(ISC)2
CGRC Question #313: Real Exam Question with Answer & Explanation
The correct answer is B: After the initial system security authorization.
Compliance Maintenance
Question
When does monitoring of security controls take place?
Options
- A. Before the initial system certification
- B. After the initial system security authorization
- C. Before and after the initial system security accreditation
- D. During the system design phase
Explanation
Continuous monitoring of security controls is an ongoing process that begins once a system has received its initial security authorization (the authorization to operate). In the NIST Risk Management Framework (SP 800-37), the Monitor step follows the Authorize step: after the authorizing official accepts the residual risk, the organization monitors the implemented controls, the system, and its environment on an ongoing basis to confirm that the controls remain effective and that the risk posture has not changed. Note that the older terms "certification" and "accreditation" used in some of the options correspond to what the current RMF calls security control assessment and authorization.
Common mistakes.
- A. Before the initial certification (assessment), controls are assessed for effectiveness as a one-time activity, but continuous monitoring is a post-certification, post-authorization activity.
- C. Assessment happens before accreditation (authorization), but ongoing monitoring of implemented controls is primarily a post-authorization activity, so "before and after" misstates when continuous monitoring occurs.
- D. During the system design phase, security requirements are defined and controls are selected and designed; there are no implemented controls to monitor yet, so monitoring occurs in later lifecycle phases.
Concept tested. Timing of security control monitoring
Reference. https://csrc.nist.gov/glossary/term/continuous-monitoring
Topics
Continuous Monitoring, System Authorization, Security Control Lifecycle, Risk Management Framework