Which violates a regulatory requirement. The assessor reviews hardening guides and determines policy allows for this configuration. It would be MOST appropriate for the assessor to advise the organization to:

A security assessor is working with an organization to review the policies and procedures associated with managing the organization’s virtual infrastructure.
During a review of the virtual environment, the assessor determines the organization is using servers to provide more than one primary function, which violates a regulatory requirement. The assessor reviews hardening guides and determines policy allows for this configuration. It would be MOST appropriate for the assessor to advise the organization to:
A. segment dual-purpose systems on a hardened network segment with no external access
B. assess the risks associated with accepting non-compliance with regulatory requirements
C. update system implementation procedures to comply with regulations
D. review regulatory requirements and implement new policies on any newly provisioned servers


4 thoughts on “Which violates a regulatory requirement. The assessor reviews hardening guides and determines policy allows for this configuration. It would be MOST appropriate for the assessor to advise the organization to:”

  1. C – update system implementation procedures. Messed up question.

    Problem: servers… violates a regulatory requirement, because policy allows for this.
    The assessor reviews hardening guides and determines policy allows for this configuration. (Where is the assessor from… internal or external? Whose hardening guides??? The assessor’s or the company’s? We have to assume it’s the company’s hardening guide. Policy before Procedure. A hardening guide is a procedure. We need to change the policy to comply with regulation, but there’s something wrong with the answers.)
    A. segment dual-purpose systems (no, after segmentation, it’s still in violation… besides, this is a huge effort to segment the system. It’s much easier to migrate one of the functions to a different server.)
    B. accepting non-compliance (no, it’s a violation that can be corrected.)
    C. update system implementation procedures to comply with regulations (Yes, this will do, but the procedure derives from policy. It’s the policy that really needs to be changed and then the procedure also needs to be updated.)
    D. review regulatory requirements and implement new policies on any newly provisioned servers (yes, implement new policies, but not just on newly provisioned servers… all servers need to adhere to new policies for compliance.)

    So, the better choice seems to be C.

  2. C. update system implementation procedures to comply with regulations

    I would rather advise the organization to comply.

    1. Agreed; avoiding regulatory compliance and hiding your dual purpose systems on a different network segment incurs legal risk / exposure.
