ISM-0302 Removed History 2008 Where known vulnerabilities cannot be patched, agencies should use other protective measures as determined by a risk assessment.