Given the scenario where the security assessor identified gaps but chose not to report them, the

primary violation is with "due diligence." The assessor did not complete the due diligence process

by withholding critical information. If the assessor had identified the gaps $($due diligence$)$ and then

did nothing to address or rectify those gaps $($despite knowing about them$),$ that would be a

violation of "due care."

Due diligence: refers to the investigations and research conducted before taking an action.

Due care: is about taking the necessary steps to mitigate the risks and threats that have been

identified through due diligence.

Due diligence need to happen before dual care. In the given scenario, the internal security

assessor never did the duel diligence part.

QUESTION $346$

An organization offers SaaS services through a public email and storage provider. To facilitate

password resets, a simple online system is set up$.$ During a routine check of the storage each

month, a significant increase in use of storage can be seen. Which of the following techniques

would remediate the attack?

A$.$ Including input sanitization to the logon page

B$.$ Configuring an account lockout policy

C$.$ Implementing a new password reset system

D$.$ Adding MFA to all accounts