A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer (CISO) because money has been spent on IT security infrastructure, but corporate assets are still found to be vulnerable. The business recently funded a patch management product and SOE hardening initiative. A third party auditor reported findings against the business because some systems were missing patches. Which of the following statements BEST describes this situation?
A. The CFO is at fault because they are responsible for patching the systems and have already been given patch management and SOE hardening products.
B. The audit findings are invalid because remedial steps have already been applied to patch servers and the remediation takes time to complete.
C. The CISO has not selected the correct controls and the audit findings should be assigned to them instead of the CFO.
D. Security controls are generally never 100% effective and gaps should be explained to stakeholders and managed accordingly.
Answer: D