The correct answer is D because the system owner should own and drive mitigation of noncompliant platforms. The issue described is a platform noncompliance problem affecting processing and failing to meet approved standards. Ownership of the affected system includes accountability for ensuring that systems meet required security, operational, and performance standards, and for driving corrective action when deficiencies are identified.
The other options are less appropriate:
A. Configuration manager may support configuration control, but does not own the platform risk.
B. Change manager coordinates changes, but is not accountable for the system’s compliance posture.
C. Release manager manages deployments and releases, but does not own ongoing platform compliance and mitigation.
Exact Extracts supporting the answer:
“During the accreditation process the primary role of the system owner is to select and document the security controls for the system.”
“For an IT system supporting a critical business process senior managers should be accountable for the risk.”
“To ensure that identified risk remains at an acceptable level the BEST approach is reviewing controls periodically according to the risk treatment plan.”
“The PRIMARY reason an external risk assessment team reviews documentation as the first step in the risk assessment is to gain a thorough understanding of the enterprise’s business processes.”
“The BEST way to ensure appropriate mitigation occurs on identified information systems vulnerabilities is by assigning action plans with deadlines to responsible personnel.”
These extracts support that accountability for system-level controls and remediation belongs with the owner of the affected system. Therefore, the person who should own and drive mitigation of noncompliant platforms is the system owner.