Chapter 4. Risk Metric Scenarios to Secure the Enterprise

This chapter covers the following topics:

This chapter covers CAS-003 objective 1.4.

Securing an enterprise is very important. Security should be a top priority for any organization, but often it can be difficult to convince senior management to provide the funds for the security endeavors you wish to use. As a security professional, you need to provide justification for any security technologies and controls that you want to implement. In securing the enterprise, security professionals must do the following:

  • Review the effectiveness of existing security controls.

  • Reverse engineer/deconstruct existing solutions.

  • Create, collect, and analyze metrics.

  • Prototype and test multiple solutions.

  • Create benchmarks and compare them to baselines.

  • Analyze and interpret trend data to anticipate cyber defense needs.

  • Analyze security solution metrics and attributes to ensure that they meet business needs.

  • Use judgment to solve problems where the most secure solution is not feasible.

Review Effectiveness of Existing Security Controls

Organizations should periodically review the effectiveness of existing security controls. Security professionals should review all aspects of security, including security training, device configuration (router, firewall, IDS, IPS, and so on), and policies and procedures. They should also perform vulnerability tests and penetration tests. These reviews should be performed at least annually.

A review of the effectiveness of security controls should include answering the following questions:

  • Which security controls are we using?

  • How can these controls be improved?

  • Are these controls necessary?

  • Have any new issues arisen?

  • Which security controls can be deployed to address the new issues?

To aid in the review of existing security controls, security administrators should perform a gap analysis and document the lessons learned in an after-action report.

Gap Analysis

An information security gap analysis compares an organization’s security program to overall best security practices. By comparing these best practices to actual practices, security professionals can determine where vulnerabilities and risks are lurking.

An information security gap analysis includes the following four steps:


Step 1. Select an industry standard framework. Common frameworks that can be used include ISO/IEC 27002:2013 and NIST’s Cybersecurity Framework (CSF), covered in Chapter 3, “Risk Mitigation Strategies and Controls.”

Step 2. Evaluate people and processes. Gather data on the organization’s IT environment, application inventory, organizational charts, policies and processes, and other relevant details.

Step 3. Gather data and technology. This step helps an organization understand how well the current security program operates within the technical architecture. This includes comparing best practice controls or relevant requirements against the organizational controls; sampling network devices, servers, and applications to validate gaps and weaknesses; reviewing automated security controls; and reviewing incident response processes, communications protocols, and log files.

Step 4. Analyze the data gathered. This step involves using the data gathered to perform an in-depth analysis of the organization’s security program and then correlating the findings and results across all factors to create a clear and concise picture of the organization’s IT security profile, including strengths and areas for improvement.

Conducting a gap analysis is a detailed, in-depth process that requires a thorough knowledge of security best practices and extensive knowledge of security risks, controls, and operational issues. Performing a gap analysis does not guarantee 100% security, but it goes a long way toward ensuring that the organization’s network, staff, and security controls are robust, effective, and cost-efficient.

Lessons Learned and After-Action Reports

When any issue arises and is addressed, security professionals are usually focused on resolving the issue, deploying a new security control, or improving an existing security control. But once the initial crisis is over, the lessons-learned/after-action review should be filed. In this report, personnel document the issue details, the cause of the issue, why the issue occurred, possible ways to prevent the issue in the future, and suggestions for improvement in case the issue occurs again. Any person who had a hand in detecting or resolving the issue should be involved in the creation of the review. Reviews should be held as close to the resolution of the issue as possible because details are often forgotten with the passage of time.

When developing the formal review document, it is best to structure the review to follow the incident chronologically. The review should document as many facts as possible about the incident. Keep in mind that lessons-learned/after-action reviews also work well for any major organizational project, including operating system upgrades, new server deployments, firewall upgrades, and so on.

Reverse Engineer/Deconstruct Existing Solutions

The security solutions that an organization deploys are only good until a hacker determines how to break or bypass a control. As a result, it is vital that a security professional think like a hacker and reverse engineer or deconstruct the existing security solutions. As a security professional, you should examine each security solution separately. When you look at each solution, you should determine what the security solution does, which system the security solution is designed to protect, how the solution impacts the enterprise, and what the security solution reveals about itself. Keep in mind that through reverse engineering, you attempt to discover as much about your organization as possible to find a way to break into the enterprise.


Remember that you need to analyze technical and physical controls. Security professionals often fail to think about physical access to the building. But keep in mind that physical security controls are just as important as any other controls. It does not matter how many security controls you implement if an attacker can enter your building and connect a rogue access point or protocol analyzer to the enterprise.

Creation, Collection, and Analysis of Metrics

Metrics should be monitored consistently. In addition, metrics should be analyzed soon after they are collected to see if any adjustments need to be made. Proper metric creation, collection, and analysis will allow an organization to project future needs well before a problem arises.

The chief security officer (CSO) or other designated high-level manager prepares the organization’s security budget, determines the security metrics, and reports on the effectiveness of the security program. This officer must work with subject matter experts (SMEs) to ensure that all security costs are accounted for, including development, testing, implementation, maintenance, personnel, and equipment. The budgeting process requires an examination of all risks and ensures that security projects with the best cost/benefit ratio are implemented. Projects that take longer than 12 to 18 months are long term and strategic and require more resources and funding.

Security metrics provide information on both short- and long-term trends. By collecting these metrics and comparing them on a day-to-day basis, a security professional can determine the daily workload. When the metrics are compared over a longer period of time, the trends that occur can help shape future security projects and budgets. Procedures should state who will collect the metrics, which metrics will be collected, when the metrics will be collected, and what thresholds will trigger corrective actions. Security professionals should consult with the information security governance frameworks, particularly ISO/IEC 27004 and NIST 800-55, for help in establishing metrics guidelines and procedures.

But metrics are not just used in a live environment. You can also implement a virtual environment to simulate the live environment to test the effects of security controls through simulated data. Then you can use the simulated data to determine whether to implement the security controls in the live environment.

For example, say that a security administrator is trying to develop a body of knowledge to enable heuristic- and behavior-based security event monitoring of activities on a global network. Instrumentation is chosen to allow for monitoring and measuring of the network. The best methodology to use in establishing this baseline is to model the network in a series of virtual machines (VMs), implement the systems to record comprehensive metrics, run a large volume of simulated data through the model, record and analyze results, and document expected future behavior. Using this comprehensive method, the security administrator would be able to determine how the new monitoring would perform.

Although the security team should analyze metrics daily, periodic analysis of the metrics by a third party can ensure the integrity and effectiveness of the security metrics by verifying the internal team’s results. The organization should then use data from the third party to improve the security program and security metrics process.

Key performance indicators (KPIs) and key risk indicators (KRIs) are the two types of metrics that are created, collected, and analyzed. The Information Security Forum (ISF) recommends the following 14-step approach to KPIs and KRIs to support informed decision making:

Step 1. Understand the business context.

Step 2. Identify audiences and collaborators.

Step 3. Determine common interests.

Step 4. Identify the key information security priorities.

Step 5. Design KPI/KRI combinations.

Step 6. Test and confirm KPI/KRI combinations.

Step 7. Gather data.

Step 8. Produce and calibrate KPI/KRI combinations.

Step 9. Interpret KPI/KRI combinations to develop insights.

Step 10. Agree to conclusions, proposals, and recommendations.

Step 11. Produce reports and presentations.

Step 12. Prepare to present and distribute reports.

Step 13. Present and agree on next steps.

Step 14. Develop learning and improvement plans.

Based on this approach, security professionals must guide their organization into monitoring KPIs and KRIs. A performance indicator is a metric that informs how your business is doing. It tells you what to do and what action to take. Metrics are derived from measures, which are observed values at a point in time. Whereas measures are raw numbers and data points, metrics are ratios, averages, percentages, or rates derived from the measures.

Understanding the difference between KPIs and KRIs is vital.



KPIs track things that directly relate to specific actions or activities—not the final result. Profit, costs, and number of accounts should not be used as KPIs. They result from many activities, so they do not identify particular actions to take. KPIs that organizations need to capture include:

  • Increase or decrease in reported incidents

  • Number of large and small security incidents

  • Cost per incident

  • Amount of time for incident resolution

  • Downtime during an incident

Let’s look at an example. Suppose an organization’s IT department reported a significant decrease in reported incidents over the past quarter. Some questions that management may need to look into include:

  • Were new security controls put into place during the quarter that possibly caused this significant decrease?

  • Was there an actual decrease in incidents or just failure to discover or report incidents?

  • What are the operational differences (for example, system upgrades, new tools, heavily attacked systems that have been patched, removed, or replaced) between the last quarterly report and this quarterly report?



KRIs are used in management to indicate how risky an activity is or how likely a risk is to occur. Organizations use them as early signals that particular risks may occur. KRIs that organizations need to capture include:

  • Acceleration of high-severity events: Are more severe events showing up on your systems in a shorter amount of time?

  • Handle time: How long does it take you to identify a threat-pattern change and eliminate the cause of that threat?

  • Attack surface area: How many hosts are involved in a security event? How many hosts are included in an attack?

Let’s look at an example. Suppose an organization is worried that its security awareness training is poor. A KRI for this is to examine the pass/fail metrics for the security awareness training. If there is a high failure rate, the organization needs to improve its training procedures—specifically the time spent on training per year and the employee engagement index for the training. Less time spent training and less training provided to employees will directly impact the pass/fail rate for the security awareness training. In this situation, the organization may decide to require more security awareness training for personnel.

Prototype and Test Multiple Solutions

Once a security professional determines that there is a definite problem with a device or technology, that person should select possible solutions to the problem. The solutions may include hardware upgrades, new device or technology purchases, and settings changes. Then the security professional should perform solutions prototyping or testing. Preferably any prototyping or testing should be completed in a lab environment to determine the effect that any deployed solution will have. Prototypes also help ensure that the organization is satisfied with the tested solutions before they are released into production.

Virtualization technologies have provided a great means for prototyping or testing solutions in a simulated “live” environment. Make sure that any testing is performed in isolation, without implementing any of the other solutions, to make sure that the effects of that single solution are fully understood. When you understand the effects of each solution, you can then prototype or test multiple solutions together to determine whether it is better to implement multiple solutions to your enterprise’s problem.

Let’s look at an example. Suppose you discover that a web server is having performance issues. One solution that is considered is deploying a second web server and including both servers in a load-balancing environment. Another solution could be to upgrade the hard drive and memory in the affected server. Of course, an even better solution is to upgrade the original web server, deploy a second web server, and include both servers in a load-balancing environment. However, budget constraints usually prevent the deployment of more than one solution. Testing may reveal that the hardware upgrade to the web server is enough. As the cheaper solution, a hardware upgrade may be the best short-term solution until the budget becomes available to deploy a second web server.

Once you have prototyped or tested the solution in the lab environment and narrowed down the solution choices, you can test the solution in the live environment. Keep in mind that it is usually best to implement such solutions during low-traffic periods. Always perform a full backup on the device that you are updating before performing the updates.

Create Benchmarks and Compare to Baselines


A baseline is a reference point that is defined and captured to be used as a future reference. While capturing baselines is important, using baselines to assess the security state is just as important. Even the most comprehensive baselines are useless if they are never used.


Baselines alone, however, cannot help you if you do not have current benchmarks for comparison. A benchmark, which is a point of reference later used for comparison, captures the same data as a baseline and can even be used as a new baseline should the need arise. A benchmark is compared to the baseline to determine whether any security or performance issues exist. Also, security professionals should keep in mind that monitoring performance and capturing baselines and benchmarks will affect the performance of the systems being monitored.

Capturing both a baseline and a benchmark at the appropriate time is important. Baselines should be captured when a system is properly configured and fully updated. Also, baselines should be assessed over a longer period of time, such as a week or a month rather than just a day or an hour. When updates occur, new baselines should be captured and compared to the previous baselines. At that time, adopting new baselines on the most recent data might be necessary.

Let’s look at an example. Suppose that your company’s security and performance network has a baseline for each day of the week. When the baselines were first captured, you noticed that much more authentication occurs on Thursdays than on any other day of the week. You were concerned about this until you discovered that members of the sales team work remotely on all days but Thursday and rarely log in to the authentication system when they are not working in the office. For their remote work, members of the sales team use their laptops and log in to the VPN only when remotely submitting orders. On Thursday, the entire sales team comes into the office and works on local computers, ensuring that orders are being processed and fulfilled as needed. The spike in authentication traffic on Thursday is fully explained by the sales team’s visit. On the other hand, if you later notice a spike in VPN traffic on Thursdays, you should be concerned because the sales team is working in the office on Thursdays and will not be using the VPN.

For software developers, understanding baselines and benchmarks also involves understanding thresholds, which ensure that security issues do not progress beyond a configured level. If software developers must develop measures to notify system administrators prior to a security incident occurring, the best method is to configure the software to send an alert, alarm, or email message when specific incidents pass the threshold.

Security professionals should capture baselines over different times of day and days of the week to ensure that they can properly recognize when possible issues occur. In addition, security professionals should ensure that they are comparing benchmarks to the appropriate baseline. Comparing a benchmark from a Monday at 9 a.m. to a baseline from a Saturday at 9 a.m. may not allow you to properly assess the situation. Once you identify problem areas, you should develop a possible solution to any issue that you discover.

Analyze and Interpret Trend Data to Anticipate Cyber Defense Needs

An important step in securing an enterprise is analyzing and interpreting trend data to anticipate cyber defense needs. Using the trend data, security professionals should be able to anticipate where and when defenses might need to be increased.

Let’s look at an example. Suppose you notice over time that user accounts are being locked out at an increasing rate. Several of the users report that they are not responsible for locking out their accounts. After reviewing the server and audit logs, you suspect that a hacker has obtained a list of the user account names. In addition, you discover that the attacker is attempting to repeatedly connect from the same IP or MAC address. After analysis is complete, you may want to configure the firewall that protects your network to deny any connections from the attacker’s IP or MAC address. Another possible security step would be to change all usernames. However, changing user account names might have possible repercussions on other services, such as email. As a result, the organization may be willing to overlook the fact that an attacker might possibly know all user account names.

Now let’s look at a more complex example. Suppose that a security administrator has noticed a range of network problems affecting the proxy server. While reviewing the logs, the administrator notices that the firewall is being targeted with various web attacks at the same time that the network problems are occurring. The most effective way to conduct an in-depth problem assessment and remediation would be to deploy a protocol analyzer on the switch span port, adjust the external-facing IPS, reconfigure the firewall ACLs to block unnecessary ports, verify that the proxy server is configured correctly and hardened, and continue to monitor the network.

Documenting any trends is vital to ensuring that an organization deploys the appropriate security controls before any trends become real problems. In addition, documenting these trends can ensure that you anticipate resource needs before they reach a critical stage. For example, if you notice that web server traffic is increasing each month at a certain rate, you can anticipate the upgrade needs before the traffic increases to the point where the server becomes obsolete and cannot handle the client requests.

Analyze Security Solution Metrics and Attributes to Ensure They Meet Business Needs

Security solutions are deployed to protect an organization. When security professionals deploy security solutions, they must identify a specific business need that is being fulfilled by a solution. The primary business needs that you need to understand for the CASP exam are performance, latency, scalability, capability, usability, maintainability, availability, recoverability, and cost/benefit analysis.



Performance is the manner in which or the efficiency with which a device or technology reacts or fulfills its intended purpose. An organization should determine the performance level that should be maintained on each device and on the enterprise as a whole. Any security solutions that are deployed should satisfy the established performance requirements. Performance requirements should take into account the current requirements as well as any future requirements. For example, if an organization needs to deploy an authentication server, the solution that it selects should satisfy the current authentication needs of the enterprise as well as any authentication needs for the next few years. Deploying a solution that provides even better performance than needed will ensure that the solution can be used a bit longer than originally anticipated.



Latency is the delay typically incurred in the processing of network data. A low-latency network connection is one that generally experiences short delay times, while a high-latency connection generally suffers from long delays. Many security solutions may negatively affect latency. For example, routers take a certain amount of time to process and forward any communication. Configuring additional rules on a router generally increases latency, thereby resulting in longer delays. An organization may decide not to deploy certain security solutions because of the negative effects they will have in terms of network latency.

Auditing is a great example of a security solution that affects latency and performance. When auditing is configured, it records certain actions as they occur. The recording of these actions may affect the latency and performance.



Scalability is a characteristic of a device or security solution that describes its capability to cope and perform under an increased or expanding workload. Scalability is generally defined by time factors. Accessing current and future needs is important in determining scalability. Scalability can also refer to a system’s ability to grow as needs grow. A scalable system can be expanded, load balanced, or clustered to increase performance.

Let’s look at an example. Suppose an organization needs to deploy a new web server. A systems administrator locates an older system that can be reconfigured to be deployed as the new web server. After assessing the needs of the organization, it is determined that the web server will serve the current needs of the organization. However, it will not be able to serve the anticipated needs in six months. Upgrading the server to increase scalability may be an option if the costs for the upgrade are not too high. The upgrade costs and new scalability value should be compared to the cost and scalability of a brand-new system.



The capability of a solution is the action that the solution is able to perform. For example, an intrusion detection system (IDS) detects intrusions, whereas an intrusion prevention system (IPS) prevents intrusions. The method by which a solution goes about performing its duties should be understood, as should any solution capabilities that the organization does not need. Often security solutions provide additional capabilities at an increased price.



Usability means making a security solution or device easier to use and matching the solution or device more closely to organizational needs and requirements. Ensuring that organizational staff can deploy and maintain a new security solution is vital. Any staff training costs must be added to the costs of the solution itself when determining return on investment (ROI) and total cost of ownership (TCO). Even the best of security solutions may be removed as possibilities because of their usability.



Maintainability is how often a security solution or device must be updated and how long the updates take. This includes installing patches, cleaning out logs, and upgrading the applications. When considering maintainability, an organization should ensure that it understands how much maintenance is required, how long the maintenance takes, and how often maintenance usually occurs. Maintenance considerations should also include any future anticipated updates.



Availability is the amount or percentage of time a computer system is available for use. When determining availability, the following terms are often used: maximum tolerable downtime (MTD), mean time to repair (MTTR), and mean time between failures (MTBF). These terms are defined in Chapter 3.

For the CASP exam, you need to be able to recognize when new devices or technologies are being implemented to increase data availability. Let’s look at an example. Suppose a small company is hosting multiple virtualized client servers on a single host. The company is considering adding a new host to create a cluster. The new host hardware and operating system will be different from those of the first host, but the underlying virtualization technology will be compatible. Both hosts will be connected to a shared iSCSI storage solution. The iSCSI storage solution will increase customer data availability.

Availability is best determined by looking at the component within the security solution that is most likely to fail. Knowing how long a solution can be down, how long it will take to repair, and the amount of time between failures are all important components in determining availability.



Recoverability is the probability that a failed security solution or device can be restored to its normal operable state within a given time frame, using the prescribed practices and procedures. When determining recoverability, the following terms are often used: recovery time objective (RTO), work recovery time (WRT), and recovery point objective (RPO). These terms are defined in Chapter 3.

Recoverability is best determined by researching the actions that will need to be taken if a partial or full recovery of the security solution or device is required. Knowing how long the recovery will take is an important component when choosing between different security solutions or devices.

Cost/Benefit Analysis

A cost/benefit analysis is performed before deploying any security solutions to the enterprise. This type of analysis compares the costs of deploying a particular solution to the benefits that will be gained from its deployment. For the most part, an enterprise should deploy a solution only if the benefits of deploying the solution outweigh the costs of the deployment.

For the CASP exam, you need to understand ROI and TCO, which are discussed in the next sections.


Return on investment (ROI) refers to the money gained or lost after an organization makes an investment. ROI is a necessary metric for evaluating security investments.

For more information on ROI, refer to Chapter 3.


Total cost of ownership (TCO) measures the overall costs associated with securing the organization, including insurance premiums, finance costs, administrative costs, and any losses incurred. This value should be compared to the overall company revenues and asset base.

For more information on TCO, refer to Chapter 3.

Use Judgment to Solve Problems Where the Most Secure Solution Is Not Feasible

As a security professional, you will often be asked your opinion. In such cases, there is often really no true right or wrong answer, and you will have to use your judgment to solve difficult problems where the most secure solution is not feasible or that do not have a best solution. When this occurs, the best thing you can do is to do research. Use all the tools available to you to learn about the problem, including accessing vendor websites, polling your peers, and obtaining comparison reports from third parties.

Understanding the reason the most secure solution is not feasible will often help guide you to selecting another solution. The most secure solution may not be feasible due to cost, time line, or scope constraints. No matter the constraint, security professionals must help come up with solutions to mitigate the issue.

As you progress in your experience and knowledge, you will be better able to make these judgments based on this experience and knowledge while still relying on some research. Information is the key to making good decisions. Ask questions and get answers. Then weigh each of your answers to analyze any solutions you have researched. Ultimately, you will have to make a decision and live with it. But making an educated decision is always the best solution!

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple choices for exam preparation: the exercises here and the practice exams in the Pearson IT Certification test engine.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 4-1 lists these key topics and the page number on which each is found.


Table 4-1 Key Topics for Chapter 4

Key Topic Element


Page Number


Security control effectiveness



Gap analysis steps















Performance attribute



Latency attribute



Scalability attribute



Capability attribute



Usability attribute



Maintainability attribute



Availability attribute



Recoverability attribute








Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:




cost/benefit analysis

gap analysis

key performance indicator (KPI)

key risk indicator (KRI)





return on investment (ROI)


total cost of ownership (TCO)



Review Questions

1. Your organization is in the process of upgrading the hardware in several servers. You need to ensure that you have captured the appropriate metrics. Which steps should you take?

  • Capture benchmarks for all the upgraded servers. Compare these benchmarks to the old baselines. Replace the old baselines using the new benchmarks for any values that have changed.

  • Capture baselines for all the upgraded servers. Compare these baselines to the old benchmarks. Replace the old benchmarks using the new baselines for any values that have changed.

  • Capture benchmarks for all the upgraded servers. Compare these benchmarks to the old thresholds. Replace the old thresholds using the new benchmarks for any values that have changed.

  • Capture baselines for all the upgraded servers. Compare these baselines to the old thresholds. Replace the old thresholds using the new baselines for any values that have changed.

2. After analyzing a successful attack against several of your organization’s servers, you come up with five possible solutions that could prevent the type of attack that occurred. You need to implement the solution that will provide the best protection against this attack while minimizing the impact on the servers’ performance. You decide to test the solutions in your organization’s virtual lab. What should you do?

  • Implement all five solutions in the virtual lab and collect metrics on the servers’ performance. Run a simulation for the attack in the virtual lab. Choose which solutions to implement based on the metrics collected.

  • Implement the solutions one at a time in the virtual lab. Run a simulation for the attack in the virtual lab. Collect metrics on the servers’ performance. Roll back each solution and implement the next solution, repeating the process for each solution. Choose which solutions to implement based on the metrics collected.

  • Implement all five solutions in the virtual lab. Run a simulation for the attack in the virtual lab. Collect metrics on the servers’ performance. Choose which solutions to implement based on the metrics collected.

  • Implement each solution one at a time in the virtual lab and collect metrics on the servers’ performance. Run a simulation for the attack in the virtual lab. Roll back each solution and implement the next solution, repeating the process for each solution. Choose which solutions to implement based on the metrics collected.

3. Your organization wants to deploy a new security control on its network. However, management has requested that you provide information on whether the security control will add value to the organization after its deployment. What should you do to provide this information to management?

  • Deploy the security control and collect the appropriate metrics for reporting to management.

  • Deploy the security control and create baselines for reporting to management.

  • Perform a cost/benefit analysis for the new security control.

  • Prototype the new solution in a lab environment and provide the prototype results to management.

4. Your organization has established a new security metrics policy to be more proactive in its security measures. As part of the policy, you have been tasked with collecting and comparing metrics on a day-to-day basis. Which of the following are you performing?

  • thresholds

  • trends

  • baselines

  • daily workloads

5. Your organization has recently hired a new chief security officer (CSO). One of his first efforts is to implement a network trends collection policy. Which statement best defines the purpose of this policy?

  • to anticipate where and when defenses might need to be changed

  • to determine the security thresholds

  • to determine the benefits of implementing security controls

  • to test security controls that you want to deploy

6. You are the security analyst for your enterprise. You have been asked to analyze the efficiency of the security controls implemented on the enterprise. Which attribute will you be analyzing?

  • latency

  • performance

  • scalability

  • capability

7. You are the security analyst for your enterprise. You have been asked to make several security controls easier to implement and manage. Which attribute will you be addressing?

  • maintainability

  • availability

  • usability

  • recoverability

8. After a recent attack, senior management at your organization asked for a thorough analysis of the attack. Security professionals provided the results of the analysis to senior management, and then requests were made to the IT department on several new security controls that should be deployed. One of the controls was deployed, and now the network is experiencing higher latency. What should you do?

  • Do nothing. High latency is desirable.

  • Remove the new security control.

  • Edit the security control to increase the latency.

  • Report the issue to senior management to find out if the higher latency value is acceptable.

9. Recently, you created several security benchmarks and compared them to your security baselines. Then you performed a trend analysis and determined that several new security controls needed to be deployed. After testing the new security controls, you decided to implement only two of the proposed controls. Once the security controls were deployed, you analyzed the controls to ensure that the business needs were met. What should you do now?

  • Create a lessons-learned report.

  • Perform a cost/benefit analysis.

  • Determine ROI on the new controls.

  • Determine the TCO on the new controls.

10. As a security analyst for your organization, you have implemented several new security controls. Management requests that you analyze the availability of several devices and provide them with the appropriate metrics. Which metrics should you provide?

  • ROI and TCO

  • MTTR and MTBF

  • WRT and RPO

  • baselines and benchmarks

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.