CompTIA Security+ (SY0-501) — Question 576
A security architect has convened a meeting to discuss an organization's key management policy. The organization has a reliable internal key management system, and some argue that it would be best to manage the cryptographic keys internally as opposed to using a solution from a third party. The company should use:
Answer options
- A. the current internal key management system.
- B. a third-party key management system that will reduce operating costs.
- C. risk benefits analysis results to make a determination.
- D. a software solution including secure key escrow capabilities.
Correct answer: C
Explanation
The correct answer is C because conducting a risk benefits analysis allows the organization to weigh the pros and cons of both internal and third-party solutions against its specific needs. Option A assumes the internal system is sufficient without evaluation, option B prioritizes cost savings without considering security implications, and option D suggests a specific software solution that may not address all organizational risks.