CompTIA CASP+ (CAS-003) — Question 61

The Chief Information Officer (CIO) has been asked to develop a security dashboard with the relevant metrics. The board of directors will use the dashboard to monitor and track the overall security posture of the organization. The CIO produces a basic report containing both KPI and KRI data in two separate sections for the board to review.
Which of the following BEST meets the needs of the board?

Answer options

• A. KRI: - Compliance with regulations - Backlog of unresolved security investigations - Severity of threats and vulnerabilities reported by sensors - Time to patch critical issues on a monthly basis KPI: - Time to resolve open security items - % of suppliers with approved security control frameworks - EDR coverage across the fleet - Threat landscape rating
• B. KRI: - EDR coverage across the fleet - Backlog of unresolved security investigations - Time to patch critical issues on a monthly basis - Threat landscape rating KPI: - Time to resolve open security items - Compliance with regulations - % of suppliers with approved security control frameworks - Severity of threats and vulnerabilities reported by sensors
• C. KRI: - EDR coverage across the fleet - % of suppliers with approved security control framework - Backlog of unresolved security investigations - Threat landscape rating KPI: - Time to resolve open security items - Compliance with regulations - Time to patch critical issues on a monthly basis - Severity of threats and vulnerabilities reported by sensors
• D. KPI: - Compliance with regulations - % of suppliers with approved security control frameworks - Severity of threats and vulnerabilities reported by sensors - Threat landscape rating KRI: - Time to resolve open security items - Backlog of unresolved security investigations - EDR coverage across the fleet - Time to patch critical issues on a monthly basis

Correct answer: A

Explanation

Option A is the best choice because it effectively balances both KRI and KPI metrics that provide a comprehensive view of the organization's security posture, covering compliance, unresolved security investigations, and threat severity. The other options either misplace the relevance of certain KPIs and KRIs or lack critical metrics that would be necessary for the board's oversight.