
CAS-004 Exam - Question 391


The Chief Information Security Officer (CISO) has outlined a five-year plan for the company that includes the following:

• Implement an application security program.

• Reduce the click rate on phishing simulations from 73% to 8%.

• Deploy EDR to all workstations and servers.

• Ensure all systems are sending logs to the SIEM.

• Reduce the percentage of systems with vulnerabilities from 89% to 5%.

Which of the following would BEST aid the CISO in determining whether these goals are obtainable?

Correct Answer: C

A risk assessment would best aid the Chief Information Security Officer (CISO) in determining whether the outlined goals are obtainable. A risk assessment involves identifying, evaluating, and prioritizing potential risks, which is crucial for understanding the current security posture of the organization. It helps identify existing vulnerabilities and gaps in the system, thereby providing insights into what needs to be addressed to achieve the CISO's goals. These goals include implementing an application security program, reducing the click rate on phishing simulations, deploying EDR, and ensuring systems are sending logs to the SIEM. By evaluating these aspects, a risk assessment can help determine if the goals are realistic and achievable within the given timeframe, making it the most relevant and effective approach.

Discussion

7 comments
biggytech (Option: C)
Nov 20, 2023

Answer is C. Risk Assessment, CMMI is too broad imo whereas Risk assessment will dive deeper into the specific measures

wizwiz (Option: D)
Nov 21, 2023

Option D. An organizational Capability Maturity Model Integration (CMMI) would best aid the CISO in determining whether these goals are obtainable. The CMMI is a process and behavioral model that helps organizations streamline process improvement and encourage behaviors that lead to improved performance. By assessing the maturity of the organization’s processes and practices, the CMMI can help determine the feasibility of the CISO’s goals. It can identify strengths and weaknesses in the current approach, and suggest areas for improvement that would increase the likelihood of achieving the outlined goals. While the other options (asset inventory, third-party audit, risk assessment) can provide valuable information and may be part of the overall strategy, they do not provide the comprehensive view of organizational capabilities offered by the CMMI.

ElDirec (Option: C)
Feb 5, 2024

C. A risk assessment would BEST aid the CISO in determining whether these goals are obtainable. A risk assessment involves identifying, evaluating, and prioritizing risks. This process can help the CISO understand the current security posture of the organization, identify gaps or areas of concern, and determine the feasibility of the outlined goals. It can provide valuable insights into whether the goals are realistic given the organization’s current situation and resources. While the other options (An asset inventory, A third-party audit, An organizational CMMI) can provide useful information and contribute to the overall security strategy, they do not directly address the question of whether the specific goals outlined by the CISO are obtainable.

041ba31 (Option: C)
May 28, 2024

The best answer is C. A risk assessment. A risk assessment will help the CISO determine the current state of the organization's security posture, identify gaps, and evaluate the feasibility of achieving the outlined goals within the five-year plan.

armid
Jul 6, 2024

So he knows very specifically (73, 89 - those don't look to me like rough estimations) what percentage of assets have vulnerabilities (hence he knows what assets he has and which ones are vulnerable), meaning he already has A and he already did C (or B). Leaving out D. On top of that, this is exactly what CMMI is for xD

OdinAtlasSteel (Option: C)
Nov 27, 2023

Implementing an Organizational Capability Maturity Model Integration (CMMI) could indeed aid the CISO in understanding the organization's process maturity and efficiency. However, when considering the specific goals outlined by the CISO for the five-year plan, a risk assessment (option C) would likely be the more directly relevant and effective approach to determine the feasibility of achieving those goals. The Capability Maturity Model Integration (CMMI) generally focuses on assessing and improving an organization's processes and practices. While it can provide valuable insights into process maturity and efficiency, it may not directly address the specific security objectives outlined in the plan, such as reducing phishing click rates, deploying EDR, ensuring log collection for SIEM, or reducing system vulnerabilities.

ElDirec
Feb 5, 2024

I want to believe this, but I googled "COMPTIA CMMI" and could not find anything that hints this is what COMPTIA expects

e020fdc (Option: D)
Feb 20, 2024

https://support.isaca.org/s/article/What-is-the-CMMI-Cybermaturity-Platform-1598331743391

EAlonso (Option: A)
Jul 16, 2024

The KRIs are identified; in a 5-year period many changes can occur in the assets and their exposure to risk.