CompTIA Security Plus Mock Test Q259

A security engineer is given new application extensions each month that need to be secured prior to implementation. They do not want the new extensions to invalidate or interfere with existing application security. Additionally, the engineer wants to ensure that the new requirements are approved by the appropriate personnel. Which of the following should be in place to meet these two goals? (Select TWO).

A. Patch Audit Policy
B. Change Control Policy
C. Incident Management Policy
D. Regression Testing Policy
E. Escalation Policy
F. Application Audit Policy

Correct Answer: B,D
Section: Compliance and Operational Security

A backout (regression testing) is a reversion from a change that had negative consequences. It could be, for example, that everything was working fi ne until you installed a service pack on a production machine, and then services that were normally available were no longer accessible. The backout, in this instance, would revert the system to the state that it was in before the service pack was applied. Backout plans can include uninstalling service packs, hotfi xes, and patches, but they can also include reversing a migration and using previous firmware. A key component to creating such a plan is identifying what events will trigger your implementing the backout. A change control policy refers to the structured approach that is followed to secure a company’s assets in the event of changes occurring.

Incorrect Answers:
A: Patch Audit Policy refers to proper patch management and more the specific the evaluation thereof that should be in place to keep your systems up to date.
C: Incident management policies outline the steps followed when events occur (making sure controls are in place to prevent unauthorized access to, and changes of, all IT assets).
E: Escalation Policy is used to make sure that the right ppeol are alerted at the right time. If an incident is not acknowledged or resolved within an escalation time-out period, it is
passed on, or escalated to the next user/s in line.
F: Application Audit Policy refers to the process of evaluation regarding applications used on your network.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 10, 443