CompTIA Updated CAS-005 Exam Questions and Answers by neriah

The best answer is D. Deploying a dedicated base station and reducing the footprint with highly directional antennas . The biggest risk in the scenario is that unencrypted control traffic is traversing the internet over a cellular network . Since encryption is not feasible, the best compensating control is to reduce exposure by making the wireless path more private, more local, and less accessible to unintended parties. A dedicated base station with directional antennas narrows the RF footprint and reduces interception and unauthorized access opportunities compared with broad internet-based cellular exposure. CompTIA’s SecurityX objectives emphasize Security Architecture , including secure boundaries, compensating controls, and resilient design choices when ideal controls cannot be used.

Why the other options are not best:

A is helpful as a detective control, but it does not reduce the core exposure of unencrypted communications over public infrastructure. B is impractical and technically weak here; standard Cat 5e is not the right medium for a 0.5-mile river crossing. C may detect post-compromise changes, but it does not reduce the likelihood of network compromise in the first place. Because encryption cannot be used, the best risk-reduction strategy is to minimize signal exposure and dependence on public internet-connected cellular paths.

SecurityX CAS-005 emphasizes automation with validation in security operations. Security Orchestration, Automation, and Response (SOAR) platforms can integrate with Threat Intelligence Platforms (TIPs) to verify threat indicators before triggering automated endpoint isolation through EDR APIs. This approach reduces the spread of malware while minimizing the chance of isolating clean systems due to false positives.

Isolating endpoints on any alert (B) is high-risk and can disrupt business operations.

Manual review (C) is too slow for fast-moving threats.

Suppressing alerts (D) risks missing critical events entirely.

The best answer is C. Privacy regulations . A data subject access request process exists to support an individual’s right to access their personal data. Regulators and official privacy guidance define this as a core privacy right. The UK ICO explains that the “right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data” , and Article 15 GDPR establishes the same right in law. Because the security officer is asking a third party to prove it can handle these requests, the officer is clearly validating compliance with privacy law and related data protection obligations.

This also aligns with CompTIA SecurityX’s GRC focus on compliance requirements, program documentation, and data governance. A third party that processes personal data for the enterprise must be able to respond appropriately to access requests from data subjects, so confirming that process is a due diligence activity tied to regulatory privacy compliance rather than e-discovery, certification, or generic reporting frameworks.

Why the other options are incorrect:

A. Information security standards may require good practices, but DSAR handling is specifically about privacy rights. B. E-discovery requirements relate to legal discovery and litigation processes, not an individual’s privacy access rights. D. Certification requirements and E. Reporting frameworks are not the primary reason an organization must support subject access requests. The clearest and most accurate answer is privacy regulations.