CISSP · Question #1213
A scan report returned multiple vulnerabilities affecting several production servers that are mission critical. Attempts to apply the patches in the development environment have caused the servers to
The correct answer is C. Mitigate the risks with compensating controls.. When patching causes instability in mission-critical systems, compensating controls provide risk mitigation without disrupting production availability.
Question
Options
- AUpgrade the software affected by the vulnerability.
- BInform management of possible risks.
- CMitigate the risks with compensating controls.
- DRemove the affected software from the servers.
How the community answered
(33 responses)- A3% (1)
- B18% (6)
- C70% (23)
- D9% (3)
Why each option
When patching causes instability in mission-critical systems, compensating controls provide risk mitigation without disrupting production availability.
Upgrading the affected software is effectively the same as patching and has already been demonstrated to crash the servers in the development environment, making this option unsafe for production.
While informing management of risks is a good practice and may be part of the process, it is not an actionable remediation step and does not reduce the actual vulnerability exposure on the servers.
Compensating controls are alternative security measures implemented when the primary remediation (patching) is not feasible without causing harm, such as server crashes in mission-critical environments. These controls - such as network segmentation, WAF rules, IDS/IPS signatures, or enhanced monitoring - reduce the attack surface and likelihood of exploitation without requiring the destabilizing patch. This approach balances operational continuity with acceptable risk reduction until a safe patch path is identified.
Removing the affected software from mission-critical production servers would likely cause significant business disruption or outages, making it an impractical and disproportionate response to the vulnerability.
Concept tested: Compensating controls for unmitigable vulnerabilities
Source: https://www.nist.gov/cyberframework
Topics
Community Discussion
No community discussion yet for this question.