To determine the correct priority, you must filter the options by applying the rules from Security Policy 1006 in the order of importance dictated by the scenario.
“The Company shall prioritize patching of publicly available systems and services over patching of internally available system.”
Option A: Internal System
Option B: External System (Keep)
Option C: External System (Keep)
Option D: Internal System
Result: Eliminate Options A and D. We are now choosing between B and C.
“In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.”
To apply this, you must read the CVSS v3.1 Vector String for the remaining options. The relevant metrics are C (Confidentiality) and A (Availability).
Option B (CAP.SHIELD): C:H / I:N / A:N
Confidentiality: High (C:H)
Availability: None (A:N)
Interpretation: This vulnerability allows for a significant breach of data confidentiality.
Option C (LOKI.DAGGER): C:N / I:N / A:H
Confidentiality: None (C:N)
Availability: High (A:H)
Interpretation: This vulnerability allows for a significant disruption of service (DoS).
Conclusion: Since the policy explicitly prioritizes Confidentiality (Option B) over Availability (Option C), Option B is the highest priority.
The exam expects you to parse raw CVSS strings to assess risk. Here is the breakdown for the correct answer (Option B):
Metric  Code   Value     Meaning
AV      AV:N   Network   The vulnerability is exploitable remotely via the network (most dangerous).
AC      AC:L   Low       No complex conditions are required to exploit.
PR      PR:N   None      No privileges are required (unauthenticated).
UI      UI:N   None      No user interaction is required.
C       C:H    High      Confidentiality Impact. Total loss of confidentiality.
A       A:N    None      Availability Impact. No impact to uptime.
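As an added example (not part of the original walkthrough), the following Python parses CVSS v3.1 vector strings, in both the full "CVSS:3.1/AV:N/..." form and the abbreviated "C:H / I:N / A:N" form used above, and applies the two Security Policy 1006 rules as a sort key so the same elimination can be run over any set of options. The vectors for Options A and D, the Scope metric of Option B, and the non-impact metrics of Option C are constructed placeholders, since the page does not give them; using Availability as a final tiebreaker is an assumption, not something the policy states.

```python
# Added example: parse CVSS v3.1 vector strings and rank options by the two
# policy rules the walkthrough applies:
#   1. publicly available (external) systems before internal ones
#   2. confidentiality impact before availability impact
from dataclasses import dataclass

CVSS_PREFIX = "CVSS:3.1/"
IMPACT_RANK = {"N": 0, "L": 1, "H": 2}  # None < Low < High


def parse_cvss_vector(vector: str) -> dict:
    """Parse a CVSS v3.1 vector string into a {metric: value} dict.

    Accepts the full form "CVSS:3.1/AV:N/AC:L/..." as well as the
    abbreviated "C:H / I:N / A:N" form used in the walkthrough.
    Raises ValueError on a malformed component such as "AV" with no value.
    """
    body = vector.strip()
    if body.startswith(CVSS_PREFIX):
        body = body[len(CVSS_PREFIX):]
    metrics = {}
    for part in body.replace(" ", "").split("/"):
        if not part:
            continue
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed metric component: {part!r}")
        metrics[key] = value
    return metrics


@dataclass
class Option:
    label: str
    exposure: str  # "external" (publicly available) or "internal"
    vector: str


def policy_priority(opt: Option) -> tuple:
    """Sort key: external first, then higher Confidentiality impact,
    then higher Availability impact as an (assumed) tiebreaker."""
    m = parse_cvss_vector(opt.vector)
    external = 1 if opt.exposure == "external" else 0
    return (external, IMPACT_RANK[m.get("C", "N")], IMPACT_RANK[m.get("A", "N")])


def rank_options(options: list) -> list:
    """Return options ordered from highest to lowest patch priority."""
    return sorted(options, key=policy_priority, reverse=True)


# Constructed sample set. Only Option B's AV/AC/PR/UI/C/I/A values and
# Option C's C/I/A values come from the walkthrough; S:U on B, the other
# metrics on C, and the vectors for A and D are placeholders.
OPTIONS = [
    Option("A", "internal", "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"),
    Option("B", "external", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    Option("C", "external", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    Option("D", "internal", "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
]

if __name__ == "__main__":
    for opt in rank_options(OPTIONS):
        m = parse_cvss_vector(opt.vector)
        print(opt.label, opt.exposure, f"C:{m['C']} A:{m['A']}")
```

Run as a script it prints the options in priority order, with Option B first followed by Option C, which matches the elimination worked through above; Options A and D sort below both external options regardless of their impact values, exactly as the first policy rule requires.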