Patch & Vulnerability Management
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.
Included in this chapter:
- Vulnerability and patch management as preventive maintenance
- The vulnerability management cycle and the patch lifecycle
- Prioritization: CVSS, exploitability, and asset criticality
Four risk responses to a software vulnerability (NIST SP 800-40 Rev. 4)
| Dimension | Accept | Mitigate | Transfer | Avoid |
|---|---|---|---|---|
| What you do | Live with the risk, relying on existing controls or judging impact low enough | Reduce the risk: patch/upgrade, disable the feature, or isolate via firewall/segmentation | Share consequences: cyber insurance, or shift to SaaS where the provider patches | Eliminate the attack surface: uninstall, decommission, or disable the capability |
| Eliminates the flaw? | No. Risk remains | Patch/upgrade fully eliminates it without losing function; other mitigations only reduce it | No. Risk moves to another party | Yes, by removing the vulnerable software entirely (and its function) |
| Typical trigger | Low-impact flaw, or strong compensating controls already present | The default response when a fix exists and the asset can take it | Risk is better borne by a third party or a managed provider | Software is unneeded, or no fix will ever come (end-of-life) |
| Main cost / caveat | Residual risk is owned and must be tracked, not forgotten | Patch may break interacting software; needs testing, a window, and a back-out | Insurance has limits/exclusions; SaaS shifts but does not erase accountability | Loss of the capability or the asset's business value |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- NIST SP 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology Whitepaper
- NIST NVD: Vulnerability Metrics (CVSS)
- FIRST: Common Vulnerability Scoring System (CVSS)
- CISA: Known Exploited Vulnerabilities (KEV) Catalog
- CISA Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities Whitepaper