A business owner has raised concerns with the Chief Information Security Officer (CISO) because
money has been spent on IT security infrastructure, but corporate assets are still found to be
vulnerable. The business recently implemented a patch management product and SOE hardening
initiative. A third-party auditor reported findings against the business because some systems were
missing patches. Which of the following statements BEST describes this situation?
A. The business owner is at fault because they are responsible for patching the systems and have
already been given patch management and SOE hardening products.
B. The audit findings are invalid because remedial steps have already been applied to patch
servers and the remediation takes time to complete.
C. The CISO has not selected the correct controls and the audit findings should be assigned to
them instead of the business owner.
D. Security controls are generally never 100% effective and gaps should be explained to
stakeholders and managed accordingly.