There is a delay between the time when a security vulnerability is first published, and the time when a patch is delivered. What should be carried out FIRST to mitigate the risk during this time period?


The correct answer is to identify the vulnerable systems and apply compensating controls. Identification has to come first because nothing else can be scoped until you know which systems actually run the affected product and version, which of them are reachable by an attacker, and what they protect. Only then do you know where protective measures are needed and which hosts deserve them first.

Compensating controls are alternative safeguards that reduce the likelihood or impact of exploitation until the patch can be applied. Typical examples are restricting network reachability to the affected service (perimeter firewall rules, network segmentation, host firewalls), tightening access controls on the affected hosts, disabling the vulnerable feature where the product allows it, and increasing logging and monitoring so that attempted exploitation is detected while the window is open.

This approach grounds mitigation in the organization's actual environment (which hosts, what exposure, what business impact) rather than in the generic severity of the advisory, and it reduces the exposed attack surface while the vulnerability is unpatched. Once the vulnerable systems are identified and protected, the remaining actions, such as user communication, detection tuning, and eventually patching and verifying the patch, can be scoped and sequenced against a known list of affected systems.
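The two steps above, matching an advisory against an inventory and then choosing a compensating control per affected host, are shown below as an added example; it is not part of the original page and it uses a constructed inventory and a hypothetical product name ("examplewebd") with hypothetical version numbers. The version parser handles only dotted-numeric versions, which is an assumption; real products need a proper version scheme.

```python
"""Triage a published vulnerability against an asset inventory and propose
compensating controls for each affected host until the patch can be applied.

Added example: inventory, product name and versions are all constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool
    zone: str


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_from: str          # first affected version, inclusive
    fixed_in: Optional[str]     # first fixed version, exclusive; None while no patch exists
    network_reachable: bool     # True when the flaw is exploitable over the network


def parse_version(text: str) -> tuple:
    # Assumption: dotted-numeric versions only ("3.2.1"). Tuples compare
    # element-wise, so (3, 2, 1) < (3, 2, 4) works as expected.
    return tuple(int(part) for part in text.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Step 1: does this asset fall inside the advisory's affected range?"""
    if asset.product != adv.product:
        return False
    v = parse_version(asset.version)
    if v < parse_version(adv.affected_from):
        return False
    # With no fix published yet, every version from affected_from onward is affected.
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)


def compensating_controls(asset: Asset, adv: Advisory) -> tuple:
    """Step 2: pick a priority and interim controls based on exposure, not
    just on the advisory's generic severity. Returns (priority, controls)."""
    monitoring = "raise logging level and alert on anomalous access to this host"
    if adv.network_reachable and asset.internet_facing:
        return "critical", [
            "restrict inbound traffic at the perimeter firewall to an explicit allowlist",
            "disable the vulnerable feature if the product allows it",
            monitoring,
        ]
    if adv.network_reachable:
        return "high", [
            f"segment the host so only the admin subnet can reach it (zone: {asset.zone})",
            monitoring,
        ]
    # Local-only flaw: the remaining risk is from users/accounts already on the box.
    return "medium", [
        "limit interactive and service accounts on the host to those required",
        monitoring,
    ]


_RANK = {"critical": 0, "high": 1, "medium": 2}


def triage(inventory: list, adv: Advisory) -> list:
    """Return one work item per affected host, most exposed first."""
    items = []
    for asset in inventory:
        if is_affected(asset, adv):
            priority, controls = compensating_controls(asset, adv)
            items.append({"host": asset.host, "version": asset.version,
                          "priority": priority, "controls": controls})
    return sorted(items, key=lambda i: (_RANK[i["priority"]], i["host"]))


# Constructed inventory and advisory for demonstration only.
INVENTORY = [
    Asset("web-01", "examplewebd", "3.2.1", True, "dmz"),       # affected, internet-facing
    Asset("web-02", "examplewebd", "3.2.4", True, "dmz"),       # already at fixed version
    Asset("intranet-01", "examplewebd", "3.1.0", False, "corp"),  # affected, internal only
    Asset("db-01", "exampledb", "12.0", False, "corp"),         # different product
    Asset("legacy-01", "examplewebd", "2.9.9", False, "corp"),  # below affected range
]
ADVISORY = Advisory("examplewebd", affected_from="3.0.0", fixed_in="3.2.4", network_reachable=True)

if __name__ == "__main__":
    for item in triage(INVENTORY, ADVISORY):
        print(f"[{item['priority']}] {item['host']} ({item['version']})")
        for control in item["controls"]:
            print(f"    - {control}")
```

Running the block lists web-01 as critical and intranet-01 as high; web-02, db-01 and legacy-01 are correctly left out, which is the point of doing identification before any blanket action such as warning all users or disabling every instance of the product.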

Minimizing the use of vulnerable systems, communicating the vulnerability to users, and updating intrusion detection systems are all legitimate parts of the overall response, but each of them presupposes that you already know which systems are affected: you cannot reduce the use of, warn users about, or tune detection for systems you have not yet identified. That dependency is why they are secondary actions that follow the primary task of identifying the vulnerable systems and applying compensating controls.
