Question 421 of 510
Governance, Risk and Compliance · medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is risk acceptance with compensating controls such as network segmentation and strict access controls. This is correct because when a legacy unpatched system is critical to operations but cannot be patched due to vendor end-of-life, the residual risk must be formally accepted while deploying compensating controls to reduce the attack surface. Network segmentation, using VLANs and ACLs, contains potential exploitation, and strict access controls like least privilege and MFA limit exposure, aligning with the NIST SP 800-37 risk management framework. On the CompTIA SecurityX CAS-004 exam, this scenario tests your ability to distinguish risk treatment strategies—specifically that acceptance does not mean ignoring risk but rather acknowledging it with active mitigations. A common trap is choosing risk mitigation (patching) or avoidance (removing the system), which are impossible here. Memory tip: “ACCEPT with COMPENSATION” — you accept the vulnerability but compensate with layers of defense.

CAS-004 Governance, Risk and Compliance Practice Question

This CAS-004 practice question tests your understanding of governance, risk and compliance. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A security analyst is reviewing the results of a vulnerability scan and identifies a critical vulnerability in a legacy application that cannot be patched because it is no longer supported by the vendor. The application is critical for business operations. Which of the following risk treatment strategies should the organization implement?


Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Risk acceptance with compensating controls such as network segmentation and strict access controls.

Option D is correct because when a legacy application cannot be patched due to vendor end-of-life, the organization must accept the residual risk while implementing compensating controls. Network segmentation (e.g., VLANs, ACLs) and strict access controls (e.g., least privilege, MFA) reduce the attack surface and contain potential exploitation, aligning with the risk acceptance strategy under the NIST SP 800-37 risk management framework.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Risk transfer by purchasing cyber insurance to cover potential losses.

    Why it's wrong here

    Insurance does not treat the vulnerability; it only provides financial recovery.

  • Risk mitigation by applying a vendor-supplied patch.

    Why it's wrong here

    No patch is available as the vendor no longer supports the application.

  • Risk avoidance by decommissioning the application and migrating to a new system.

    Why it's wrong here

    Avoidance would eliminate the risk but is not feasible due to business criticality.

  • Risk acceptance with compensating controls such as network segmentation and strict access controls.

    Why this is correct

    Acceptance acknowledges the residual risk, and compensating controls reduce likelihood/impact.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse risk acceptance with doing nothing, but in CAS-004, risk acceptance requires documented compensating controls to reduce residual risk to an acceptable level, not simply ignoring the vulnerability.

Detailed technical explanation

How to think about this question

Compensating controls for unpatched legacy applications often involve placing the application on a separate VLAN with strict firewall rules (e.g., deny all inbound except specific IPs), implementing host-based intrusion detection (e.g., OSSEC), and using application-layer proxies to inspect traffic. In real-world scenarios, organizations may also deploy virtual patching via a web application firewall (WAF) like ModSecurity to block known exploit patterns without modifying the legacy code.
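As an added example (not part of the original question page), the block below models the "deny all inbound except specific IPs" segmentation rule described above as a first-match ACL and audits it for least privilege; every address, port and host role in it is a constructed placeholder.

```python
"""Added example: first-match inbound ACL for a segmented legacy host, plus a
least-privilege audit. All addresses and ports are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # None matches any destination port


# Constructed policy for the legacy application's isolated VLAN: only a
# hardened jump host (SSH) and the reverse proxy / WAF in front of the app
# (its service port) may reach it; the final rule drops everything else.
LEGACY_VLAN_INBOUND: List[Rule] = [
    Rule("allow", "10.20.0.10/32", 22),    # jump host, SSH only
    Rule("allow", "10.20.0.20/32", 8443),  # proxy/WAF, app port only
    Rule("deny", "0.0.0.0/0", None),       # explicit default deny
]


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> str:
    """Return the action of the first rule matching (src_ip, dst_port).
    First-match semantics mirror how router ACLs and host firewalls work."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        in_src = ip in ipaddress.ip_network(rule.src)
        port_ok = rule.dst_port is None or rule.dst_port == dst_port
        if in_src and port_ok:
            return rule.action
    return "deny"  # implicit deny when nothing matched


def audit_policy(rules: List[Rule]) -> List[str]:
    """Flag policy weaknesses: no trailing default deny, allow rules wider
    than a single host, or allow rules that open every port."""
    findings = []
    last = rules[-1]
    last_net = ipaddress.ip_network(last.src)
    if not (last.action == "deny" and last_net.prefixlen == 0 and last.dst_port is None):
        findings.append("policy does not end with an explicit default-deny rule")
    for r in rules:
        if r.action != "allow":
            continue
        if ipaddress.ip_network(r.src).prefixlen < 32:
            findings.append(f"allow from {r.src} is broader than a single host")
        if r.dst_port is None:
            findings.append(f"allow from {r.src} opens every port")
    return findings
```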

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related CAS-004 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free CAS-004 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this CAS-004 question test?

Governance, Risk and Compliance — This question tests Governance, Risk and Compliance: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Risk acceptance with compensating controls such as network segmentation and strict access controls. — Option D is correct because when a legacy application cannot be patched due to vendor end-of-life, the organization must accept the residual risk while implementing compensating controls. Network segmentation (e.g., VLANs, ACLs) and strict access controls (e.g., least privilege, MFA) reduce the attack surface and contain potential exploitation, aligning with the risk acceptance strategy under the NIST SP 800-37 risk management framework.

What should I do if I get this CAS-004 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →


Same concept, more angles

2 more ways this is tested on CAS-004

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. During a risk assessment, the analyst identifies that a legacy system containing sensitive data cannot be patched due to vendor end-of-life. The system is critical to operations. Which risk treatment strategy is MOST appropriate?

medium
  • A. Transfer by purchasing cyber insurance
  • B. Avoidance by decommissioning the system
  • C. Acceptance by documenting the risk
  • D. Mitigation by implementing compensating controls

Why D: Implementing compensating controls reduces the risk while allowing the system to operate. Option A may not be feasible; Option C does not reduce the risk; Option D is less proactive.

Variation 2. A security analyst at a large enterprise notices that several servers have missing security patches that are critical. The patch management process requires approval from the change advisory board (CAB) which meets weekly. The next meeting is in three days, but the vulnerability is being actively exploited. What should the analyst do?

medium
  • A. Implement temporary compensating controls until the CAB approves.
  • B. Apply the patches immediately without waiting for CAB approval.
  • C. Notify the system owners and leave the decision to them.
  • D. Document the issue and wait for the CAB meeting.

Why A: C is correct. Implementing compensating controls reduces immediate risk while awaiting formal approval. Immediate patching bypasses change control and may cause instability. Waiting is too slow. Leaving decision to owners abdicates responsibility.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.


This CAS-004 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CAS-004 exam.