The payroll system is not meeting security policy due to missing OS security patches. We cannot apply the patches to the system because the vendor states that the system is only supported on the current OS patch level. Therefore, we need another way of securing the system.
We can improve the security of the system and the other systems on the network by isolating the payroll system on a secure network to limit its contact with other systems. This will reduce the likelihood of a malicious user accessing the payroll system and limit any damage to other systems if the payroll system is attacked.
Incorrect Answers:
B: An application layer firewall may provide some protection to the application. However, the operating system is vulnerable due to being unpatched. It is unlikely that an application layer firewall will protect against the operating system vulnerabilities.
C: Monitoring the system's security log for unauthorized access to the payroll application will not actually provide any protection against unauthorized access. It would just enable you to see that unauthorized access has occurred.
D: Reconciling the payroll transactions on a daily basis would keep the accounts up to date but it would provide no protection for the system and so does not mitigate the vulnerability of missing OS patches as required in this question.

Of the options given, the BEST risk calculation methodology would be Potential Loss x Event Probability x Control Failure Probability. This exam is about computer and data security so `loss' caused by risk is not necessarily a monetary value.
For example:
Potential Loss could refer to the data lost in the event of a data storage failure. Event probability could be the risk a disk drive or drives failing. Control Failure Probability could be the risk of the storage RAID not being able to handle the number of failed hard drives without losing data.

RFI (request for information)
The first phase in the contract requirement process, in which a company sends out notices to prospective vendors or contractors asking them for their experience and qualification in filling the business's need for services or equipment.
RFP (request for proposal)
The second phase in the contract requirement process, in which a company asks prospective vendors or contractors for their proposed solutions to the business's needs.
RFQ (request for quote)
The third phase in the contract requirement process, in which a company negotiates the financial details of their relationship with prospective vendors or contractors.