The statement is incorrect. While, ideally, every vulnerability would be patched or otherwise remediated as soon as it is discovered, there are scenarios where this is not feasible due to operational requirements, compatibility issues, or the risk being acceptable compared to the business impact of immediate remediation. In such cases, exceptions (a temporary non-compliance with a security policy) or exemptions (a permanent release from the compliance requirement) can be granted with a proper risk assessment and management approval. Additional security controls may be put in place to mitigate the risks associated with the vulnerability until it can be addressed.