CompTIA CySA+ (CS0-002) — Question 419

A business recently acquired a software company. The software company's security posture is unknown. However, based on an initial assessment, there are limited security controls. No significant security monitoring exists. Which of the following is the NEXT step that should be completed to obtain information about the software company's security posture?

Answer options

• A. Develop an asset inventory to determine the systems within the software company.
• B. Review relevant network drawings, diagrams, and documentation.
• C. Perform penetration tests against the software company's internal and external networks.
• D. Baseline the software company's network to determine the ports and protocols in use.

Correct answer: A

Explanation

Creating an asset inventory is crucial because it helps identify all systems and assets that need protection, forming the basis for further security assessments. Reviewing network diagrams and documentation (Option B) is helpful but doesn't directly identify the security posture. Penetration testing (Option C) is premature without understanding what assets exist, and baselining the network (Option D) also requires prior knowledge of the systems in place.