CAS-005 Question #425: Real Exam Question with Answer & Explanation
The correct answer is C: Align the impact subscore requirements to the predetermined system categorization.
Question
Due to budget constraints, an organization created a policy that only permits vulnerabilities rated high and critical according to CVSS to be fixed or mitigated. A security analyst notices that many vulnerabilities that were previously scored as medium are now breaching higher thresholds. Upon further investigation, the analyst notices certain ratings are not aligned with the approved system categorization. Which of the following can the analyst do to get a better picture of the risk while adhering to the organization's policy?
Options
- A. Align the exploitability metrics to the predetermined system categorization.
- B. Align the remediation levels to the predetermined system categorization.
- C. Align the impact subscore requirements to the predetermined system categorization.
- D. Align the attack vectors to the predetermined system categorization.
Explanation
CVSS’s Environmental metrics let you tune the Base scores to your own environment by adjusting the Security Requirements (CR, IR, AR) for Confidentiality, Integrity, and Availability. By mapping those impact weights to your system classification (for example, marking Integrity as “High” for systems that can’t tolerate data corruption), you get a recalculated environmental score that more accurately reflects real-world risk, while still sticking to the organization’s policy of only remediating high/critical CVSS scores.
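A worked illustration of the adjustment described above, added here and not part of the original question page: it implements the CVSS v3.1 Scope-Unchanged formula and applies a Security Requirement weight (CR/IR/AR) to a constructed integrity flaw, showing how the same Base vector moves across the organization's High threshold once the Integrity requirement matches the system's categorization. The vector and the system categorization are assumptions for the example.

```python
# Added example (not from the original page): CVSS v3.1 Environmental scoring
# with Security Requirement weights. Scope Unchanged only; E/RL/RC left at
# "Not Defined" (1.0), so the outer Environmental rounding is a no-op.
import math

# CVSS v3.1 metric weights
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}          # Scope Unchanged values
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}          # C / I / A impact
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}  # CR / IR / AR (X = not defined)


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, via integer math."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def severity(score: float) -> str:
    """Qualitative rating bands from the CVSS v3.1 specification."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def score(av, ac, pr, ui, c, i, a, cr="X", ir="X", ar="X"):
    """Base score when CR/IR/AR are all 'X'; Environmental score otherwise."""
    exploitability = 8.22 * AV[av] * AC[ac] * PR[pr] * UI[ui]
    # Modified ISS: each impact weight is scaled by its Security Requirement,
    # capped at 0.915 (the cap never binds for an unweighted Base vector).
    miss = min(1 - (1 - REQ[cr] * CIA[c]) * (1 - REQ[ir] * CIA[i])
               * (1 - REQ[ar] * CIA[a]), 0.915)
    impact = 6.42 * miss
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploitability, 10))


# Constructed flaw: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N on a system whose
# (assumed) categorization rates Integrity as High.
vec = ("N", "L", "L", "N", "N", "H", "N")
base = score(*vec)               # 6.5 Medium: below the fix-only-High policy line
aligned = score(*vec, ir="H")    # 8.3 High: IR aligned to the categorization
if __name__ == "__main__":
    print(base, severity(base), aligned, severity(aligned))
```

Running the same vector with `ir="L"` (a system that tolerates data corruption) yields 4.7, so the weighting can lower as well as raise a finding relative to the Base score.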