Question: 1/50
A security manager is selecting a risk treatment option for a legacy web application that cannot be patched for six months. A compensating control (WAF) will reduce likelihood, but the residual risk remains above the organization's risk appetite. What is the BEST next step?
Formally accept the residual risk because a compensating control is in place
Implement the WAF and request a documented risk exception signed by appropriate senior management
Immediately retire the application regardless of business impact
Transfer the risk by purchasing additional cyber insurance coverage