2 votes
A vulnerability in the customer relationship management (CRM) software is being exploited by malicious hackers. The CRM vendor indicated that a quick-fix to the software will not be available for a week. The patch management process will take another 3 days to complete after receiving the quick-fix. What compensating control should be put in place to protect the CRM system and customers’ personal data in the meantime?

A. Inform customers about the situation and the potential risk to their personal data.
B. Monitor the CRM system and review the system logs for anomalies on a daily basis.
C. Shut down the CRM system until the patch is installed and email customers about delays.
D. Shorten the testing period for the patch management process to release the patch sooner.

by User Simonhamp (7.6k points)

1 Answer

5 votes

Final answer:

The most effective compensating control before a patch is available for the CRM vulnerability is to monitor the CRM system and review logs for anomalies daily, allowing for early threat detection and prevention.

Step-by-step explanation:

Considering the scenario in which a vulnerability in a customer relationship management (CRM) software is being exploited, and the patch will not be available for a week, plus an additional 3 days for the patch management process, a compensating control should be put in place to temporarily mitigate the risk to the CRM system and customers’ personal data. An effective compensating control in this case would be:

  • Monitor the CRM system and review the system logs for anomalies on a daily basis. This proactive approach allows for the early detection of any suspicious activities, providing an opportunity to address potential threats before they can cause significant harm.

Informing customers about the situation may result in unnecessary panic and could impact the company's reputation, while shutting down the CRM system could disrupt business operations. Moreover, shortening the testing period for the patch management process could lead to incomplete testing and potentially new vulnerabilities.

by User Roysh (8.3k points)