A cybersecurity analyst is reviewing the vulnerabilities associated with an older, mission-critical application. The application cannot be updated or patched without significant downtime, which would impact business operations. After evaluating the application's vulnerabilities, it is determined that they are not actively being exploited in the wild and the potential impact is low. The environment is heavily monitored with numerous compensating controls in place to detect any malicious activity. Which course of action is most appropriate for the cybersecurity analyst to recommend in this scenario?
Recommend mitigating the risk immediately by taking the application offline for patching.
Recommend transferring the risk to a third-party vendor specializing in legacy application security.
Recommend accepting the risk and continue monitoring for any changes in threat exposure.
Recommend avoiding the risk by ceasing the use of the application and seeking an alternative solution.
Accepting the risk is the most appropriate recommendation in this scenario. The immediate remedial action, updating or patching the application, would cause significant operational downtime for the business. Because the vulnerabilities are not being actively exploited, their potential impact is low, and strong monitoring and compensating controls are already in place, the risk can be formally acknowledged and accepted until a solution that minimizes business disruption becomes available. In practice, acceptance should be documented with a named risk owner and a review date, and the compensating controls should be periodically validated, since a change in threat exposure (for example, a public exploit appearing) would invalidate the original decision. Transferring the risk means shifting it to another party, which does not address a software vulnerability that remains inside the organization's own environment. Mitigating the risk, meaning taking action to reduce its likelihood or impact, is not the recommended option here because it implies patching or updating the application, which is not presently viable due to the operational constraints. Avoiding the risk, meaning eliminating it entirely, would require discontinuing use of the vulnerable application, which is not suitable for a mission-critical system.