π― Trick 1 β Gap Analysis β Penetration Test
An exam question asks: "A security team wants to understand how their current defenses compare to industry best practices." A student answers "penetration testing." Is this correct?
The key phrase is "compare to best practices/baseline." That's gap analysis language. A penetration test actively exploits vulnerabilities β it doesn't compare to a framework. When you see "compare current state to desired state" or "identify where we fall short of a standard" β gap analysis. When you see "attempt to breach systems" or "test exploitability" β penetration test.
π― Trick 2 β The Report Must Include the PATH
A gap analysis report documents all identified security gaps. A manager says: "Great, now I know what's wrong." Is the gap analysis complete?
The gap analysis report must include MORE than just the current gaps. It must include:
β’ The remediation roadmap (how to close each gap)
β’ Cost estimates
β’ Timeline for implementation
β’ Change control requirements
Without the PATH forward, the report tells you where you are but not how to get where you need to be. That's only half the analysis.
π― Trick 3 β NIST 800-171 vs. NIST 800-53
Which NIST document is referenced specifically in the CompTIA SY0-701 curriculum for gap analysis? Students sometimes confuse 800-53 and 800-171.
β’ NIST 800-171: "Protecting CUI in Nonfederal Systems" β for organizations that handle government information but aren't government agencies.
β’ NIST 800-53: "Security and Privacy Controls for Information Systems and Organizations" β primarily for federal agencies.
On the exam, if asked about protecting CUI in nonfederal systems β 800-171. If asked about federal government controls β 800-53.
π― Trick 4 β Change Control in Remediation
After a gap analysis, a team immediately begins installing patches and reconfiguring firewalls at a hospital to close the identified gaps. No change control process is followed. What could go wrong?
In a hospital: an uncoordinated firewall change could block critical medical device communication. An unplanned patch might cause system instability on life-support monitoring equipment. Change control ensures changes are tested, scheduled during maintenance windows, and approved by stakeholders β preventing the "cure" from being worse than the disease.
π― Performance Task β Prioritize the Matrix
Given this matrix result: Campuses A, B, C are Red. Campuses D, E are Yellow. Campus F is Green. Budget allows full remediation at only 2 campuses this year. Campus A serves 2,000 employees and houses the primary data center. Campus B serves 200 employees. Campus C processes financial transactions. Justify your remediation priority.
Priority 2: Campus C β Red + financial transactions = high regulatory risk (PCI-DSS) and financial exposure. A breach could result in fines, fraud, and reputational damage.
Defer: Campus B (Red but smallest impact), Campuses D/E (Yellow β partial compliance, manageable risk), Campus F (Green β maintain, don't overhaul).
Justification: Risk = Likelihood Γ Impact. Start with highest-impact gaps in critical systems.
π― Trick 5 β How Long Is "Too Long"?
A student assumes a gap analysis takes 1-2 weeks. Their answer on an essay question reflects this. What's the correct expectation?
For a large, multi-location organization, a thorough gap analysis involving dozens of stakeholders, hundreds of control requirements, and extensive data collection easily takes 3-12 months. The SY0-701 curriculum explicitly notes this complexity. On the exam, if asked about timeframe: the correct answer acknowledges the process is lengthy and resource-intensive.