A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk-based policy decision to review and enforce the vendor upgrade before the end of life is reached.
Which of the following risk actions has the security committee taken?
A. Risk exception
B. Risk avoidance
C. Risk tolerance
D. Risk acceptance
CS0-002: CompTIA CySA+ ExamFULL Printable PDF and Software. VALID exam to help you PASS. |
This is Risk Acceptance. The device is being installed as is with soon to expire OS. The analyst is doing his due diligence to make sure the vendor will upgrade before the OS EOL is reached, but only after the OS is upgraded will it be risk avoidance
Its getting upgraded before EOL, I would think this is a Risk Avoidance.