Accepting risk, or risk acceptance, occurs when a business or individual acknowledges that the potential loss from a risk is not great enough to warrant spending money to avoid it.
Acceptance is something you do. You accept the risk, but mitigation is something you use. You use known mitigation tactics for a "KNOWN RISK". People are drinking your Kool-Aid, but I believe you are wrong on this one.
Mitigation is the answer. Legacy systems with known vulnerabilities can be mitigated with things such as network segmentation. No company would just accept the risk when mitigation is possible. Stoneface has some useful answers, but I've seen them give 5 or more wrong answers in the first 100 questions.
Per the CompTIA official study guide:
"By definition, legacy platforms are unpatchable. Such systems are highly likely to be vulnerable to exploits and must be protected by security controls other than patching, such as isolating them to networks that an attacker cannot physically connect to."
"Risk acceptance (or tolerance) means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed."
So Risk acceptance would be counter to what CompTIA says MUST be done with legacy systems.
"Risk mitigation (or remediation) is the overall process of reducing exposure to or the effects of risk factors. If you deploy a countermeasure that reduces exposure to a threat or vulnerability that is risk deterrence (or reduction). Risk reduction refers to controls that can either make a risk incident less likely or less costly (or perhaps both)."
That is what CompTIA says MUST be done on a legacy system... reduce risk. So the answer is risk mitigation.
While Mitigation (D) is indeed a common risk management strategy, the specific scenario mentioned is about maintaining a legacy system with known risks for operational purposes. Here's a more detailed comparison to clarify why Acceptance (A) is the more appropriate answer:
Acceptance (A)
Definition: Acknowledging the risk and deciding to continue operations without any immediate changes because the benefits outweigh the risks, or other risk management strategies are not feasible or cost-effective.
Context: The question specifies maintaining a legacy system with known risks. This implies the organization is aware of the risks but chooses to continue using the system due to operational necessity, cost constraints, or other reasons. This aligns well with the concept of risk acceptance.
Key word is legacy... in other words, end of life, or vendor support is no longer available. Mitigation SOUNDS good, but in this context, it is wrong. "ACCEPTANCE" is correct.
Yeah, accepting the risk isn't maintaining anything. To maintain is to provide upkeep, and if it's a legacy system (EOS/EOL) the upkeep must be done through your own means, i.e., strict access control, airgapping, explicit policies, etc.
After going over the question multiple times I am going with Mitigation.
The question says which risk management strategy would an organization use to MAINTAIN a legacy system with known risk.
You can accept the problem all day, but what are you going to do to fix the problem, or, if it can't be fixed, find a workaround?
Acceptance means that the organization acknowledges the risks associated with the legacy system but chooses to tolerate them rather than invest resources in changing or replacing the system.
Mitigation involves taking actions to reduce the impact or likelihood of risks. In the context of a legacy system, this could involve implementing additional security measures or workarounds like segmenting the network to address specific vulnerabilities.
"...risk management strategies would an organization use to maintain a legacy system"
Legacy systems, by definition, mean old, likely non-patchable computers.
So, rather than accept the likelihood of them remaining on the corporate network and being susceptible to attacks, one can mitigate such scenario by (1.) reducing/eliminating shared access to them; (2.) removing them from being able to browse the internet; (3.) ensuring only specific users have access to them for specified use-case scenarios.
I think, mitigation (option D) is the best option in this case.
It is definitely acceptance. A real world example is applications written in AngularJS. The very next release of Angular would have required a complete and total rewrite. Many Program Managers decided not to take on the cost of completely rewriting a new application so they accepted the risk and did not spend additional resources to upgrade.
Mitigation.
There are ways to mitigate vulnerabilities on legacy systems. No company would just accept the risk and do nothing when they have the option to mitigate.
D. Mitigation
It's common for organizations to use Legacy systems in their environments. Oftentimes they do not have a choice. Just because they are using Legacy systems does not mean they cannot take any steps to reduce the risk those Legacy systems expose them to. The answer is mitigation because there are still actions they can take to reduce the risk. For example Network segmentation.
I hate these types of questions. Here's what ChatGPT has to say after some pushback:
While mitigation is a valid risk management strategy and is often preferred when it's possible to reduce or eliminate risks, it might not be the best choice in the context of maintaining a legacy system with known risks for operational purposes. Here's why:
Legacy systems can be expensive and resource-intensive to modify or enhance. Mitigation efforts may require significant investments in terms of time, money, and effort, and these resources might be better spent on more critical projects or system upgrades.
Modifying a legacy system to mitigate risks can introduce new vulnerabilities or issues, especially if the system is complex and poorly documented. It's important to tread carefully to avoid inadvertently creating more problems.
Making changes to a legacy system can disrupt normal operations and introduce downtime or service interruptions, which might not be acceptable in cases where the legacy system is critical for ongoing operations.
In some cases, the legacy system may be so outdated that viable mitigation options are limited or impractical.
A. Acceptance
When an organization chooses to maintain a legacy system with known risks for operational purposes, it is essentially accepting the risks associated with that system. This is a risk management strategy known as risk acceptance. In this case, the organization acknowledges the existence of risks but continues to use the system due to various reasons, such as cost-effectiveness, business continuity, or other operational considerations.
Mitigation is accepting the risk while trying to minimize it as much as you can. Acceptance is simply letting it be. That wouldn't be smart since we still have to use the equipment in daily operations. Must accept while doing our best to mitigate risk.
D. Mitigation.
The organization would use the risk management strategy of mitigation to maintain a legacy system with known risks for operational purposes. Mitigation strategies are used to reduce the potential impact of risks or likelihood of occurrence. For a legacy system, mitigation measures may include regular maintenance and patching, limiting who has access to the system, and monitoring the system for any signs of compromise. Acceptance involves acknowledging the risks associated with the system but choosing to use it anyway without taking any additional action to reduce the risk. Transference involves transferring the risk to a third party through insurance or outsourcing, while avoidance involves avoiding the use of the system altogether.