CompTIA CASP+ (CAS-004) — Question 510
An application server has outdated protocols enabled and is in violation of the company's written security policy and standards. The outdated protocols are required for compatibility with client-owned systems. The client is unable to update systems at this time. The following compensating controls have been implemented to reduce the amount of risk created by the protocol use:
• A FIM agent has been installed and configured on the server.
• EDR protection has been deployed to the server.
• The server has been moved behind a next-generation firewall.
Which of the following should be done next?
Answer options
- A. Document the outdated protocol use and compensating controls as an exception to the security policy.
- B. Set a target date for the internal team to disable the outdated protocols that are in violation of the security policy.
- C. Revise the security policy to allow the use of outdated protocols when required for compatibility with client systems.
- D. Require the application owner to sign an agreement taking responsibility for the risk involved with using outdated protocols.
Correct answer: A
Explanation
The correct answer is A. The server is knowingly out of compliance with a written policy, the business reason (client-owned systems that cannot yet be updated) is legitimate, and compensating controls (FIM, EDR, next-generation firewall placement) are already in place. The next step in a standard exception process is to record all of this formally: the policy violated, the justification, the compensating controls that reduce the residual risk, and who approved it. Without that record the deviation is invisible to auditors and to future risk reviews. Option B is not actionable here, because the timeline is controlled by the client, not the internal team, and a remediation date belongs inside the documented exception rather than replacing it. Option C weakens the policy for everyone in order to accommodate one case, instead of handling the case as a tracked deviation. Option D shifts ownership of the risk onto one person but does not document the exception or the controls; risk acceptance is part of the exception record, not a substitute for it.