The exam will present scenarios where an organization "has a security baseline" but is still experiencing security failures. The trick is recognizing that a baseline document sitting on a SharePoint server does nothing. The control is the automated tooling that deploys, enforces, and monitors the baseline on actual systems. When a question asks what is missing or what should be added, look for the enforcement mechanism β not more documentation.
Exam questions on configuration drift often describe symptoms β systems that appear healthy but have degraded security posture β and ask for the cause or the solution. The key characteristics of drift: it happens gradually (not in a single event), it is invisible without active monitoring, and each individual change may seem minor while the cumulative effect is significant. The detection mechanism is integrity measurement / continuous monitoring; the response to detected drift is immediate investigation and remediation.
The exam may ask where security baselines come from or what the starting point is for building one. The answer is always manufacturer recommendations β not internal policy, not guesswork. Three sources: application developer, OS manufacturer, appliance manufacturer. For Windows specifically, Microsoft's Security Compliance Toolkit (SCT) is the named tool. Organizations start there and adapt for their context.
The exam distinguishes between settings that rarely change (stable best practices) and situations that require active baseline updates. Know the three triggers for baseline updates cold: new vulnerability discovered, application updated, new OS installed. A question describing one of these situations and asking what should be done β the answer involves updating the baseline, not just patching or waiting.