CompTIA CASP+ (CAS-003) — Question 138

An information security manager conducted a gap analysis, which revealed a 75% implementation of security controls for high-risk vulnerabilities, 90% for medium vulnerabilities, and 10% for low-risk vulnerabilities. To create a road map to close the identified gaps, the assurance team reviewed the likelihood of exploitation of each vulnerability and the business impact of each associated control. To determine which controls to implement, which of the following is the MOST important to consider?

Answer options

Correct answer: B

Explanation

The most important factor to consider is the KRI (Key Risk Indicator), because it tracks the likelihood that a given vulnerability will be exploited. A KPI (Key Performance Indicator) measures the effectiveness of a control, GRC (Governance, Risk Management, and Compliance) addresses broader governance concerns, and a BIA (Business Impact Analysis) evaluates the effects of incidents rather than the risks themselves.