diff --git a/src/sys/file.c b/src/sys/file.c
index bd79e4a6..a21941e0 100644
--- a/src/sys/file.c
+++ b/src/sys/file.c
@@ -105,8 +105,13 @@ VOID FspFileNodeDelete(FSP_FILE_NODE *FileNode)
 {
     PAGED_CODE();
 
+    FSP_FSVOL_DEVICE_EXTENSION *FsvolDeviceExtension =
+        FspFsvolDeviceExtension(FileNode->FsvolDeviceObject);
+
     FsRtlTeardownPerStreamContexts(&FileNode->Header);
 
+    FspMetaCacheInvalidateItem(FsvolDeviceExtension->SecurityCache, FileNode->Security);
+
     FspDeviceDereference(FileNode->FsvolDeviceObject);
 
     if (0 != FileNode->ExternalFileName)
@@ -499,6 +504,7 @@ VOID FspFileNodeSetSecurity(FSP_FILE_NODE *FileNode, PCVOID Buffer, ULONG Size)
     FspMetaCacheInvalidateItem(FsvolDeviceExtension->SecurityCache, FileNode->Security);
     FileNode->Security = 0 != Buffer ?
         FspMetaCacheAddItem(FsvolDeviceExtension->SecurityCache, Buffer, Size) : 0;
+    FileNode->SecurityChangeNumber++;
 }
 
 BOOLEAN FspFileNodeTrySetSecurity(FSP_FILE_NODE *FileNode, PCVOID Buffer, ULONG Size,
diff --git a/src/sys/security.c b/src/sys/security.c
index b465d1de..f05162d2 100644
--- a/src/sys/security.c
+++ b/src/sys/security.c
@@ -292,7 +292,7 @@ NTSTATUS FspFsvolSetSecurityComplete(
     /* if the security descriptor that we got back is valid */
     if (0 < Response->Rsp.SetSecurity.SecurityDescriptor.Size &&
         Response->Buffer + Response->Rsp.SetSecurity.SecurityDescriptor.Size <=
-        (PUINT8)Response + Response->Size &&
+            (PUINT8)Response + Response->Size &&
         RtlValidRelativeSecurityDescriptor((PVOID)Response->Buffer,
             Response->Rsp.SetSecurity.SecurityDescriptor.Size, 0))
     {