As a Security Analyst for a large organization, you have identified a low severity vulnerability on a server hosting a non-essential marketing website. The server is isolated from the internal network and contains no sensitive data. The vulnerability does not have a known exploit and fixing it would require taking the server offline during a major marketing campaign. What is the MOST appropriate risk management action to take in this scenario?
You selected this option
Ignore the vulnerability since it has no known exploit and is not critical.
You selected this option
Immediately patch the vulnerability causing downtime during the marketing campaign.
You selected this option
Document the vulnerability and accept the risk until the campaign is over.
You selected this option
Decommission the server as no vulnerability should be left unaddressed.
The correct answer is 'Document the vulnerability and accept the risk until the campaign is over.' This allows the server to remain online supporting the marketing campaign while acknowledging the low severity of the vulnerability in this context. Since the vulnerability is on an isolated server with non-sensitive data and no known exploit, the risk is considered acceptable. The other options, such as immediate patching or decommissioning, are not aligned with business needs or are too severe given the low risk associated with the vulnerability.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.