A security assessment of a critical manufacturing system identified several high-risk vulnerabilities that cannot be patched due to operational constraints. When documenting these findings in the final report, what is the BEST approach to handling these exceptions?
Document the vulnerabilities and outline interim measures, since they are not currently fixed
Mark the vulnerabilities as false positives to clear them from the report
Recommend scheduling a system shutdown once patches can be applied
Document the vulnerabilities with compensating controls and a risk acceptance timeframe
The correct answer is to document the vulnerabilities with compensating controls and a risk acceptance timeframe. This approach represents proper exception handling in security reporting because it acknowledges the vulnerabilities while providing a structured way to manage the associated risks.
When vulnerabilities cannot be remediated promptly (especially in critical systems like manufacturing where downtime has significant business impact), proper exception handling requires:
Formal documentation of the vulnerability
Implementation of compensating controls to mitigate risk in the interim
A defined timeframe for when the risk acceptance expires and must be reassessed
Management approval of the exception
Marking the vulnerabilities as false positives simply ignores them and would violate security principles. Scheduling a system shutdown would cause business disruption and is rarely the proportionate response. Documenting the vulnerabilities without compensating controls would leave the system exposed with no risk mitigation in the interim.
ISC2 CISSP
Security Assessment and Testing