Question: how to simplify: Control 1: SI-2 - Flaw Remediation a. SI-2 mandates that organizations identify, report, and correct system flaws promptly. It includes testing updates

How to simplify:

Control 1: SI-2 - Flaw Remediation

a. SI-2 mandates that organizations identify, report, and correct system flaws promptly. It includes testing updates and installing patches within organization-defined timelines.

b. In the Equifax breach, the vulnerability (CVE-2017-5638) in Apache Struts was publicly disclosed and a patch was issued in March 2017. However, Equifax did not apply the patch, leaving the system exposed for months.

c. If SI-2 had been properly implemented, the Apache Struts patch would have been identified as high-priority, tested, and deployed promptly, likely closing the primary attack vector and preventing the breach entirely.

Control 2: SI-4 - System Monitoring

a. SI-4 requires continuous monitoring of systems and networks to detect unauthorized activity. It includes using intrusion detection systems (IDS), reviewing audit logs, and ensuring visibility into internal and external traffic.

b. Equifax's monitoring capabilities were hindered due to an expired digital certificate, which rendered their traffic inspection tools ineffective. As a result, attackers were able to run thousands of database queries undetected.

c. With an active and properly configured SI-4 implementation, Equifax's systems would have detected the abnormal activity and raised alerts much earlier. Real-time monitoring and automated alerting could have significantly shortened the breach duration or triggered an immediate investigation.
