
CAS-001 · Question #64

CAS-001 Question #64: Real Exam Question with Answer & Explanation

The correct answer is C: Audit successful and failed events, transfer logs to a centralized server, institute computer assisted. A correct continuous monitoring strategy audits both successful and failed events, transfers logs to a centralized server continuously, and uses computer-assisted audit reduction rather than manual methods or infrequent log transfers.

Question

Which of the following implementations of a continuous monitoring risk mitigation strategy is correct?

Options

  • A. Audit successful and failed events, transfer logs to a centralized server, institute computer assisted
  • B. Audit successful and critical failed events, transfer logs to a centralized server once a month, tailor
  • C. Audit successful and failed events, transfer logs to a centralized server, institute computer assisted
  • D. Audit failed events only, transfer logs to a centralized server, implement manual audit reduction, tailor

Explanation

A correct continuous monitoring strategy audits both successful and failed events, transfers logs to a centralized server continuously, and uses computer-assisted audit reduction rather than manual methods or infrequent log transfers.

Common mistakes.

  • A. Option A diverges from the correct implementation in a specific configuration detail visible in the full text of the choice, making it a subtly incomplete or incorrect continuous monitoring implementation.
  • B. Transferring logs only once a month directly violates the 'continuous' requirement and creates unacceptable detection gaps, making near-real-time incident response impossible.
  • D. Auditing only failed events misses successful but unauthorized actions such as privilege misuse or insider data exfiltration, and manual audit reduction cannot scale to meet continuous monitoring requirements.

Concept tested. Continuous monitoring log auditing strategy and centralization.

Reference. https://csrc.nist.gov/publications/detail/sp/800-137/final
