Explanation/Reference:
Explanation:
The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risks.
Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit. The cost of IT security may or may not be reduced.

Explanation/Reference:
Explanation:
The certificate authority maintains a directory of digital certificates for the reference of those receiving them, it manages the certificate life cycle, including certificate directory maintenance and certificate revocation list maintenance and publication. Choice A is not correct because a registration authority is an optional entity that is responsible for the administrative tasks associated with registering the end entity that is the subject of the certificate issued by the CA. Choice C is incorrect since a CRL is an instrument for checking the continued validity of the certificates for which the CA has responsibility. Choice D is incorrect because a certification practice statement is a detailed set of rules governing the certificate authority's operations.

Section: Protection of Information Assets
Explanation:
The most effective method is to determine through code comparisons what changes have been made and
then verify that they have been approved. Change control records and software migration records may not
have all changes listed. Ensuring that only appropriate staff can migrate changes into production is a key
control process, but in itself does not verify compliance.