Security Assessment for Small Company's Internal Servers | CompTIA Security+ Exam SY0-601

Conducting Security Assessment for Small Company's Internal Servers


Question

A security analyst is assessing a small company's internal servers against recommended security practices.

Which of the following should the analyst do to conduct the assessment? (Choose two.)

Answers

A. Compare configurations against platform benchmarks.
B. Confirm adherence to the company's industry-specific regulations.
C. Review the company's current security baseline.
D. Verify alignment with policy related to regulatory compliance.
E. Run an exploitation framework to confirm vulnerabilities.

Answer: CE.

Explanations


A. Compare configurations against platform benchmarks: When assessing a company's internal servers, one of the best practices is to compare each server's configuration against the platform benchmark for its operating system or application. Platform benchmarks are industry-standard hardening guides that recommend specific settings for securing servers and applications. Checking the actual configuration setting by setting against the benchmark lets the analyst identify deviations from recommended security practices, and each deviation points to a potential vulnerability that needs to be addressed.

C. Review the company's current security baseline: A security baseline is a set of security controls and practices that an organization implements to protect its assets. Reviewing the company's current security baseline is an important step in assessing the security posture of the organization. By reviewing the security baseline, the security analyst can identify any gaps or weaknesses in the company's security controls and practices. This can help identify areas that need improvement and provide recommendations for mitigating risks.

B. Confirm adherence to the company's industry-specific regulations: Many industries have specific regulations and standards that organizations must adhere to. It is important for the security analyst to verify that the company is complying with these regulations. This can include requirements for data privacy, data security, and other industry-specific security requirements. By confirming adherence to these regulations, the security analyst can ensure that the organization is meeting the minimum security standards for its industry.

D. Verify alignment with policy related to regulatory compliance: Organizations often have policies in place that outline how they will comply with regulatory requirements. These policies provide guidance for employees and ensure that the organization is meeting its legal obligations. The security analyst should verify that the company's policies align with the regulatory requirements. This can help ensure that the organization is meeting its obligations and that employees are following the correct procedures.

E. Run an exploitation framework to confirm vulnerabilities: Running an exploitation framework to confirm vulnerabilities should not be a part of a security assessment unless it is explicitly authorized by the organization. Exploitation frameworks are tools that can be used to test the security of a system by attempting to exploit vulnerabilities. However, using these tools can be dangerous and can cause damage to the system if not used correctly. Therefore, it is important to have authorization and take precautions before using these tools.

In summary, the two best options for a security analyst to conduct an assessment of a small company's internal servers against recommended security practices would be to compare configurations against platform benchmarks and review the company's current security baseline.
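The two correct activities (options A and C) are both configuration-comparison exercises: the server's actual settings are diffed against a reference, either the platform benchmark or the company's own baseline, and every mismatch becomes a finding. The script below is an added illustration of that comparison and is not part of the exam page. It parses an sshd_config-style file and reports deviations from two references; the benchmark values, the company baseline and the sample server configuration are all constructed here, and the benchmark only loosely follows common hardening guidance rather than quoting any specific published benchmark.

```python
"""Compare a server's sshd-style configuration against a platform benchmark
and against the company's own security baseline, reporting deviations.

Added illustration, not from the exam page. All reference values and the
sample configuration are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed platform benchmark (hypothetical, in the spirit of a hardening
# guide): setting -> expected value. Comparisons are case-insensitive.
PLATFORM_BENCHMARK = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "loglevel": "verbose",
}

# Constructed company baseline: the company has accepted password
# authentication for this server class but wants a stricter MaxAuthTries.
COMPANY_BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "3",
    "loglevel": "verbose",
}

# Constructed sample sshd_config collected from a server under assessment.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
LogLevel VERBOSE
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
# MaxAuthTries deliberately left unset -> daemon default applies
"""


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: Optional[str]   # None means the setting is absent from the config
    source: str             # "benchmark" or "baseline"


def parse_config(text: str) -> dict:
    """Parse 'Key value' lines, ignoring blanks and '#' comments.
    Keys are lowercased; the first occurrence wins, matching sshd precedence."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: no value
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def compare(config: dict, reference: dict, source: str) -> list:
    """Return one Finding per reference setting that is missing or differs."""
    findings = []
    for key, expected in reference.items():
        actual = config.get(key)
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(key, expected, actual, source))
    return findings


def assess(config_text: str) -> dict:
    """Run both comparisons (option A: benchmark, option C: baseline)."""
    config = parse_config(config_text)
    return {
        "benchmark": compare(config, PLATFORM_BENCHMARK, "benchmark"),
        "baseline": compare(config, COMPANY_BASELINE, "baseline"),
    }


if __name__ == "__main__":
    for source, findings in assess(SAMPLE_CONFIG).items():
        print(f"Deviations from {source}: {len(findings)}")
        for f in findings:
            shown = f.actual if f.actual is not None else "<unset>"
            print(f"  {f.setting}: expected {f.expected!r}, found {shown!r}")
```

Note that an unset setting is reported as a deviation rather than silently treated as compliant: a benchmark states the value it expects, and "not configured" means the daemon default applies, which the analyst has to verify separately. Running the two comparisons side by side also shows why the baseline review matters: PasswordAuthentication is a benchmark deviation but an accepted, documented exception in the company baseline, so it is a risk-acceptance item rather than a finding to remediate.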