The risk manager is reviewing a report which identifies a requirement to keep a business critical legacy system
operational for the next two years. The legacy system is out of support because the vendor and security
patches are no longer released. Additionally, this is a proprietary embedded system and little is documented
and known about it. Which of the following should the Information Technology department implement to reduce
the security risk from a compromise of this system?

A.
Virtualize the system and migrate it to a cloud provider.

B.
Segment the device on its own secure network.

C.
Install an antivirus and HIDS on the system.

D.
Hire developers to reduce vulnerabilities in the code.