Certified in Risk and Information Systems Control (CRISC) — Question 185
Which of the following is the BEST key control indicator (KCI) for a vulnerability management program?
Answer options
- A. Percentage of high-risk vulnerabilities addressed
- B. Percentage of high-risk vulnerabilities missed
- C. Defined thresholds for high-risk vulnerabilities
- D. Number of high-risk vulnerabilities outstanding
Correct answer: A
Explanation
The correct answer, A, measures how actively high-risk vulnerabilities are being addressed, which is critical for managing security risks effectively. Options B and D focus on missed and outstanding vulnerabilities, which do not provide a proactive measure of the program's effectiveness. Option C, while relevant, does not directly measure performance outcomes.