1. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (Special Publication 800-53, Revision 5).
   Control SC-7, Boundary Protection: the discussion section for this control states that "Boundary protection is a security design principle that involves isolating critical system components... This is achieved by controlling the flow of information between network segments." This directly supports using isolation for vulnerable critical systems.
   Control SI-2, Flaw Remediation: the discussion for this control acknowledges that for some components flaw remediation may not be possible (as with EOL systems) and that organizations should "apply other mitigations." Network isolation is a primary example of such a mitigation.

2. University of California, Berkeley. (2023). Minimum Security Standard for Networked Devices. Information Security Office.
   Section 5.1, Unsupported Software: this standard mandates that "Devices running unsupported software must be isolated from the network" or have other compensating controls approved. This illustrates that isolation is a standard, required practice for EOL systems in a formal security program.

3. Kim, D., & Solomon, M. G. (2021). Fundamentals of Information Systems Security (4th ed.). Jones & Bartlett Learning.
   In its discussion of defense in depth and securing legacy systems (chapter on network security), the text emphasizes network segmentation and isolation as key compensating controls when patching is not an option, describing how firewalls and VLANs are used to create secure enclaves for critical assets that cannot be updated.
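The enclave pattern described in entry 3 (firewalls and VLANs fencing off assets that cannot be patched) and the "must be isolated from the network" requirement in entry 2 are only as good as the rule set that enforces them. The following is an added example, not code from any of the cited sources: it models a VLAN/firewall enclave as an ordered, first-match rule list with an implicit default deny, then audits which source networks can still initiate traffic to an end-of-life host without being on the approved list. The inventory, addresses, rule sets and the approved management VLAN are constructed for illustration.

```python
"""Audit whether end-of-life (EOL) hosts sit in a properly isolated enclave.

Added example, not taken from NIST SP 800-53, the UC Berkeley standard, or
Kim & Solomon. It models a VLAN/firewall enclave as an ordered, first-match
rule list with an implicit default deny and reports every source network
that can still initiate traffic to an EOL host without being on the approved
(management / jump-host) list. All inventory, addressing and rules below are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR permitted or denied to initiate
    dst: str                 # CIDR of the destination (the enclave)
    dport: Optional[int]     # destination port, None = any port
    action: str              # "accept" or "drop"


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    supported: bool          # False = vendor no longer ships patches (EOL)


@dataclass(frozen=True)
class Finding:
    device: str
    source: str              # CIDR that can reach the EOL device
    dport: Optional[int]


def is_allowed(rules: List[Rule], src: str, dst: str, dport: int) -> bool:
    """First-match evaluation with default deny, as a firewall would do it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action == "accept"
    return False


def _carve(nets, cut):
    """Remove address range `cut` from every network in `nets`."""
    out = []
    for n in nets:
        if n.subnet_of(cut):
            continue                              # entirely removed
        if cut.subnet_of(n):
            out.extend(n.address_exclude(cut))    # split n around the cut
        else:
            out.append(n)                         # disjoint, keep whole
    return out


def audit_isolation(devices, rules, approved_sources) -> List[Finding]:
    """Report unapproved source ranges that can initiate to any EOL device.

    For each accept rule covering the device, its source range is reduced by
    (a) every approved source network and (b) the source of every earlier
    rule that would match first for the same port. Whatever remains can
    reach the device and is a gap in the isolation.
    """
    approved = [ipaddress.ip_network(a) for a in approved_sources]
    findings = []
    for dev in devices:
        if dev.supported:
            continue
        dst_ip = ipaddress.ip_address(dev.ip)
        for i, r in enumerate(rules):
            if r.action != "accept" or dst_ip not in ipaddress.ip_network(r.dst):
                continue
            reach = [ipaddress.ip_network(r.src)]
            for a in approved:
                reach = _carve(reach, a)
            for earlier in rules[:i]:
                same_port = earlier.dport is None or earlier.dport == r.dport
                if same_port and dst_ip in ipaddress.ip_network(earlier.dst):
                    reach = _carve(reach, ipaddress.ip_network(earlier.src))
            findings.extend(Finding(dev.name, str(n), r.dport) for n in reach)
    return findings


# Constructed inventory: one EOL HMI in the legacy enclave 10.10.50.0/24 plus
# the management jump host; only the management VLAN 10.0.1.0/24 is approved.
DEVICES = [
    Device("hmi-legacy", "10.10.50.20", supported=False),
    Device("jump-01", "10.0.1.5", supported=True),
]
APPROVED = ["10.0.1.0/24"]

# Weak ruleset: SMB is opened from the whole 10/8 instead of the management VLAN.
WEAK_RULES = [
    Rule("10.0.1.5/32", "10.10.50.0/24", 3389, "accept"),   # jump host RDP
    Rule("10.0.2.0/24", "10.10.50.0/24", None, "drop"),     # guest VLAN blocked
    Rule("10.0.0.0/8", "10.10.50.0/24", 445, "accept"),     # far too broad
]

# Corrected ruleset: SMB reachable only from the management VLAN.
FIXED_RULES = [
    Rule("10.0.1.5/32", "10.10.50.0/24", 3389, "accept"),
    Rule("10.0.1.0/24", "10.10.50.0/24", 445, "accept"),
]

if __name__ == "__main__":
    for f in audit_isolation(DEVICES, WEAK_RULES, APPROVED):
        print(f"GAP: {f.source} -> {f.device} port {f.dport}")
    print("fixed ruleset findings:", audit_isolation(DEVICES, FIXED_RULES, APPROVED))
```

Run as-is, the weak ruleset produces findings such as 10.0.0.0/24 and 10.0.3.0/24 reaching the HMI on port 445 (the guest VLAN 10.0.2.0/24 is absent because the earlier drop rule shadows it), while the corrected ruleset produces none. Subtracting earlier rules rather than probing a single witness address is what keeps the audit free of false negatives when a broad accept rule is only partially shadowed by an earlier drop.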