A security assessment team, during a review of a critical manufacturing control system, identified several high-risk vulnerabilities. The system cannot be immediately patched due to strict operational constraints that prohibit downtime. As the security lead, when documenting these findings for management in the final report, what is the BEST approach to handling these documented exceptions?
Document the vulnerabilities with compensating controls and a risk acceptance timeframe
Mark the vulnerabilities as false positives to clear them from the report
Document the vulnerabilities and outline interim measures since they are not fixed currently
Recommend scheduling a system shutdown once patches can be applied
The correct answer is to document the vulnerabilities with compensating controls and a risk acceptance timeframe. This approach represents proper exception handling in security reporting because it acknowledges the vulnerabilities while providing a structured way to manage the associated risks.
When vulnerabilities cannot be remediated promptly (especially in critical systems like manufacturing where downtime has significant business impact), proper exception handling requires:
Formal documentation of the vulnerability
Implementation of compensating controls to mitigate risk in the interim
A defined timeframe for when the risk acceptance expires and must be reassessed
Management approval of the exception
Simply ignoring the vulnerabilities by marking them as false positives would misrepresent the findings and violate security principles. Recommending a system shutdown would cause the business disruption that the operational constraints explicitly prohibit, and it is rarely the proportionate response. Documenting the vulnerabilities without compensating controls or a defined acceptance timeframe would leave the system exposed, with no risk mitigation and no date for reassessment.
ISC2 CISSP
Security Assessment and Testing