Domain 7 of 8 · Chapter 8 of 15

Patch & Vulnerability Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • Vulnerability and patch management as preventive maintenance
  • The vulnerability management cycle and the patch lifecycle
  • Prioritization: CVSS, exploitability, and asset criticality

Four risk responses to a software vulnerability (NIST SP 800-40 Rev. 4)

DimensionAcceptMitigateTransferAvoid
What you doLive with the risk, relying on existing controls or judging impact low enoughReduce the risk: patch/upgrade, disable the feature, or isolate via firewall/segmentationShare consequences: cyber insurance, or shift to SaaS where the provider patchesEliminate the attack surface: uninstall, decommission, or disable the capability
Eliminates the flaw?No. Risk remainsPatch/upgrade fully eliminates it without losing function; other mitigations only reduce itNo. Risk moves to another partyYes, by removing the vulnerable software entirely (and its function)
Typical triggerLow-impact flaw, or strong compensating controls already presentThe default response when a fix exists and the asset can take itRisk is better borne by a third party or a managed providerSoftware is unneeded, or no fix will ever come (end-of-life)
Main cost / caveatResidual risk is owned and must be tracked, not forgottenPatch may break interacting software; needs testing, a window, and a back-outInsurance has limits/exclusions; SaaS shifts but does not erase accountabilityLoss of the capability or the asset's business value

Decision tree

Impact low enough withexisting controls?YesAccept the risktrack residual riskNo — treat itPatch available and theasset can take it?YesMitigate: patch or upgradephased deployment to canary assets first;keep a back-out planNo patch yetCan it ever be patched(not end-of-life / vendor-locked)?Yes — fix is comingApply a temporary mitigationisolate / segment the asset until thepatch ships, then patch and remove itNo — unpatchableLong-term compensating controlsisolation, segmentation, tightenedmonitoring; reassess periodicallyAlways: route the change through change control;prioritize by exploitability and asset criticality, not CVSS alone

Cheat sheet

  • Treat patching as preventive maintenance, not firefighting
  • A vulnerability is a risk with four responses: accept, mitigate, transfer, avoid
  • Only a patch or upgrade removes the flaw without removing function
  • When patching can't run now, choose another response on purpose
  • An accurate, continuously-updated asset inventory is the foundation
  • Prioritize patching per asset, using business context, not per software version
  • Know the CVSS severity bands
  • Active exploitation is the sharpest prioritization signal; use the CISA KEV catalog
  • Test before broad rollout via phased deployment to canary assets
  • Every deployment needs a back-out plan
  • Validate a patch's authenticity and integrity before installing it
  • Routine patches reach production through change management
  • Emergency patching is expedited but still validated and documented
  • Verify and monitor: deployed is not the same as fixed
  • Unpatchable assets get compensating controls, not a pass
  • Plan responses in advance so a new flaw triggers a pre-approved play
  • Reduce how much you have to patch by shrinking the attack surface
  • Patch metrics must be actionable, weighing vulnerability and asset importance
  • CVSS has Base, Temporal, and Environmental groups. Use Environmental to localize severity to your context
  • Deferring or accepting a vulnerability needs a formal, time-bound risk acceptance signed by the accountable owner

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology Whitepaper
  2. NIST NVD: Vulnerability Metrics (CVSS)
  3. FIRST: Common Vulnerability Scoring System (CVSS)
  4. CISA: Known Exploited Vulnerabilities (KEV) Catalog
  5. CISA Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities Whitepaper