Certified in Risk and Information Systems Control (CRISC) — Question 1376

Which of the following represents a vulnerability?

Answer options

• A. An employee recently fired for insubordination
• B. An identity thief seeking to acquire personal financial data from an organization
• C. Media recognition of an organization's market leadership in its industry
• D. A standard procedure for applying software patches two weeks after release

Correct answer: D

Explanation

Option D is correct because delaying the application of software patches can leave a system vulnerable to exploitation. Options A and C do not indicate vulnerabilities, as they relate to personnel and reputation, respectively. Option B describes a threat rather than a vulnerability.