🔥 3-day streak
ISC2 CISSP — Certified Information Systems Security Professional127 / 129
Question 127 of 129

A security analyst runs a monthly authenticated vulnerability scan across a mixed environment. The report lists over 4,000 findings ranked by raw CVSS base score. Management asks the analyst to prioritize remediation efforts to reduce actual organizational risk most effectively. Several 'Critical' CVSS findings are on internal test servers with no sensitive data and no external exposure, while a 'High' finding affects an internet-facing payment processing system holding cardholder data. What should the analyst do FIRST to prioritize remediation?

Reviewed for accuracy · Report an issueNext question