nerdexam
ExamsCAS-003Questions#29
CompTIA

CAS-003 · Question #29

CAS-003 Question #29: Real Exam Question with Answer & Explanation

The correct answer is C: Because of the significant ALE for each high-risk vulnerability, efforts should be focused on those. The cost-benefit data makes the answer clear through financial analysis. For high-impact controls: 4 gaps remain, each with an implementation cost of $15,000 and a probable Annual Loss Expectancy (ALE) of $95,000. That is a 6.3:1 return on investment for each gap closed. For medi

Question

A Chief Information Security Officer (CISO) is reviewing the results of a gap analysis with an outside cybersecurity consultant. The gap analysis reviewed all procedural and technical controls and found the following: High-impact controls implemented: 6 out of 10 Medium-impact controls implemented: 409 out of 472 Low-impact controls implemented: 97 out of 1000 The report includes a cost-benefit analysis for each control gap. The analysis yielded the following information: Average high-impact control implementation cost: $15,000; Probable ALE for each high-impact control gap: $95,000 Average medium-impact control implementation cost: $6,250; Probable ALE for each medium-impact control gap: $11,000 Due to the technical construction and configuration of the corporate enterprise, slightly more than 50% of the medium-impact controls will take two years to fully implement. Which of the following conclusions could the CISO draw from the analysis?

Options

  • AToo much emphasis has been placed on eliminating low-risk vulnerabilities in the past
  • BThe enterprise security team has focused exclusively on mitigating high-level risks
  • CBecause of the significant ALE for each high-risk vulnerability, efforts should be focused on those
  • DThe cybersecurity team has balanced residual risk for both high and medium controls

Explanation

The cost-benefit data makes the answer clear through financial analysis. For high-impact controls: 4 gaps remain, each with an implementation cost of $15,000 and a probable Annual Loss Expectancy (ALE) of $95,000. That is a 6.3:1 return on investment for each gap closed. For medium-impact controls: 63 gaps remain at $6,250 cost vs. $11,000 ALE - still positive ROI but far lower. Low-impact controls have an extremely low implementation rate (9.7%) but they are, by definition, low risk. Option C correctly identifies that the significant ALE associated with high-risk control gaps means efforts should be directed there first. Option A is unsupported speculation about past priorities. Option B is factually incorrect - only 60% of high-impact controls are implemented, indicating they have NOT been exclusively focused on. Option D is incorrect because the data shows high-impact controls are significantly under-implemented (60%), meaning residual risk is NOT balanced.

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full CAS-003 Practice