Sara, a security manager, has decided to force expiration of all company passwords by the close of
business day. Which of the following BEST supports this reasoning?

A.
A recent security breach in which passwords were cracked.

B.
Implementation of configuration management processes.

C.
Enforcement of password complexity requirements.

D.
Implementation of account lockout procedures.

Explanation:
A password only needs to be changed if it doesn’t meet the compliance requirements of the company’s
password policy, or is evidently insecure. It will also need to be changed if it has been reused, or due to
possible compromise as a result of a system intrusion.
Incorrect Answers:
B: Configuration management provides visibility and control of a system’s performance, as well as its
functional and physical attributes.
C: Password complexity normally requires a minimum of three out of four standard character types to be
represented in the password. It would not require forcing expiration of all company passwords by the
close of business day.
D: Account lockout automatically disables an account due to repeated failed log on attempts. It would not
require forcing expiration of all company passwords by the close of business day.

Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 292, 293
http://en.wikipedia.org/wiki/Configuration_management