Item #2 is your answer. Why be concerned if you don’t have to be compliant?
I would also ask EEye what the report means on this specific vulnerability. In a way it may be saying just turn off optional services (as they should always be disabled).
Some ways to measure risk include:
How valuable is the asset?
How much of a threat exists?
What is the impact if the system/service is exploited?
Is the vulnerability rated high/medium/low?
Can the risk be reduced and how easy (technical & cost) can it be reduced?
What is the probability of the vulnerability being exploited?
You are asking yourself:
What are you protecting?
What can happen to it? – How can it happen?
What does it mean to the business?
How can the risk be reduced?
How likely is it to happen given the existing conditions?
Risk assessment goal: identify & prioritize risks.
Risk management goal: manage risks to an acceptable level.
– Mitigate: select controls; implement; monitor
– Transfer: purchase insurance
– Accept: do nothing
– Avoid: discontinue activity