A company's security program includes a policy that all employees must use strong passwords and change them every 90 days. However, the recent internal audit shows that 60% of employees have passwords that do not meet the strength requirements. What is the most effective corrective action?
Technical enforcement (e.g., complexity rules) ensures compliance.
Why this answer
Option D is correct because automated enforcement ensures policy compliance without relying on user behavior change. Option A is wrong as training alone is insufficient. Option B is wrong because it reduces security and does not address the root cause. Option C is wrong as audits detect but do not prevent non-compliance.