A Chief Information Security Officer (CISO) is reviewing the results of a gap analysis with an outside cybersecurity consultant. The gap analysis reviewed all procedural and technical controls and found the following:

High-impact controls implemented: 6 out of 10
Medium-impact controls implemented: 409 out of 472
Low-impact controls implemented: 97 out of 1000

The report includes a cost-benefit analysis for each control gap. The analysis yielded the following information:

Average high-impact control implementation cost: $15,000; Probable ALE for each high-impact control gap: $95,000
Average medium-impact control implementation cost: $6,250; Probable ALE for each medium-impact control gap: $11,000

Due to the technical construction and configuration of the corporate enterprise, slightly more than 50% of the medium-impact controls will take two years to fully implement.

Which of the following conclusions could the CISO draw from the analysis?
A) Too much emphasis has been placed on eliminating low-risk vulnerabilities in the past
B) The enterprise security team has focused exclusively on mitigating high-level risks
C) Because of the significant ALE for each high-risk vulnerability, efforts should be focused on those controls
D) The cybersecurity team has balanced residual risk for both high and medium controls