CompTIA CASP+ (CAS-004) — Question 290

The Chief Information Security Officer (CISO) has outlined a five-year plan for the company that includes the following:

• Implement an application security program.
• Reduce the click rate on phishing simulations from 73% to 8%.
• Deploy EDR to all workstations and servers.
• Ensure all systems are sending logs to the SIEM.
• Reduce the percentage of systems with vulnerabilities from 89% to 5%.

Which of the following would BEST aid the CISO in determining whether these goals are obtainable?

Answer options

• A. An asset inventory
• B. A third-party audit
• C. A risk assessment
• D. An organizational CMMI

Correct answer: C

Explanation

A risk assessment is crucial as it identifies potential risks and helps evaluate if the goals set by the CISO are realistic based on the current threat landscape and resource availability. An asset inventory provides details on assets but does not assess risks, while a third-party audit may offer an external perspective but is not focused on feasibility. An organizational CMMI assesses process maturity, which is not directly related to the specific goals outlined.