Certified Information Security Manager (CISM) — Question 960

A situation where an organization has unpatched IT systems in violation of the patching policy should be treated as:

Answer options

• A. an increased threat profile.
• B. a vulnerability management failure.
• C. an increased risk profile.
• D. a security control failure.

Correct answer: D

Explanation

The correct answer is D, as unpatched systems indicate that security controls meant to protect the organization are not functioning properly. Options A and C refer to threat and risk assessment rather than the failure of controls, while B suggests a broader failure in vulnerability management which doesn't specifically address the control aspect.