Which statement about using standardized vulnerability severity scores (for example, the CVSS Base score) to determine patch-remediation priority is MOST accurate for an organization?
The score is a useful starting point, but asset criticality, exploit likelihood, and business impact must also be assessed before setting priorities.
The score can be ignored entirely; patch priority should be based only on how recently the vendor released the patch.
Relying only on the standardized numerical score is sufficient; patches should be applied strictly in descending score order.
Combining the score with an up-to-date asset inventory is always enough; additional threat-intelligence data is unnecessary.
Numerical severity scores provide a useful starting point, but they do not capture organization-specific factors such as asset criticality, exploit likelihood in the given environment, compensating controls, and overall business impact. The CVSS specification recommends that consumers supplement the Base score with Temporal and Environmental metrics and with additional risk data to arrive at a context-aware priority. Therefore, relying on the score alone is insufficient; broader organizational context must be considered when setting remediation priorities.