CompTIA CASP+ (CAS-003) — Question 97

A company relies on an ICS to perform equipment monitoring functions that are federally mandated for operation of the facility. Fines for non-compliance could be costly. The ICS has known vulnerabilities and can no longer be patched or updated. Cyber-liability insurance cannot be obtained because insurance companies will not insure this equipment.
Which of the following would be the BEST option to manage this risk to the company's production environment?

Answer options

• A. Avoid the risk by removing the ICS from production
• B. Transfer the risk associated with the ICS vulnerabilities
• C. Mitigate the risk by restricting access to the ICS
• D. Accept the risk and upgrade the ICS when possible

Correct answer: B

Explanation

The best option to manage the risk is to transfer it, as indicated in answer B. This approach allows the company to shift the financial burden of potential fines or incidents related to the ICS vulnerabilities to another party. Options A and C do not address the ongoing legal requirements for the ICS, while option D delays necessary action and does not mitigate the immediate risk.