CISSP · Question #261
How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted?
The correct answer is B. Use a risk-based approach.. After a vulnerability assessment, organizations should prioritize remediation using a risk-based approach that balances the likelihood of exploitation against the potential business impact of each vulnerability.
Question
How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted?
Options
- AUse an impact-based approach.
- BUse a risk-based approach.
- CUse a criticality-based approach.
- DUse a threat-based approach.
How the community answered
(30 responses)- A3% (1)
- B90% (27)
- C7% (2)
Why each option
After a vulnerability assessment, organizations should prioritize remediation using a risk-based approach that balances the likelihood of exploitation against the potential business impact of each vulnerability.
An impact-based approach only considers the severity of consequences if a vulnerability is exploited but ignores the probability or likelihood of exploitation, leading to potential misallocation of resources on high-impact but low-probability vulnerabilities.
A risk-based approach combines both the likelihood of a threat exploiting a vulnerability and the potential impact to the organization, allowing security teams to allocate limited resources to vulnerabilities that pose the greatest overall danger. This approach accounts for asset value, threat intelligence, exploitability, and business context, making it the most comprehensive and widely accepted framework for prioritization. Standards such as NIST SP 800-30 and CVSS scoring systems support risk-based prioritization as the industry best practice.
A criticality-based approach focuses solely on the importance of the affected asset or system, neglecting whether a vulnerability is actually exploitable or actively targeted by threat actors, which can skew prioritization.
A threat-based approach focuses primarily on known threat actors or active threats without fully accounting for the business impact or asset value, resulting in an incomplete prioritization framework compared to the holistic nature of risk-based analysis.
Concept tested: Vulnerability remediation prioritization using risk-based approach
Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Topics
Community Discussion
No community discussion yet for this question.