Weekly CISSP Exam Questions
Question: Your organization faces a situation where an important system cannot be patched due to operational constraints. A business-critical application relies on an old version of software that no longer receives security updates. How should you justify and manage this exception, considering both technical and business risks?
A. Apply compensating controls and document the exception with clear time-bound remediation plans and risk mitigation measures.
B. Notify stakeholders that the vulnerability will be ignored due to business impact and delay the patch indefinitely.
C. Ignore the issue temporarily and proceed with regular scans until the next major system upgrade.
D. Remove the affected system from the network to reduce the exposure.
Answer: A
Explanation:
The best practice is to manage the exception formally: apply compensating controls that reduce the likelihood or impact of exploitation (for example, network segmentation that limits which hosts can reach the system, strict access control, intrusion detection or prevention monitoring of the segment, and application allow-listing), document the risk, the business justification, and the accepted residual risk, and set a time-bound remediation plan (upgrade, migration, or vendor replacement) that is reviewed on a fixed schedule so the exception does not become permanent. Option B ignores the risk rather than managing it, option C leaves the vulnerability unmitigated until an undefined upgrade, and option D removes a business-critical system from service without a plan, trading a security risk for an operational one. Neither ignoring the vulnerability nor pulling the system offline without a clear plan is responsible risk management.

Podcasts
Check out my weekly podcasts, which delve deep into the relevant topics for each of the CISSP domains. In addition, I go over specific questions and how they can be interpreted and answered.

CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!

CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.