A Chief Information Security Officer (CISO) is reviewing the results of a gap analysis with an outside cybersecurity consultant.
The gap analysis reviewed all procedural and technical controls and found the following:
-> High-impact controls implemented: 6 out of 10
-> Medium-impact controls implemented: 409 out of 472
-> Low-impact controls implemented: 97 out of 1000
The report includes a cost-benefit analysis for each control gap.
The analysis yielded the following information:
-> Average high-impact control implementation cost: $15,000; Probable ALE for each high-impact control gap: $95,000
-> Average medium-impact control implementation cost: $6,250; Probable ALE for each medium-impact control gap: $11,000
Due to the technical construction and configuration of the corporate enterprise, slightly more than 50% of the medium-impact controls will take two years to fully implement.
Which of the following conclusions could the CISO draw from the analysis?
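A. Too much emphasis has been placed on eliminating low-risk vulnerabilities in the past
B. The enterprise security team has focused exclusively on mitigating high-level risks
C. Because of the significant ALE for each high-risk vulnerability, efforts should be focused on those controls
D. The cybersecurity team has balanced residual risk for both high and medium controls
Answer: C.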
Based on the information provided, the CISO could draw the following conclusion:
C. Because of the significant ALE for each high-risk vulnerability, efforts should be focused on those controls.
The gap analysis report indicates that 6 out of 10 high-impact controls have been implemented, which means that there are still 4 high-impact control gaps that need to be addressed. The cost-benefit analysis for each high-impact control gap indicates that the probable ALE (Annualized Loss Expectancy) for each gap is $95,000, which is a significant amount. Therefore, the CISO could conclude that efforts should be focused on implementing the remaining high-impact controls in order to reduce the potential financial impact of a security incident.
The report also indicates that 409 out of 472 medium-impact controls have been implemented, which means that there are still 63 medium-impact control gaps that need to be addressed. The cost-benefit analysis for each medium-impact control gap indicates that the probable ALE for each gap is $11,000. However, slightly more than 50% of the medium-impact controls will take two years to fully implement due to the technical construction and configuration of the corporate enterprise. Therefore, the CISO could conclude that efforts should be made to address the medium-impact control gaps that can be implemented in the short term while planning for the longer-term implementation of the remaining medium-impact controls.
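The figures in the report can be worked through per tier. The following is an added example, not part of the original question. It assumes that closing a gap removes that gap's full ALE, that all implementation cost is paid up front, that 32 of the 63 medium gaps stand in for "slightly more than 50%", and that those slow gaps only start avoiding loss in year 3. The low-impact tier is left out because the report gives no cost or ALE for it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tier:
    name: str
    total: int         # controls in scope (from the report)
    implemented: int   # controls already in place (from the report)
    unit_cost: int     # average implementation cost per control, USD
    unit_ale: int      # probable ALE per open gap, USD per year
    slow_gaps: int = 0 # gaps needing two years to implement (assumption)

    @property
    def gaps(self) -> int:
        return self.total - self.implemented

    def ratio(self) -> float:
        """Annual loss avoided per dollar spent closing one gap."""
        return self.unit_ale / self.unit_cost

    def cumulative_net(self, years: int) -> int:
        """ALE avoided after `years` minus total implementation cost."""
        fast = self.gaps - self.slow_gaps
        avoided = fast * self.unit_ale * years
        # Assumed model: slow gaps contribute nothing during their first two years.
        avoided += self.slow_gaps * self.unit_ale * max(0, years - 2)
        return avoided - self.gaps * self.unit_cost

# Values taken from the gap analysis; slow_gaps=32 is a constructed assumption.
HIGH = Tier("high", 10, 6, 15_000, 95_000)
MEDIUM = Tier("medium", 472, 409, 6_250, 11_000, slow_gaps=32)

def rank(tiers):
    """Order tiers by loss avoided per dollar, best first."""
    return sorted(tiers, key=Tier.ratio, reverse=True)

if __name__ == "__main__":
    for t in rank([MEDIUM, HIGH]):
        nets = ", ".join(f"y{y}: {t.cumulative_net(y):>9,}" for y in (1, 2, 3))
        print(f"{t.name:<6} gaps={t.gaps:<3} ALE/$={t.ratio():.2f}  {nets}")
```

Under these assumptions the four high-impact gaps return about $6.33 of avoided annual loss per dollar against $1.76 for the medium tier, and the medium tier is still net negative after its first year.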
Option A (Too much emphasis has been placed on eliminating low-risk vulnerabilities in the past) is not supported by the information provided in the report. The report only indicates that 97 out of 1000 low-impact controls have been implemented, but it does not provide any information about the effectiveness or importance of these controls.
Option B (The enterprise security team has focused exclusively on mitigating high-level risks) is also not supported by the information provided in the report. The report indicates that a significant number of medium-impact controls have been implemented, which suggests that efforts have been made to address a range of risk levels.
Option D (The cybersecurity team has balanced residual risk for both high and medium controls) is not an accurate conclusion based on the information provided in the report. The report does not provide any information about residual risk or how the cybersecurity team has balanced risk across different control levels.