Configuration management is the correct answer because it involves the process of systematically handling changes to a system in such a way that the system maintains integrity over time, including the documentation and tracking of all the changes made. It ensures that if vulnerabilities are found, they can be traced back to specific changes, facilitating easier mitigation. Patching is a response to the identification of vulnerabilities and not a record-keeping process; compensating controls are security measures taken to offset the risk of an existing vulnerability but do not involve change documentation; and awareness, education, and training relate to the human factor and do not specifically track changes to IT infrastructure.