A Chief Information Security Officer (CISO) is reviewing the results of a gap analysis with an outside cybersecurity consultant.
The gap analysis reviewed all procedural and technical controls and found the following:
– High-impact controls implemented: 6 out of 10
– Medium-impact controls implemented: 409 out of 472
– Low-impact controls implemented: 97 out of 1000
The report includes a cost-benefit analysis for each control gap.
The analysis yielded the following information:
– Average high-impact control implementation cost: $15,000; Probable ALE for each high-impact control gap: $95,000
– Average medium-impact control implementation cost: $6,250; Probable ALE for each medium-impact control gap: $11,000
Due to the technical construction and configuration of the corporate enterprise, slightly more than 50% of the medium-impact controls will take two years to fully implement.
Which of the following conclusions could the CISO draw from the analysis?
A . Too much emphasis has been placed on eliminating low-risk vulnerabilities in the past
B . The enterprise security team has focused exclusively on mitigating high-level risks
C . Because of the significant ALE for each high-risk vulnerability, efforts should be focused on those controls
D . The cybersecurity team has balanced residual risk for both high and medium controls
Answer: C
Latest CAS-003 Dumps Valid Version with 509 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund