Chapter 5 Β· Quiz

Gap Analysis Quiz

Multiple choice, matching, analysis, and evaluation questions.

Part A β€” Multiple Choice

Q1
What is the PRIMARY purpose of a gap analysis in information security?
βœ… Correct: B. A gap analysis compares where you are to where you need to be. It identifies the gaps β€” it doesn't fix them directly (that's the remediation roadmap).
Q2
Which NIST document specifically addresses protecting Controlled Unclassified Information in nonfederal systems?
βœ… Correct: C β€” NIST SP 800-171 Rev 2. Full title: "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." This is the standard referenced in the SY0-701 curriculum for gap analysis baselines.
Q3
In a gap analysis traffic light matrix, what does a RED cell indicate?
βœ… Correct: C. Red indicates significant gaps from the baseline. Remediation should start with red locations, then yellow, then address any remaining green maintenance needs.
Q4
Before beginning a gap analysis, an organization must FIRST:
βœ… Correct: B. The baseline is the prerequisite. Without a defined target state, there is nothing to measure the current state against β€” no gap can be identified.
Q5
A gap analysis report contains more than just a list of current security gaps. What additional critical element must it include?
βœ… Correct: B. The gap analysis report must include the PATH to improvement β€” not just what's wrong. Costs, timeline, change control requirements, and specific recommendations are all required components.

Part B β€” Matching

Match each baseline to its description.

BASELINE

NIST SP 800-171
ISO/IEC 27001
Custom Baseline
Red in the matrix

DESCRIPTION

Protecting CUI in nonfederal systems
International ISMS standard
Organization-specific requirements
Highest priority remediation

Part C β€” Analysis

Q6 β€” Analyze
An organization skips the baseline-selection step and immediately begins evaluating their current security processes. What is the fundamental problem with this approach?
βœ… Correct: B. A gap is the difference between current state and desired state. Without defining the desired state first, you can document current state β€” but you have no reference point against which to identify gaps. The entire analytical value of the gap analysis is lost.

Part D β€” Evaluation

Q7 β€” Evaluate
A gap analysis of 7 locations shows 3 locations are red, 3 are yellow, and 1 is green. Limited budget allows remediation at only 2 locations this year. How should the organization prioritize and justify its decision?
βœ… Correct: C. Red locations have the most significant gaps and highest risk. Among reds, prioritize by impact (employee count, sensitive data handled, business criticality). This maximizes risk reduction per dollar spent. The gap analysis report should explicitly document this prioritization rationale.
0/7
Questions Answered Correctly