CAS-003 · Question #184
A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer (CISO) because money has been spent on IT security infrastructure, but corporate assets are still found
The correct answer is D. Security controls are generally never 100% effective and gaps should be explained to. Security controls can never be run 100% effective and is mainly observed as a risk mitigation strategy thus the gaps should be explained to all stakeholders and managed accordingly.
Question
A Chief Financial Officer (CFO) has raised concerns with the Chief Information Security Officer (CISO) because money has been spent on IT security infrastructure, but corporate assets are still found to be vulnerable. The business recently funded a patch management product and SOE hardening initiative. A third party auditor reported findings against the business because some systems were missing patches. Which of the following statements BEST describes this situation?
Options
- AThe CFO is at fault because they are responsible for patching the systems and have already
- BThe audit findings are invalid because remedial steps have already been applied to patch servers
- CThe CISO has not selected the correct controls and the audit findings should be assigned to them
- DSecurity controls are generally never 100% effective and gaps should be explained to
How the community answered
(29 responses)- A3% (1)
- B3% (1)
- C10% (3)
- D83% (24)
Explanation
Security controls can never be run 100% effective and is mainly observed as a risk mitigation strategy thus the gaps should be explained to all stakeholders and managed accordingly.
Topics
Community Discussion
No community discussion yet for this question.