A scan report returned multiple vulnerabilities affecting several production servers that are mission critical. Attempts to apply the patches in the development environment have caused the servers to crash. What is the BEST course of action?
A. Mitigate the risks with compensating controls.
B. Upgrade the software affected by the vulnerability.
"Development environment have caused the servers to crash" meaning that we need to inform MT first, because this is a critical item, and plan what to do next. So, D then A.
A is like = act first, apologize later; and D is something with a non-decision making position would do, such as an Analyst. So, for example, multiple vulnerabilities; Log4j, Meltdown, and Spectre... Does the CISSP exam assume that you are a Security Manager or a System Custodian making all these decisions and acting upon them?
Correct answer is A. Taking multiple practice tests. This type of question in particular favors taking action versus just communicating to upper management. Immediate action is to be taken in this case. So A to mitigate risk FIRST to protect the business FIRST, THEN tell MGMT.
While informing management is crucial, it should be accompanied by immediate action to mitigate the risks. Simply informing them without taking any steps leaves the production servers vulnerable.
D. Informing the manager about risks, then have the system owner / information owner decide on the next steps. It could be mitigating risks using compensating controls (e.g. isolating vulnerable servers, removing sensitive data) or it could be removing the affected software.
The answer is A... not D
The servers crashing can be considered an incident.
While reporting to management is important...
In the incident response phases, mitigation happens before reporting.
Answer A)
Compensating Controls do not mean that they are not as-good as original intention and should have been already approved in Change Management, so the manager ought to already know what is at stake if you do not apply the Compensating Control.
https://sprinto.com/blog/pci-dss-compensating-controls/
The answer is A
The best course of action when critical production servers are affected by vulnerabilities but patching crashes them is to mitigate the risks with compensating controls, option A.
Since patches are not currently feasible without causing outages, alternative controls should be implemented to reduce the risks until either the vendors resolve the issues or the software can be upgraded/removed.
Compensating controls provide protection for known vulnerabilities by layering additional safeguards like enhanced monitoring, restricted access, virtual patching, etc. This balances security and availability.
Simply informing management does not directly address the technical risks. Upgrading or removing software needs more planning when stability is impacted.
Therefore, mitigating the vulnerabilities through tactical compensating controls is the most prudent short-term approach until long-term systematic fixes can be implemented safely.
D; notify management.
A "compensating control" isn't going to help with multiple vulnerabilities, you can't compensate for that.
"A compensating control, also called an alternative control, is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time."
https://www.techtarget.com/whatis/definition/compensating-control#:~:text=A%20compensating%20control%2C%20also%20called,implement%20at%20the%20present%20time.
What kept being stressed in my CISSP class is that you are not fixing anything, you are advising and working closely with management. So we have a real problem here, management needs to decide what to do.
A includes D. As we will be implementing compensating controls through a proper change management process which gives management info/awareness/chance to review.
In situations where attempts to patch critical production servers have caused crashes or other issues, it is important to find alternative methods for mitigating the risks associated with the vulnerabilities. The best course of action would be to implement compensating controls to reduce the likelihood or impact of a successful exploit. Compensating controls are additional security measures that can be implemented to help reduce the risk to the organization. These can include network segmentation, access controls, network firewalls, intrusion detection systems and end-point protection, depending on the specific vulnerabilities and risks.
The best course of action in this situation would be to mitigate the risks with compensating controls (option A). Compensating controls are alternative measures that can be implemented to mitigate risks when it is not possible or practical to address the underlying vulnerabilities directly.
If applying patches to the affected servers has caused them to crash in the development environment, it is likely that applying the patches in the production environment would have the same result, which could have serious consequences for the organization's mission-critical operations. In this case, implementing compensating controls such as network segmentation, access controls, and monitoring could help to reduce the risk of attacks exploiting the vulnerabilities until a more permanent solution can be found.
If we 'think like a manager' we are doing A because we ARE the management.
Otherwise we should do D (Application of mitigating controls should be done to bring risk within risk appetite. Management set risk appetite).
Update: Changing to D/Juniorhs86 is right. Even if we are a manager, the mission critical nature of the servers requires a larger planning phase before applying controls.
Change Management must be followed.
Update 2: Admin PLEASE DELETE MY TWO UPDATE comments. Reached out to change management specialists and Answer is A.
We cannot satisfy the existing security requirement, so we must apply compensating controls in line with the relevant standards. This may involve doing B or C but WILL involve doing D if the standards are properly operating and regularly audited (audit demands that compensating controls are validated as functioning / that they won't take down the system). The process for applying compensating controls should include controls validation.