Question

An organization requires secure configuration baselines for all platforms and technologies that are used. If any system cannot conform to the secure baseline, the organization must process a risk acceptance and receive approval before the system is placed into production. It may have non-conforming systems in its lower environments (development and staging) without risk acceptance, but must receive risk approval before the system is placed in production. Weekly scan reports identify systems that do not conform to any secure baseline. The application team receives a report with the following results:

Host Environment Baseline deviation ID(criticality)
NYAccountingDev Development
NYAccountingStg Staging
NYAccounting Prod Production 2633 (low), 3124 (high)
There are currently no risk acceptances for baseline deviations. This is a mission-critical application, and the organization cannot operate if the application is not running. The application fully functions in the development and staging environments. Which of the following actions should the application team take?
A. Remediate 2633 and 3124 immediately.
B. Process a risk acceptance for 2633 and 3124.
C. Process a risk acceptance for 2633 and remediate 3124.
D. Shut down NYAccounting Prod and investigate the reason for the different scan results.

Answer 1

C. Process a risk acceptance for 2633 and remediate 3124.

Step-by-step explanation:

There are various business risks. Some are inherited risks while other are risks are associated with nature of business. It is dependent on business owners that they want to accept risk or mitigate the risk. Risk acceptance is based on the strategy of the management. In the given scenario Accounting Prod Production has low risk 2633 which is accepted while 3124 is high risk which is remediated.