A vendor releases a security patch that closes a critical vulnerability in a line-of-business application. Internal testing shows that installing the patch reduces the performance of a module that end-users rely on for day-to-day work. What should a Cybersecurity Analyst recommend to manage the risk without causing unacceptable business disruption?
Postpone the patch installation until credible reports of active exploitation appear.
Continue normal operations without patching, formally accepting the risk.
Deploy well-documented compensating controls around the application until the vendor releases an optimized patch.
Install the patch immediately because security must take precedence over performance.
When the preferred control (patching) cannot be applied because it would degrade critical functionality, the analyst should implement compensating controls, temporary safeguards such as strict network segmentation, additional monitoring, or virtual patching, to provide equivalent protection until the vendor supplies a performance-neutral update. Delaying the patch or accepting the risk leaves the system exposed, and applying the problematic patch immediately would harm operations.