CISSP · Question #210
How does an organization verify that an information system's current hardware and software match the standard system configuration?
The correct answer is C. By comparing the actual configuration of the system against the baseline. Verifying that an information system matches its standard configuration requires comparing the actual system state against a documented baseline configuration.
Question
How does an organization verify that an information system's current hardware and software match the standard system configuration?
Options
- ABy reviewing the configuration after the system goes into production
- BBy running vulnerability scanning tools on all devices in the environment
- CBy comparing the actual configuration of the system against the baseline
- DBy verifying all the approved security patches are implemented
How the community answered
(26 responses)- B4% (1)
- C92% (24)
- D4% (1)
Why each option
Verifying that an information system matches its standard configuration requires comparing the actual system state against a documented baseline configuration.
Reviewing the configuration only after production deployment is a reactive, one-time check that does not constitute an ongoing or systematic verification process against a defined standard.
Vulnerability scanning identifies known security weaknesses and missing patches but does not directly compare the full hardware/software inventory and settings against an approved standard configuration baseline.
A configuration baseline is a documented, approved snapshot of a system's hardware and software settings at a specific point in time. Comparing the actual (current) configuration against this baseline is the standard method for detecting unauthorized changes, drift, or deviations from the approved standard. This practice is a core component of Configuration Management (CM) controls as defined in frameworks like NIST SP 800-53.
Verifying patch implementation is a subset of security hardening and patch management, which addresses only one aspect of configuration compliance rather than the complete hardware and software configuration state.
Concept tested: Configuration baseline comparison and configuration management
Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Topics
Community Discussion
No community discussion yet for this question.