During the monthly vulnerability-management cycle, a Nessus scan produces more than 3 000 findings that span development workstations, a non-production lab, and a cluster of databases that store sensitive financial records. The CISO asks the security operations center to decide which issues must be fixed before the next maintenance window so limited patching resources provide the greatest risk reduction. Which strategy will BEST enable the analysts to determine the order in which vulnerabilities should be remediated?
Applying the asset value and the potential impact to confidentiality, integrity, and availability (CIA) to prioritize which vulnerabilities to address first
Prioritizing based on the ease of implementation of the available patches
Following the recommendations from the proprietary algorithm of the vulnerability scanning tool
Always addressing the vulnerabilities related to regulatory requirements before any other issues
Risk-based prioritization starts by asking two questions: How valuable is the affected asset to the business, and what would successful exploitation do to its confidentiality, integrity, and availability (the CIA triad)? Combining asset criticality ratings with the CIA impact of each vulnerability focuses remediation on weaknesses that could cause the most damage to high-value systems. Proprietary scanner algorithms, patch-effort estimates, or blanket compliance rules can inform scheduling, but on their own they do not reliably show which vulnerabilities introduce the greatest business risk.