Your organization has identified a security vulnerability in an internally developed application. After performing a risk assessment, it is determined that the cost of remediation exceeds the potential impact of the vulnerability being exploited. Additionally, there is no immediate threat or known exploit for this vulnerability. What is the MOST appropriate risk management response in this scenario?
Formally accept the risk and monitor for changes in the threat landscape.
Transfer the risk by outsourcing the application component to a third-party vendor.
Patch the vulnerability immediately regardless of the remediation costs.
Schedule the patch to be included in the next release cycle without additional review.
Accepting a risk is considered appropriate when the cost of mitigation exceeds the potential impact and no immediate threat exists. This approach is part of risk management principles where an organization acknowledges the presence of the risk but decides that the cost of taking action is not justifiable. Patching it within the next release cycle might not address the immediate risk acceptance decision and could incur unnecessary costs. Transferring the risk would not apply here, as this pertains to an internal application. Avoiding the risk would imply eliminating it altogether, which is not financially justifiable in this context.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does it mean to formally accept a risk?
Open an interactive chat with Bash
What are risk management principles?
Open an interactive chat with Bash
Why might transferring the risk not be applicable for an internal application?