Which of the following BEST meets the needs of the board?

The Chief Information Officer (CIO) has been asked to develop a security dashboard with the relevant metrics. The board of directors will use the dashboard to monitor and track the overall security posture of the organization. The CIO produces a basic report containing both KPI and KRI data in two separate sections for the board to review.
Which of the following BEST meets the needs of the board?
A.
KRI:
– Compliance with regulations
– Backlog of unresolved security investigations
– Severity of threats and vulnerabilities reported by sensors
– Time to patch critical issues on a monthly basis
KPI:
– Time to resolve open security items
– % of suppliers with approved security control frameworks
– EDR coverage across the fleet
– Threat landscape rating

B.
KRI:
– EDR coverage across the fleet
– Backlog of unresolved security investigations
– Time to patch critical issues on a monthly basis
– Threat landscape rating
KPI:
– Time to resolve open security items
– Compliance with regulations
– % of suppliers with approved security control frameworks
– Severity of threats and vulnerabilities reported by sensors

C.
KRI:
– EDR coverage across the fleet
– % of suppliers with approved security control framework
– Backlog of unresolved security investigations
– Threat landscape rating
KPI:
– Time to resolve open security items
– Compliance with regulations
– Time to patch critical issues on a monthly basis
– Severity of threats and vulnerabilities reported by sensors

D.
KPI:
– Compliance with regulations
– % of suppliers with approved security control frameworks
– Severity of threats and vulnerabilities reported by sensors
– Threat landscape rating
KRI:
– Time to resolve open security items
– Backlog of unresolved security investigations
– EDR coverage across the fleet
– Time to patch critical issues on a monthly basis



12 thoughts on “Which of the following BEST meets the needs of the board?”

  1. Good remarks by everyone, but you can’t assume that this was a typo in the answer D. It is what it shows it is, and as you all stated, “EDR coverage across the fleet” is a KPI metric, and not KRI, which effectively eliminates D.

    You all keep saying that “time to patch critical issues on a monthly basis” is a KPI, but it is not. The key word is “critical” – the all-in-one exam guide by Nicholas Lane, pages 128-129, clearly states that the percentage of critical systems missing patches is a KRI while patch latency is a KPI – you can’t just say oh, quantifiable metrics, it does not work like that. This is not a black-and-white kind of deal, this is that grey area; for god’s sake, this is a risk management question, it’s never straightforward.

    I am confident that an A is the answer.

  2. Problem is, since you are always working towards eliminating as much risk as you practically can, the same item might seem like both a KPI and KRI. For example: a company wants “compliance with regulations” to be 100%. So if compliance is 50%, that tells the company their performance in that regard. Or another way to look at it: there is at 50% risk of being out of compliance.

    If “compliance with regulations” is 90%, up from 70%, I would say that shows good performance. On the other hand, if “compliance with regulations” is only 60%, down from 70%, I would say that is a key risk factor.

  3. What is problematic in your answers is the fact that D switches the KRI and KPI. Notice that KPI is first vice the other answers. Is this an error or not?? Consequently, Compliance with regulations is a KPI in D, not a KRI. I am good with D if they are not switched.

  4. Per CASP+ All-in-One (pg. 128-129):

    KPI – Are quantifiable metrics used to evaluate the success of technologies, process or people meeting an organization’s performance goals.

    KRI – Measure the amount of risk an activity brings to an organization… Are certain activities indicating that increased risk exposures are happening, or likely to happen?

    “If you are confused about the difference between KPIs and KRIs, think of KPIs as a measure of how well things are going now whereas KRIs can help measure how badly things might turn out.”

    Formatting on this question is trash, but I agree with Halfkal.

  5. I totally agree with Halfkal, my concern now is: what do I have to respond in the CASP+ exam? D or A? To sum up, are these PassLeader answers the same we’ll have in the official exam? Does CASP+ have incorrect answers?


  6. Halfkal – I don’t like it. I totally respect your logic and approach – KUDOS! However this question sucks and I can’t seem to come up with the same set of KPI / KRIs that you’ve come out with. It’s all fuzzy math to me. No matter how I shake it – I can’t make it work any other way.

    Your solution makes the most sense – tipping my hat to you – sir.

  7. it’s D

    KRI is Key Risk Indicators and KPI is Key Performance Indicators
    Time to resolve open security items – time taken is a performance indicator
    Backlog of unresolved security investigations – Backlogs shows performance
    EDR coverage across the fleet – Which monitors operating conditions which is a performance indicator
    Time to patch critical issues on monthly basis – Time indicates performance
    Compliance with regulations – Not in compliance is a risk factor
    % of suppliers with approved security control frameworks – Shows how many suppliers are with security frameworks
    Severity of threats and vulnerabilities reported by sensors – Indicates severity of attacks
    Threat landscape rating – Provides the overview of threats and their trends

    1. D makes no sense to me with what you said lol – This is a crappy question
      Time to resolve open security items – Is KRI in D
      Backlog of unresolved security investigations – Is KRI in D
      EDR coverage across the fleet – Is KRI in D
      Time to patch critical issues on monthly basis – Is KRI in D

      Compliance with regulations – Is KPI in D
      % of suppliers with approved security control frameworks – Is KPI in D
      Severity of threats and vulnerabilities reported by sensors – Is KPI in D
      Threat landscape rating – Is KPI in D

  8. It is C.
    EDR coverage across the fleet
    % of suppliers with approved security control framework
    Backlog of unresolved security investigations
    Threat landscape rating
    Time to resolve open security items
    Compliance with regulations
    Time to patch critical issues on a monthly basis
    Severity of threats and vulnerabilities reported by sensors

  9. KRI: Key Risk Indicators. What is your current posture and how bad can things go. i.e. MTBF and MTTR, patches missing, etc.
    KPI: Key Performance Indicators. Incidence Response Time, number of missing devices, passwords cracked, etc. Specifically, “most effective … when they are presented GRAPHICALLY”. How well are things going now

    With the above in mind, we are looking for KPI given the question. Take note of the formatting issue, all answers contain both KPI and KRI. Also, option D is incorrectly entered. It should read:
    Compliance with regulations
    % of suppliers with approved security control frameworks
    Severity of threats and vulnerabilities reported by sensors
    Threat landscape rating
    Time to resolve open security items
    Backlog of unresolved security investigations
    EDR coverage across the fleet
    Time to patch critical issues on a monthly basis

    In all, we are given 8 distinct metrics as follows, and one needs to determine which they fall under: KRI or KPI:
    Compliance with regulations – KRI
    Backlog of unresolved security investigations – KPI
    Severity of threats and vulnerabilities reported by sensors – KRI
    Time to patch critical issues on a monthly basis – KPI
    Time to resolve open security items – KPI
    % of suppliers with approved security control frameworks – KRI
    EDR coverage across the fleet – KPI
    Threat landscape rating – KRI

    With that in mind, D is indeed the correct answer.

    A doesn’t work because a backlog of unresolved security investigations is a quantifiable metric used towards evaluating the success of processes towards performance goals. Additionally, Time to patch is very much a KPI.

    B is incorrect; once again, Time to patch will be a KPI and % of suppliers… is a KRI.

    C is incorrect, Compliance with regulations is a KRI.

    Thus D is perfect for this.

    Additional note, KRI measures the amount of risk an activity brings to an organization, hence, it doesn’t measure past performance it measures the risk factors of what can lead to KPIs in the future.
