Certified Information Security Manager (CISM) — Question 887
A business requires a legacy version of an application to operate, but the application cannot be patched. To limit the risk exposure to the business, a firewall is implemented in front of the legacy application. Which risk treatment option has been applied?
Answer options
- A. Accept
- B. Transfer
- C. Mitigate
- D. Avoid
Correct answer: C
Explanation
The correct answer is Mitigate. Placing a firewall in front of the legacy application is a compensating control: it does not remove the unpatched vulnerabilities, but it reduces the likelihood that they can be exploited by restricting which sources and ports can reach the application, and so lowers the risk to a level the business can tolerate. Accepting the risk would mean knowingly retaining it and taking no further action; transferring would mean shifting the financial consequences to another party, for example through insurance or a contract; avoiding would mean discontinuing use of the application altogether. Note that the residual risk remaining after the firewall is in place (for instance, an attack that arrives over a port the firewall must still allow for the application to function) is not eliminated and should be documented and formally accepted by the risk owner.