In the event that a password policy cannot be implemented for a legacy application, which of the following is the BEST course of action?
Correct answer: B.
When a legacy application cannot support a password policy, the BEST course of action is to implement compensating controls. Compensating controls are security measures put in place to mitigate the risk that arises when a security control cannot be implemented.
Option A, updating the application security policy, is not the best course of action since it does not address the specific issue of a legacy application not being able to support a password policy. Option D, performing an application security assessment, may be a good idea, but it does not provide a solution to the specific issue at hand.
Option C, submitting a waiver for the legacy application, is also not the best course of action. Waivers should only be used when other options have been exhausted and there is no other way to mitigate the risk. However, in this case, there is a viable option in implementing compensating controls.
Therefore, the BEST course of action is to implement compensating controls, such as implementing additional authentication factors or using biometric authentication, to mitigate the risk of not being able to implement a password policy. These compensating controls should be documented and regularly reviewed to ensure that they continue to effectively mitigate the risk.