A security analyst is prioritizing vulnerabilities for remediation. A critical vulnerability affects a legacy system that is scheduled for decommissioning in 6 months. How should this be handled?

  A. Remediate immediately despite the decommissioning timeline
  B. Postpone remediation until the system is decommissioned
  C. Implement compensating controls or isolate the system from critical processes ✓
  D. Accept the risk without further action

Correct answer: Implement compensating controls or isolate the system from critical processes

Option C is correct because when a critical vulnerability affects a system that will be decommissioned in six months, the risk-proportionate response is to implement compensating controls such as network isolation, tighter access restrictions, or enhanced monitoring, or to segregate the system from critical processes, thereby reducing exposure without investing heavily in a full remediation for a soon-to-be-retired asset.

Option A is incorrect because immediately remediating a critical finding on a system slated for decommission may be disproportionately costly and resource-intensive relative to the residual risk, especially if compensating controls can achieve acceptable risk reduction.

Option B is incorrect because simply postponing all action until decommissioning leaves the vulnerability fully exploitable for six months, which is an unacceptable risk posture for a critical-rated finding.

Option D is incorrect because accepting risk without any further action is appropriate only for low-severity findings after a formal documented risk acceptance process, not for critical vulnerabilities that remain in production.

Topic: vulnerability prioritization, compensating controls, risk management, legacy systems

Practice CompTIA CySA+ (CS0-003) Questions Free