CYB$-400$ Security Assessment & Auditing

Discussion: Ethical Decision Making

Scenario: Management has been proud that sensitive customer information stored in company systems has never been accessed by an unauthorized party. This is a major bragging point with the chief technology officer $($CTO$).$ Your supervisor reports directly to the CTO and is always trying to please them. You are responsible for ensuring that this data remains secure$.$

Sensitive data is stored in a database protected by technical and administrative controls. A scheduled audit report reveals a vulnerability that could be exploited. However, there is no immediate evidence of an adversarial presence or unusual internal traffic. In looking into this matter, you find that a technical control is out of date. You missed installing a patch.

While the company has an incident response plan, invoking that will call for a team response. Does this apparently unexploited vulnerability rise to the level of an incident? With a simple upgrade, the system should be secure$.$

What should you do and why?

In the initial response, select and defend a course of action. May consider the following possibilities or craft one of your own:

$1.$ Fix the issue and don't tell anyone. There's no reason to make a big deal of this minor event.

$2.$ Fix the issue and explain to management that there was a problem. They need to know.

$3.$ Don't fix it$.$ Start by reporting the issue internally. Follow the incident response plan.

$4.$ Turn this matter over to a colleague for decisions and action; you may be caught up in the investigation and should avoid any conflict of interest.

I would appreciate your help.

Thank you