nerdexam
(ISC)2

CISSP · Question #210

How does an organization verify that an information system's current hardware and software match the standard system configuration?

The correct answer is C. By comparing the actual configuration of the system against the baseline. Verifying that an information system matches its standard configuration requires comparing the actual system state against a documented baseline configuration.

Submitted by anjalisingh· Mar 5, 2026Security Operations

Question

How does an organization verify that an information system's current hardware and software match the standard system configuration?

Options

  • ABy reviewing the configuration after the system goes into production
  • BBy running vulnerability scanning tools on all devices in the environment
  • CBy comparing the actual configuration of the system against the baseline
  • DBy verifying all the approved security patches are implemented

How the community answered

(26 responses)
  • B
    4% (1)
  • C
    92% (24)
  • D
    4% (1)

Why each option

Verifying that an information system matches its standard configuration requires comparing the actual system state against a documented baseline configuration.

ABy reviewing the configuration after the system goes into production

Reviewing the configuration only after production deployment is a reactive, one-time check that does not constitute an ongoing or systematic verification process against a defined standard.

BBy running vulnerability scanning tools on all devices in the environment

Vulnerability scanning identifies known security weaknesses and missing patches but does not directly compare the full hardware/software inventory and settings against an approved standard configuration baseline.

CBy comparing the actual configuration of the system against the baselineCorrect

A configuration baseline is a documented, approved snapshot of a system's hardware and software settings at a specific point in time. Comparing the actual (current) configuration against this baseline is the standard method for detecting unauthorized changes, drift, or deviations from the approved standard. This practice is a core component of Configuration Management (CM) controls as defined in frameworks like NIST SP 800-53.

DBy verifying all the approved security patches are implemented

Verifying patch implementation is a subset of security hardening and patch management, which addresses only one aspect of configuration compliance rather than the complete hardware and software configuration state.

Concept tested: Configuration baseline comparison and configuration management

Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Topics

#configuration management#security baseline#system hardening#compliance

Community Discussion

No community discussion yet for this question.

Full CISSP Practice