Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.
Does the organization periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services?