Certified Information Systems Security Professional (CISSP) — Question 213

A vendor released a security patch for a dangerous vulnerability affecting thousands of computers in an organization. Which of the following actions will the security practitioner do FIRST to mitigate the security risk?

Answer options

• A. Deploy the patch.
• B. Accept the risk.
• C. Transfer the risk.
• D. Evaluate the patch.

Correct answer: D

Explanation

The correct answer is D because evaluating the patch allows the security practitioner to assess its effectiveness and potential impact before implementation. Deploying the patch without evaluation could introduce new issues, while accepting or transferring the risk does not address the vulnerability directly.