Ref URL: https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=901613
Ref Text:
Audit and Assessment
Systematic audit and assessment is critical to gauge the success and extent of patch
management efforts. After patch deployment, organizations should verify that they have
fixed or mitigated vulnerabilities as intended. They can accomplish this by reviewing
patch logs to verify whether the recommended patches were installed properly,
conducting follow-up scans, and conducting penetration tests to make sure their systems
aren’t vulnerable to the exploit code the patch is designed to thwart.
They say "The success of a patch management process". Audit and assessment after the patch is deployed makes sense. But they are talking about the patch management process here, not after deploying the patch. I am thinking about maybe "A".
D. Auditing and assessment. If the question had used the word "ensure" instead of "determine", in that case I would have picked answer A. Change Management. Since the question is asking for "the BEST way to determine the success" instead of "the BEST way to ensure the success", the correct answer is therefore D. Auditing and assessment.
This question talks about the success of a process. It doesn't matter what the process is, I think "patching" is there to throw you off. Audit is really the best way to see if your process was successful or not.
Also, here it talks about audit, nothing about change management:
https://purplesec.us/learn/vulnerability-management-metrics/
D. Auditing and assessment is the best way to determine the success of a patch management process. Auditing involves regularly reviewing the patch management process to ensure that it is being implemented correctly and that all necessary patches are being applied. Assessment involves evaluating the effectiveness of the patch management process in reducing vulnerabilities and mitigating risks. Together, auditing and assessment provide a comprehensive view of the patch management process and allow for identification of areas for improvement.
From the CISSP Official Study Guide - 'Verifying that patches are deployed: After deploying patches, administrators regularly test and audit systems to ensure they are patched. Many deployment tools include the ability to audit systems. Additionally, many vulnerability assessment tools include the ability to check systems to ensure that they have the appropriate patches.'
Struggling between A and D.
Part of change management is to test and document the change once it is completed.
Auditing and Assessment can also be the answer; for example, the security team uses the Nessus scanner to make sure (assessing) servers do not have vulnerabilities.
I vote for D:
Change management is vital to every stage of the patch management process. As with all system modifications, patches and updates must be performed and tracked through the change management system. It is highly unlikely that an enterprise-scale patch management program can be successful without proper integration with the change management system and organization.
ref: https://www.alvaka.net/why-are-patch-management-and-change-management-important/
Patch management is usually part of Enterprise Change Management.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf
"administrative activities occurring throughout the software vulnerability management life cycle, such as updating documentation, audit logging, and generating actionable insights and reports as part of enterprise change management. Having robust change management policies and processes in place is a fundamental part of software vulnerability management"
It should be A, which should be approved by management and tested by change management, and then leads to a successful patch.