A) Manually review the baselines daily and document the results in a change history log is not correct. This option would not prevent the recurrence of the problem, as it does not address the root cause of why the remote units did not recover after scans were performed. Moreover, this option would create an unsustainable process, as it would require a lot of time and resources to manually review and document the baselines of all assets on a daily basis.
C) Implement a new scanning technology to satisfy the monitoring requirement and train the team is not correct. This option would not guarantee that the problem would not recur, as it is possible that the new scanning technology would also cause issues with the remote units or other assets. Furthermore, this option would incur additional costs and efforts to acquire, deploy, and maintain the new scanning technology and train the team on how to use it.
D) Purchase new remote units from other vendors with a proven ability to support scanning requirements is not correct. This option would not be feasible or cost-effective, as it would require replacing all the remote units with new ones from different vendors. This option would also introduce new risks and challenges, such as compatibility, interoperability, or vendor lock-in.
Explanation:
The correct answer is B. Document exceptions with compensating controls to demonstrate the risk mitigation efforts. Compensating controls are alternative or additional controls that are implemented when the primary or required controls are not feasible or effective. Compensating controls can help to reduce the risk to an acceptable level and satisfy the regulatory requirements, as long as they are documented and justified1.