COMPTIA CYBERSECURITY ANALYST (CYSA+) 2.0 VULNERABILITY MANAGEMENT. EXAM QUESTIONS AND ANSWERS. VERIFIED 2025/2026.
- Regulatory environments - ANS an environment in which an organization exists or operates that is controlled to a significant degree by laws, rules, or regulations put in place by government (federal, state, or local), industry groups, or other organizations. In a nutshell, it is what happens when you have to play by someone else's rules, or else risk serious consequences. A common feature of these environments is that they have enforcement groups and procedures to deal with noncompliance. Examples include HIPAA, ISO/IEC 27001, PCI DSS and GLBA.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) - ANS United States law enacted in 1996 to provide data privacy and security provisions for safeguarding medical information. It does not specifically require that an organization conduct vulnerability scanning. It establishes penalties (ranging from $100 to $1.5 million) for covered entities that fail to safeguard PHI.
Gramm-Leach-Bliley Act (GLBA) - ANS A law that requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information. It does not specifically require that an organization conduct vulnerability scanning.
PCI DSS (Payment Card Industry Data Security Standard) - ANS A global standard for protecting stored, processed, or transmitted payment card information.
1 @COPYRIGHT 2025/2026 ALL RIGHTS RESERVED.
ISO/IEC 27001 (The International Organization for Standardization/International Electrotechnical Commission) - ANS Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system. It is arguably the most popular voluntary security standard in the world and covers every important aspect of developing and maintaining good information security.
Federal Information Security Management Act of 2002 (FISMA) - ANS United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. It requires that government agencies, and other organizations operating on behalf of government agencies, comply with a series of security standards.
Federal Information Processing Standards (FIPS) - ANS a set of standards that describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies.
- Corporate policy - ANS an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.
Security policy - ANS can be organizational, issue specific, or system specific.
Organizational Security Policy - ANS management establishes how a security program will be set up, lays out the program's goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out.
Issue Specific Security Policy - ANS also called a functional policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.
System Specific Security Policy - ANS Presents the management's decisions that are specific to the actual computers, networks and applications.
- Data classification - ANS An important item of metadata that should be attached to all data is a classification level. This classification tag is important in determining the protective controls we apply to the information.
• Private: Information whose improper disclosure could raise personal privacy issues
• Confidential: Data that could cause grave damage to the organization
• Proprietary (or sensitive): Data that could cause some damage, such as loss of competitiveness, to the organization
• Public: Data whose release would have no adverse effect on the organization
- Asset inventory - ANS
• Critical
• Non-critical
Critical (Critical Asset) - ANS anything that is absolutely essential to performing the primary functions of your organization. This set would include your web platforms, data servers, and financial systems. Critical assets also require a higher degree of attention when it comes to vulnerability scanning, both in the thoroughness of each scan and in the frequency of scanning.
Noncritical (Noncritical asset) - ANS though valuable, is not required for the accomplishment of your main mission as an organization. Noncritical assets should still be included in your vulnerability management plan but given limited resources and placed at a lower priority.
Common Vulnerabilities - ANS
• Missing patches/updates: A system could be missing patches or updates for numerous reasons. If the reason is legitimate (for example, an industrial control system that cannot be taken offline), then this vulnerability should be noted, tracked, and mitigated using an alternate control.
• Misconfigured firewall rules: Whether or not a device has its own firewall, the ability to reach it across the network, which should be restricted by firewalls or other means of segmentation, is oftentimes lacking.