CompTIA CySA+ Exam: Risk Actions for Medical Device with End-of-Life Operating System

Question

A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network.

During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years.

Due to the criticality of the device, the security committee makes a risk-based policy decision to review and enforce the vendor upgrade before the end of life is reached.

Which of the following risk actions has the security committee taken?

Answers

Explanations

D.

The security committee has taken the risk action of "Risk Mitigation" by enforcing the vendor upgrade before the end of life is reached.

Here's a breakdown of the other answer choices and why they are not correct:

A. Risk exception: This is a risk response where the risk is acknowledged, but no action is taken to mitigate it. This answer choice is incorrect because the security committee has decided to take action to mitigate the risk of the end-of-life operating system.

B. Risk avoidance: This is a risk response where the organization chooses not to engage in an activity or use a particular asset to eliminate the risk altogether. This answer choice is incorrect because the organization still needs to use the medical device for critical functions.

C. Risk tolerance: This is a risk response where the organization accepts the risk and chooses to manage it without taking any specific action to mitigate it. This answer choice is incorrect because the security committee has decided to take action to mitigate the risk of the end-of-life operating system.

D. Risk acceptance: This is a risk response where the organization acknowledges the risk and chooses to live with it, without taking any specific action to mitigate it. This answer choice is incorrect because the security committee has decided to take action to mitigate the risk of the end-of-life operating system.

Therefore, the security committee has taken the risk action of "Risk Mitigation" by enforcing the vendor upgrade before the end of life is reached.