During a routine vulnerability assessment, it is discovered that a financial application critical to year-end reporting contains a vulnerability that, if exploited, could compromise sensitive financial data. The patch for this vulnerability would necessitate multiple service interruptions over a week. With year-end financial processes pending, which recommendation should the cybersecurity analyst prioritize in the action plan to ensure the least disruption while maintaining security?
Implement compensating controls and defer patching until after the year-end processing, minimizing disruption to business operations.
Increase logging and monitoring around the financial application but do not apply the patch or any compensating controls until an assessment post year-end is conducted.
Leave the system unpatched and accept the risk because year-end reporting is considered a higher priority.
Proceed with repatching during the year-end processing period due to the critical nature of the vulnerability.
The correct answer is to implement compensating controls and defer patching until after the year-end processing is complete. This option provides an immediate and additional layer of security to mitigate the risk temporarily without disrupting the critical financial processes due to service interruptions. Other choices do not offer the same balance between security needs and business continuity, as they either introduce significant risk (leaving the system unpatched), potentially cause unacceptable business interruptions (repatching during the year-end processing), or do not respond directly to the vulnerability (increasing logging and monitoring only).
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are compensating controls in cybersecurity?
Open an interactive chat with Bash
Why is it important to manage business continuity alongside security?
Open an interactive chat with Bash
What are some standard practices for conducting a vulnerability assessment?