
CISSP Question #261: Real Exam Question with Answer & Explanation

The correct answer is B: Use a risk-based approach. After a vulnerability assessment, organizations should prioritize remediation using a risk-based approach that balances the likelihood of exploitation against the potential business impact of each vulnerability.

Submitted by sofia.br · Mar 5, 2026 · Domain: Security and Risk Management

Question

How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted?

Options

  • A. Use an impact-based approach.
  • B. Use a risk-based approach.
  • C. Use a criticality-based approach.
  • D. Use a threat-based approach.

Explanation

After a vulnerability assessment, organizations should prioritize remediation using a risk-based approach that balances the likelihood of exploitation against the potential business impact of each vulnerability.

Common mistakes.

  • A. An impact-based approach only considers the severity of consequences if a vulnerability is exploited but ignores the probability or likelihood of exploitation, leading to potential misallocation of resources on high-impact but low-probability vulnerabilities.
  • C. A criticality-based approach focuses solely on the importance of the affected asset or system, neglecting whether a vulnerability is actually exploitable or actively targeted by threat actors, which can skew prioritization.
  • D. A threat-based approach focuses primarily on known threat actors or active threats without fully accounting for the business impact or asset value, resulting in an incomplete prioritization framework compared to the holistic nature of risk-based analysis.

Concept tested. Vulnerability remediation prioritization using a risk-based approach.

Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Topics

#Vulnerability management · #Risk prioritization · #Remediation planning
