Secure DVR web interface exposed to public internet

We got an email from Black Talon regarding Mark Steins office - their DVR web interface login page is publicly accessible and is not secure (http) , do we have a specific policy for handling this? They gave the options to Accept the Risk, Implement a Fix, or "Apply Compensatory Controls" . I believe we ran into some issues trying to fix this in the past (upgrading firmware did not help, etc)

Don't know about our policy, but most security companies won't allow DVR to be accessible in public through port forwarding. They allow maximum access through apps (cloud). ( They are even hosted on separate local networks, without access from other networks)