The correct answer is D because the remediation was technically successful, but it was carried out during five business hours for a sales application. That means the company likely lost sales revenue because the application was unavailable or degraded during a business-critical period. The issue was not the patch itself; the issue was poor change scheduling and communication.
Exact supporting extract: the CySA+ All-in-One guide defines a maintenance window as “a scheduled time the system is taken offline or out of use so that patches or configuration changes can be made.” It also explains that emergency maintenance may require informing users that the resource is being taken offline, how long maintenance will take, and whether resource access will be affected.
The Sybex CySA+ Study Guide also supports this answer: “Changes have the potential to be disruptive to an organization,” so the timing of changes must be “carefully coordinated.” It adds that maintenance windows normally occur during evenings, weekends, or other periods when business activity is low.
The official CompTIA CS0-003 objectives place this under vulnerability management reporting and communication because they include action plans, patching, inhibitors to remediation, business process interruption, degrading functionality, and stakeholder identification and communication.
Why the other options are incorrect, and why D is correct:
A is incorrect because this financial loss is not simply a normal unavoidable IT cost. It was caused by poor scheduling or communication around a business-critical sales application.
B is incorrect because the issue is not specifically that the CIO failed to notify the board. The scenario says the change advisory board informed leadership after the loss.
C is incorrect because a penetration test is not required before every patch or remediation activity. The issue was not whether the vulnerability existed; it was the business impact of the remediation timing.
D is correct because a properly planned and communicated maintenance window should reduce business impact by scheduling the work when the application is not heavily used.