38.1k views
3 votes
A Chief Information Security Officer (CISO) is reviewing the results of a gap analysis with an outside cybersecurity consultant. The gap analysis reviewed all procedural and technical controls and found the following:

✑ High-impact controls implemented: 6 out of 10
✑ Medium-impact controls implemented: 409 out of 472
✑ Low-impact controls implemented: 97 out of 1000

The report includes a cost-benefit analysis for each control gap. The analysis yielded the following information:

✑ Average high-impact control implementation cost: $15,000; Probable ALE for each high-impact control gap: $95,000
✑ Average medium-impact control implementation cost: $6,250; Probable ALE for each medium-impact control gap: $11,000

Due to the technical construction and configuration of the corporate enterprise, slightly more than 50% of the medium-impact controls will take two years to fully implement.

Which of the following conclusions could the CISO draw from the analysis?

A. Too much emphasis has been placed on eliminating low-risk vulnerabilities in the past
B. The enterprise security team has focused exclusively on mitigating high-level risks
C. Because of the significant ALE for each high-risk vulnerability, efforts should be focused on those controls
D. The cybersecurity team has balanced residual risk for both high and medium controls

by User Iravanchi, 7.2k points

1 Answer

2 votes

Final answer:

The CISO should prioritize efforts on high-impact control gaps due to their high ALE relative to the implementation cost and strategically plan for medium-impact controls that require more time to implement.

Step-by-step explanation:

The Chief Information Security Officer (CISO) analyzing the gap analysis can conclude that due to the significant Average Loss Expectancy (ALE) for each high-risk vulnerability, which is $95,000 compared to the $15,000 implementation cost per control, efforts should be prioritized on implementing the remaining high-impact controls. Although medium-impact controls also need attention as their ALE stands at $11,000 with an implementation cost of $6,250 each, slightly more than 50% will take two years to implement, indicating the need for a strategic timeline. The data does not sufficiently support the conclusions that either too much emphasis has been placed on low-risk vulnerabilities or that the security team has exclusively focused on high-level risks.

Additionally, the data on low-impact controls is insufficient to draw a conclusion since their costs and ALE are not provided. Therefore, with the available information, the CISO might focus on closing high-risk control gaps promptly while planning for the gradual implementation of medium-impact controls over the two-year period.

by User Whichdan, 8.1k points
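The cost-benefit comparison behind the answer above, worked through in code. This is an added example, not part of the question or of either user's post. The tier figures are the ones quoted in the question; the ranking rule (annual ALE avoided per dollar of implementation cost, a return-on-security-investment style heuristic), the `ControlTier` / `tier_summary` / `prioritize` / `deferred_exposure` names, and the choice to model "slightly more than 50%" as a 0.5 fraction rounded up to whole controls are assumptions made here for illustration.

```python
"""Cost-benefit triage of control gaps from a gap analysis (added example).

Figures are those quoted in the question; the ranking heuristic and the
treatment of the two-year delay are assumptions made for this example.
"""
from dataclasses import dataclass
from math import ceil
from typing import Optional


@dataclass(frozen=True)
class ControlTier:
    name: str
    implemented: int
    total: int
    unit_cost: Optional[int]  # average implementation cost per gap ($); None if not reported
    unit_ale: Optional[int]   # probable ALE per gap ($/year); None if not reported

    @property
    def gaps(self) -> int:
        return self.total - self.implemented

    @property
    def coverage(self) -> float:
        return self.implemented / self.total


# Tier data from the question (low-impact cost and ALE were not provided).
HIGH = ControlTier("high", implemented=6, total=10, unit_cost=15_000, unit_ale=95_000)
MEDIUM = ControlTier("medium", implemented=409, total=472, unit_cost=6_250, unit_ale=11_000)
LOW = ControlTier("low", implemented=97, total=1000, unit_cost=None, unit_ale=None)


def tier_summary(t: ControlTier) -> dict:
    """Totals for closing every gap in a tier; None where the report gave no figures."""
    if t.unit_cost is None or t.unit_ale is None:
        return {"tier": t.name, "gaps": t.gaps, "coverage": t.coverage,
                "total_cost": None, "total_ale": None,
                "benefit_cost_ratio": None, "first_year_net": None}
    total_cost = t.gaps * t.unit_cost
    total_ale = t.gaps * t.unit_ale
    return {
        "tier": t.name,
        "gaps": t.gaps,
        "coverage": t.coverage,
        "total_cost": total_cost,
        "total_ale": total_ale,                        # annual loss avoided if all gaps close
        "benefit_cost_ratio": total_ale / total_cost,  # ALE avoided per $ spent (per year)
        "first_year_net": total_ale - total_cost,      # one-off cost against one year of ALE
    }


def prioritize(tiers):
    """Rank tiers that have cost/ALE data by benefit-cost ratio; report the rest as data gaps."""
    summaries = [tier_summary(t) for t in tiers]
    ranked = sorted((s for s in summaries if s["benefit_cost_ratio"] is not None),
                    key=lambda s: s["benefit_cost_ratio"], reverse=True)
    unranked = [s["tier"] for s in summaries if s["benefit_cost_ratio"] is None]
    return [s["tier"] for s in ranked], unranked


def deferred_exposure(t: ControlTier, delayed_fraction: float, years: int) -> dict:
    """Residual ALE carried while a fraction of a tier's gaps waits `years` to close.

    The fraction is rounded up to whole controls, and the delayed controls are
    assumed to stay open for the whole period (a deliberately conservative view).
    """
    delayed = ceil(t.gaps * delayed_fraction)
    return {
        "delayed_controls": delayed,
        "prompt_controls": t.gaps - delayed,
        "residual_ale_over_period": delayed * t.unit_ale * years,
    }


if __name__ == "__main__":
    for tier in (HIGH, MEDIUM, LOW):
        print(tier_summary(tier))
    print("priority order / insufficient data:", prioritize([HIGH, MEDIUM, LOW]))
    # "slightly more than 50%" of medium-impact controls take two years: assume 0.5, rounded up.
    print("medium-tier phasing:", deferred_exposure(MEDIUM, delayed_fraction=0.5, years=2))
```

Running it shows why option C is the supportable conclusion: the four open high-impact gaps cost $60,000 to close against $380,000 of annual ALE (a ratio above 6), the 63 medium-impact gaps cost $393,750 against $693,000 (a ratio below 2), and the low tier cannot be ranked at all because the report gives it no cost or ALE. The phasing function also makes the two-year caveat concrete: the roughly half of the medium gaps that cannot be closed quickly keep carrying their ALE in the meantime, which is the planning problem the answer points at.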