Security Assessments for Virtual Infrastructure Management Policies and Procedures | CompTIA CASP+ Exam Preparation

Reviewing and Advising on Virtual Infrastructure Management Policies and Procedures

Question

A security assessor is working with an organization to review the policies and procedures associated with managing the organization's virtual infrastructure.

During a review of the virtual environment, the assessor determines the organization is using servers to provide more than one primary function, which violates a regulatory requirement.

The assessor reviews the hardening guides and determines that the organization's policy allows this configuration.

It would be MOST appropriate for the assessor to advise the organization to:

Answers

A. Segment dual-purpose systems on a hardened network segment with no external access
B. Assess the risks associated with accepting non-compliance with regulatory requirements
C. Update system implementation procedures to comply with regulations
D. Review regulatory requirements and implement new policies on any newly provisioned servers

Explanations

C.

In this scenario, the security assessor has determined that the organization is violating a regulatory requirement by using servers to provide more than one primary function in their virtual environment. However, upon reviewing hardening guides, the assessor has found that the organization's policies allow for this configuration. The question asks what would be the most appropriate advice for the assessor to give to the organization.

Option A: Segment dual-purpose systems on a hardened network segment with no external access. This option involves separating the dual-purpose systems onto a hardened network segment with no external access. This would help to mitigate the risk of the organization violating the regulatory requirement. By placing these systems on a separate segment, the organization can limit the number of individuals who have access to them and ensure that they are more secure. This option is a good recommendation because it addresses the violation of regulatory requirements while still allowing the organization to continue using dual-purpose systems.

Option B: Assess the risks associated with accepting non-compliance with regulatory requirements. This option involves assessing the risks associated with non-compliance with regulatory requirements. While this is an important step to take, it does not provide a solution to the problem. Assessing the risks associated with non-compliance may help the organization make an informed decision, but it does not address the root of the problem.

Option C: Update system implementation procedures to comply with regulations. This option involves updating the organization's system implementation procedures to comply with regulations. While this is a good recommendation, it may not be feasible or cost-effective for the organization. Additionally, this option does not address the immediate violation of the regulatory requirement.

Option D: Review regulatory requirements and implement new policies on any newly provisioned servers. This option involves reviewing regulatory requirements and implementing new policies on any newly provisioned servers. While this is a good recommendation for the long term, it does not address the immediate violation of the regulatory requirement. Additionally, it does not provide a solution for the current dual-purpose systems that are in use.

Based on the above analysis, option A is the most appropriate advice for the assessor to give to the organization. This option addresses the violation of regulatory requirements and provides a solution that allows the organization to continue using dual-purpose systems.