
Exam CAS-004 topic 1 question 391 discussion

Actual exam question from CompTIA's CAS-004
Question #: 391
Topic #: 1

The Chief Information Security Officer (CISO) has outlined a five-year plan for the company that includes the following:

• Implement an application security program.
• Reduce the click rate on phishing simulations from 73% to 8%.
• Deploy EDR to all workstations and servers.
• Ensure all systems are sending logs to the SIEM.
• Reduce the percentage of systems with vulnerabilities from 89% to 5%.

Which of the following would BEST aid the CISO in determining whether these goals are obtainable?

  • A. An asset inventory
  • B. A third-party audit
  • C. A risk assessment
  • D. An organizational CMMI
Suggested Answer: C 🗳️

Comments

biggytech
Highly Voted 1 year, 5 months ago
The answer is C, risk assessment. CMMI is too broad IMO, whereas a risk assessment will dive deeper into the specific measures.
upvoted 7 times
Bright07
Most Recent 4 months, 3 weeks ago
Selected Answer: C
A risk assessment involves evaluating the current state of security, identifying potential threats, and assessing the likelihood and impact of those threats. It helps the CISO:
  • Evaluate the current security posture: this includes understanding where the organization stands in terms of application security, phishing awareness, vulnerability management, and other key areas.
  • Prioritize objectives: a risk assessment can help identify the most critical vulnerabilities and areas of concern, allowing the CISO to align the goals with the current risk landscape.
  • Set realistic targets: by assessing the risks, the CISO can better determine whether the goal percentages (e.g., reducing the phishing click rate from 73% to 8%) are achievable, based on the organization's current risk and resource levels.
  • Measure success and progress: a comprehensive risk assessment can be used to track progress over time and help adjust strategies accordingly.
upvoted 2 times
EAlonso
9 months, 3 weeks ago
Selected Answer: A
The KRIs are identified; in a 5-year period many changes can occur in the assets and their exposure to the risk.
upvoted 1 times
041ba31
11 months, 2 weeks ago
Selected Answer: C
The best answer is C. A risk assessment. A risk assessment will help the CISO determine the current state of the organization's security posture, identify gaps, and evaluate the feasibility of achieving the outlined goals within the five-year plan.
upvoted 4 times
armid
10 months ago
So he knows very specifically (73, 89: those don't look to me like rough estimations) what percentage of assets have vulnerabilities (hence he knows what assets he has and which ones are vulnerable), meaning he already has A and he already did C (or B). That leaves D. On top of that, this is exactly what CMMI is for xD
upvoted 1 times
e020fdc
1 year, 2 months ago
Selected Answer: D
https://support.isaca.org/s/article/What-is-the-CMMI-Cybermaturity-Platform-1598331743391
upvoted 1 times
ElDirec
1 year, 3 months ago
Selected Answer: C
C. A risk assessment would BEST aid the CISO in determining whether these goals are obtainable. A risk assessment involves identifying, evaluating, and prioritizing risks. This process can help the CISO understand the current security posture of the organization, identify gaps or areas of concern, and determine the feasibility of the outlined goals. It can provide valuable insights into whether the goals are realistic given the organization's current situation and resources. While the other options (an asset inventory, a third-party audit, an organizational CMMI) can provide useful information and contribute to the overall security strategy, they do not directly address the question of whether the specific goals outlined by the CISO are obtainable.
upvoted 4 times
OdinAtlasSteel
1 year, 5 months ago
Selected Answer: C
Implementing an Organizational Capability Maturity Model Integration (CMMI) could indeed aid the CISO in understanding the organization's process maturity and efficiency. However, when considering the specific goals outlined by the CISO for the five-year plan, a risk assessment (option C) would likely be the more directly relevant and effective approach to determine the feasibility of achieving those goals. The Capability Maturity Model Integration (CMMI) generally focuses on assessing and improving an organization's processes and practices. While it can provide valuable insights into process maturity and efficiency, it may not directly address the specific security objectives outlined in the plan, such as reducing phishing click rates, deploying EDR, ensuring log collection for SIEM, or reducing system vulnerabilities.
upvoted 3 times
ElDirec
1 year, 3 months ago
I want to believe this, but I googled "COMPTIA CMMI" and could not find anything that hints this is what COMPTIA expects
upvoted 1 times
wizwiz
1 year, 5 months ago
Selected Answer: D
Option D. An organizational Capability Maturity Model Integration (CMMI) would best aid the CISO in determining whether these goals are obtainable. The CMMI is a process and behavioral model that helps organizations streamline process improvement and encourage behaviors that lead to improved performance. By assessing the maturity of the organization’s processes and practices, the CMMI can help determine the feasibility of the CISO’s goals. It can identify strengths and weaknesses in the current approach, and suggest areas for improvement that would increase the likelihood of achieving the outlined goals. While the other options (asset inventory, third-party audit, risk assessment) can provide valuable information and may be part of the overall strategy, they do not provide the comprehensive view of organizational capabilities offered by the CMMI.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other