CISSP Question #833: Real Exam Question with Answer & Explanation

Submitted by rachelw · Mar 5, 2026 · Domain: Security and Risk Management

Question

A network scan found 50% of the systems with one or more critical vulnerabilities. Which of the following represents the BEST action?

Options

  • A. Assess vulnerability risk and program effectiveness.
  • B. Assess vulnerability risk and business impact.
  • C. Disconnect all systems with critical vulnerabilities.
  • D. Disconnect systems with the most number of vulnerabilities.

Explanation

When 50% of systems have critical vulnerabilities, the best immediate action is to assess both the vulnerability risk and the business impact, because security decisions must be balanced against operational needs - not all critical vulnerabilities carry equal risk to the organization's mission-critical functions. Option B is correct because it enables a risk-based prioritization strategy, allowing teams to address the most damaging vulnerabilities first while keeping essential business operations running.

Why the distractors are wrong:

  • Option A is close but incomplete - evaluating "program effectiveness" is a longer-term governance concern, not the immediate priority when systems are actively vulnerable.
  • Option C is too extreme and impractical - disconnecting half your environment would likely cause more business disruption than the vulnerabilities themselves.
  • Option D is flawed because the number of vulnerabilities is less important than their severity and business context; one critical vulnerability on a payment server outweighs ten on a test machine.

💡 Memory Tip: Think "Risk + Impact = Response" - in security, you never act on technical findings alone without considering the business consequence. If an answer pairs vulnerability risk with business impact, it's almost always the right choice on a risk management question.

Topics

#Vulnerability Management · #Risk Assessment · #Business Impact Analysis · #Risk Prioritization
