What should configuration standards for all system components address?

Prepare for the PCI Approved Scanning Vendor (ASV) Test. Study with flashcards, multiple choice questions, hints, and explanations. Get exam ready!

Multiple Choice

What should configuration standards for all system components address?

Explanation:
Configuration standards for all system components should reference established security benchmarks from widely recognized authorities. Using guidance from CIS, ISO, SANS, and NIST provides a comprehensive, vendor-neutral foundation for secure baselines, covering hardening practices, secure defaults, patch and vulnerability management, logging and monitoring, access controls, and how configurations should be managed across operating systems, networks, databases, and applications. Relying only on vendor configuration guides can leave gaps where products differ or where consistent, cross-product baselines are needed. National security risk assessment guidelines focus on evaluating risk rather than detailing concrete security settings. Internal change control procedures matter for governance, but they describe processes rather than the substantive configuration content itself.
