cause unforeseen outages on exactly the systems the program is meant to stabilize. Option C lacks a unified strategy, since varying controls by business unit complicates the overall security posture and makes the program harder to maintain consistently. Option D is inadequate because it relies solely on asset owner preferences without a structured evaluation of security needs, and it leaves the decision to the CISO rather than delivering a researched recommendation.