Certified in Risk and Information Systems Control (CRISC) — Question 1161
A risk practitioner identifies several servers that have not been updated with patches in over a year because the operating systems are no longer supported. Given these servers still run mission-critical applications, which of the following should be done FIRST?
Answer options
- A. Accept the risk for the legacy servers.
- B. Upgrade the operating systems to a supported version.
- C. Inform key stakeholders about the increased risk.
- D. Advise the cyber team to isolate the servers.
Correct answer: C
Explanation
The correct answer is C: informing key stakeholders about the heightened risk is the essential first step, because they need that information to make informed decisions on how to handle the situation. Accepting the risk (A) does not address the issue; upgrading the operating systems (B) may take time and resources; and isolating the servers (D) could disrupt operations if done before the risks involved have been communicated.