The best answer is A. Internal self-assessment.
A gap analysis is used to compare the organization’s current security, compliance, or control posture against a required standard, framework, or regulatory requirement. If the company wants to do this in the most cost-effective way, an internal self-assessment is the best choice because it allows the organization to review its own policies, procedures, controls, and documentation without the added expense of external testing or specialized attack simulations.
Why the other options are incorrect:
B. Active reconnaissance: Active reconnaissance involves directly interacting with systems to gather information, often as part of security testing or attack emulation. It is not the best option for a compliance-focused gap analysis.
C. Red team penetration test: A red team exercise is more advanced and expensive. It simulates real-world attacks to test detection and response capabilities. This is valuable for security maturity, but it is not the most cost-effective method for identifying compliance gaps before an audit.
D. Tabletop exercise: A tabletop exercise is a discussion-based activity used to test incident response plans, communication, and decision-making. It does not primarily identify regulatory compliance gaps.
From a Security+ perspective, self-assessments, audits, and gap analyses are part of governance, risk, and compliance activities. For a low-cost review against regulatory requirements, internal self-assessment is the most appropriate answer.