Question 144 of 270 from exam CAS-003: CompTIA CASP+

Question

Click on the exhibit buttons to view the four messages.

Message 1

Subject: Security Escalation for ProjectX

I am escalating a security issue for ProjectX, which is an initiative to deliver exciting banking
features to customers, with an initial release scheduled for next week.

The project had originally planned to implement storage-level encryption of customer details, but it
is unable to deliver this security control in time for next week's launch. The impact will be
minimized if the project agrees on a post-launch mitigation date for this security control, as well as
implementing detective controls in the interim (i.e., additional staff performing log monitoring of all
calls to the storage module).

Is leadership willing to accept this project risk or are additional details needed to be able to reach a
decision?

Message 2

Subject: Security Vulnerability for ProjectX

It has come to my attention that ProjectX has a security vulnerability. The storage module does not
encrypt sensitive customer details, and this could lead to a data breach, resulting in negative
media attention.

My recommendation is to delay the launch until this security control is implemented. Do you
concur?

Message 3

Subject: ALERT - Security Risks

ProjectX is not encrypting customer data!! This is probably a compliance issue. I really think the
project should be put on hold until this critical vulnerability is fixed. The project team is not listening
to me even though I told them they need to encrypt customer data. Can you please tell them this
really needs to be fixed?

Message 4

Subject: Sensitive-Security

As you may be aware, ProjectX is our new flagship customer banking platform in development, and
it is launching next week with an initial set of features. The features include customer banking
details, which are going to be real game-changers compared to what our competition is doing; so,
the release is obviously an important and timely one.

However, the project team has been delayed with functional bugs and has not been able
to implement all of the security controls that were agreed upon. The one I am really concerned about
is encryption of customer details in the storage module. We had several meetings and came to an
agreement that this would be done with AES-256 in GCM mode and by rotating the encryption key
every 30 days to limit the effect of a key compromise, if one were to occur. This AES code has not
been implemented yet and would probably take another week or two to implement and test. This would
obviously delay the launch. Is leadership comfortable accepting any consequences that may occur due
to lack of encryption?

A security architect is working with a project team to deliver an important service that stores and processes customer banking details.

The project, internally known as ProjectX, is due to launch its first set of features publicly within a week, but the team has not been able to implement encryption-at-rest of the customer records.

The security architect is drafting an escalation email to senior leadership.

Which of the following BEST conveys the business impact for senior leadership?

Answers

Explanations

A. B. C. D.

A.