# Configuration Review and Benchmarks

One-sentence definition: Compare system settings to baselines (CIS/STIG) to identify risk and drift.

## Key Facts

- Evaluate OS, DB, middleware, network devices, cloud services.
- Evidence: configs, screenshots, command outputs; verify the sample.
- Automate with policy-as-code; track exceptions and waivers.
- **Verify:** check the official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose config review for quick hygiene wins.

**Mnemonic:** “**Bench** it, then **fix** it.”

## Mini Scenario

Q: SSH allows root login. How was it found?
A: Baseline comparison during config review.

## Revision Checklist

- Two artifact types.
- Exception handling.
- Automation benefit.

## Related

[[Network Vulnerability Scanning (Internal External)]] · [[Secure Management and Out-of-Band (OOB)]] · [[Security Metrics for Testing Programs]] · [[Remediation Verification and Regression Testing]] · [[Cloud Security Assessment (Shared Responsibility)]] · [[Domain 6 - Index]]