nerdexam
(ISC)2

CISSP · Question #1213

A scan report returned multiple vulnerabilities affecting several production servers that are mission critical. Attempts to apply the patches in the development environment have caused the servers to

The correct answer is C. Mitigate the risks with compensating controls.. When patching causes instability in mission-critical systems, compensating controls provide risk mitigation without disrupting production availability.

Submitted by yuki_2020· Mar 5, 2026Security Operations

Question

A scan report returned multiple vulnerabilities affecting several production servers that are mission critical. Attempts to apply the patches in the development environment have caused the servers to crash. What is the BEST course of action?

Options

  • AUpgrade the software affected by the vulnerability.
  • BInform management of possible risks.
  • CMitigate the risks with compensating controls.
  • DRemove the affected software from the servers.

How the community answered

(33 responses)
  • A
    3% (1)
  • B
    18% (6)
  • C
    70% (23)
  • D
    9% (3)

Why each option

When patching causes instability in mission-critical systems, compensating controls provide risk mitigation without disrupting production availability.

AUpgrade the software affected by the vulnerability.

Upgrading the affected software is effectively the same as patching and has already been demonstrated to crash the servers in the development environment, making this option unsafe for production.

BInform management of possible risks.

While informing management of risks is a good practice and may be part of the process, it is not an actionable remediation step and does not reduce the actual vulnerability exposure on the servers.

CMitigate the risks with compensating controls.Correct

Compensating controls are alternative security measures implemented when the primary remediation (patching) is not feasible without causing harm, such as server crashes in mission-critical environments. These controls - such as network segmentation, WAF rules, IDS/IPS signatures, or enhanced monitoring - reduce the attack surface and likelihood of exploitation without requiring the destabilizing patch. This approach balances operational continuity with acceptable risk reduction until a safe patch path is identified.

DRemove the affected software from the servers.

Removing the affected software from mission-critical production servers would likely cause significant business disruption or outages, making it an impractical and disproportionate response to the vulnerability.

Concept tested: Compensating controls for unmitigable vulnerabilities

Source: https://www.nist.gov/cyberframework

Topics

#Vulnerability management#Patch management#Compensating controls#Risk mitigation

Community Discussion

No community discussion yet for this question.

Full CISSP Practice