Chapter 5 Β· Tricks & Performance

Trick Questions & Performance Tasks

Common exam traps for Gap Analysis.

⚠️ Think before you reveal.

🎯 Trick 1 β€” Gap Analysis β‰  Penetration Test

An exam question asks: "A security team wants to understand how their current defenses compare to industry best practices." A student answers "penetration testing." Is this correct?

No β€” this describes a gap analysis.

The key phrase is "compare to best practices/baseline." That's gap analysis language. A penetration test actively exploits vulnerabilities β€” it doesn't compare to a framework. When you see "compare current state to desired state" or "identify where we fall short of a standard" β†’ gap analysis. When you see "attempt to breach systems" or "test exploitability" β†’ penetration test.

🎯 Trick 2 β€” The Report Must Include the PATH

A gap analysis report documents all identified security gaps. A manager says: "Great, now I know what's wrong." Is the gap analysis complete?

No β€” an incomplete gap analysis.

The gap analysis report must include MORE than just the current gaps. It must include:
β€’ The remediation roadmap (how to close each gap)
β€’ Cost estimates
β€’ Timeline for implementation
β€’ Change control requirements

Without the PATH forward, the report tells you where you are but not how to get where you need to be. That's only half the analysis.

🎯 Trick 3 β€” NIST 800-171 vs. NIST 800-53

Which NIST document is referenced specifically in the CompTIA SY0-701 curriculum for gap analysis? Students sometimes confuse 800-53 and 800-171.

NIST SP 800-171 is the one in the SY0-701 curriculum.

β€’ NIST 800-171: "Protecting CUI in Nonfederal Systems" β€” for organizations that handle government information but aren't government agencies.
β€’ NIST 800-53: "Security and Privacy Controls for Information Systems and Organizations" β€” primarily for federal agencies.

On the exam, if asked about protecting CUI in nonfederal systems β†’ 800-171. If asked about federal government controls β†’ 800-53.

🎯 Trick 4 β€” Change Control in Remediation

After a gap analysis, a team immediately begins installing patches and reconfiguring firewalls at a hospital to close the identified gaps. No change control process is followed. What could go wrong?

Uncontrolled changes can cause outages or unexpected failures.

In a hospital: an uncoordinated firewall change could block critical medical device communication. An unplanned patch might cause system instability on life-support monitoring equipment. Change control ensures changes are tested, scheduled during maintenance windows, and approved by stakeholders β€” preventing the "cure" from being worse than the disease.

🎯 Performance Task β€” Prioritize the Matrix

Given this matrix result: Campuses A, B, C are Red. Campuses D, E are Yellow. Campus F is Green. Budget allows full remediation at only 2 campuses this year. Campus A serves 2,000 employees and houses the primary data center. Campus B serves 200 employees. Campus C processes financial transactions. Justify your remediation priority.

Priority 1: Campus A β€” Red + 2,000 employees + primary data center = maximum risk surface. A breach here impacts the entire organization.

Priority 2: Campus C β€” Red + financial transactions = high regulatory risk (PCI-DSS) and financial exposure. A breach could result in fines, fraud, and reputational damage.

Defer: Campus B (Red but smallest impact), Campuses D/E (Yellow β€” partial compliance, manageable risk), Campus F (Green β€” maintain, don't overhaul).

Justification: Risk = Likelihood Γ— Impact. Start with highest-impact gaps in critical systems.

🎯 Trick 5 β€” How Long Is "Too Long"?

A student assumes a gap analysis takes 1-2 weeks. Their answer on an essay question reflects this. What's the correct expectation?

Gap analyses commonly take weeks, months, or even years.

For a large, multi-location organization, a thorough gap analysis involving dozens of stakeholders, hundreds of control requirements, and extensive data collection easily takes 3-12 months. The SY0-701 curriculum explicitly notes this complexity. On the exam, if asked about timeframe: the correct answer acknowledges the process is lengthy and resource-intensive.