A cybersecurity analyst is preparing a vulnerability management report and identifies a high-risk vulnerability on a system that is tightly governed by the organization's change management policies. The policy requires a two-week review period for any system changes, but the vendor has rated the vulnerability as 'critical' with a high likelihood of exploitation. In light of the existing organizational governance, which course of action should the analyst recommend in the vulnerability management report to address the risk adequately?
Advise immediate patch deployment to override the two-week review policy due to the vendor's critical rating.
Suggest waiting for the two-week review period before any action, adhering to the strict change management policy.
Recommend implementing compensating controls and initiating an expedited review process for the patch deployment.
Propose the creation of an exception in the governance policy for all vendor-rated critical vulnerabilities going forward.
The correct answer is 'Recommend implementing compensating controls and initiating an expedited review process.' This approach acknowledges the constraints of the organizational policy while suggesting a risk mitigation strategy that doesn't breach governance. Compensating controls would temporarily mitigate the risk until the critical patch can be reviewed and deployed, and seeking expedited review aligns with the urgency of the vulnerability without contravening policy. The incorrect answers fail to properly balance the need for swift action with the prescribed governance procedures, potentially leading to either security risks or policy violations.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are compensating controls in cybersecurity?
Open an interactive chat with Bash
What is a change management policy?
Open an interactive chat with Bash
Why is an expedited review process important for critical vulnerabilities?