CISSP · Question #1422
Which of the following is established to collect information Se eee ee ee nation readily available in part through implemented security controls?
The correct answer is C. Information Security Continuous Monitoring (ISCM). Information Security Continuous Monitoring (ISCM) is a program established to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions, leveraging data made available through implemented security controls
Question
Options
- ASecurity Assessment Report (SAR)
- BOrganizational risk tolerance
- CInformation Security Continuous Monitoring (ISCM)
- DRisk assessment report
How the community answered
(32 responses)- A3% (1)
- C94% (30)
- D3% (1)
Why each option
Information Security Continuous Monitoring (ISCM) is a program established to maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions, leveraging data made available through implemented security controls.
A Security Assessment Report (SAR) is a point-in-time document produced after a formal security assessment, not an ongoing program established to continuously collect security information from implemented controls.
Organizational risk tolerance is a defined threshold or policy position indicating how much risk an organization is willing to accept, not a collection mechanism or monitoring program.
ISCM is specifically defined as a program that collects security-related information on an ongoing basis, with much of that information made readily available through already-implemented security controls and automated tools. Per NIST SP 800-137, ISCM provides situational awareness of the security posture of an organization by continuously gathering metrics, status, and alerts from security controls already in place, enabling timely risk management decisions.
A risk assessment report documents the results of a risk assessment process at a specific point in time, rather than being an ongoing monitoring program that continuously gathers information from implemented security controls.
Concept tested: Information Security Continuous Monitoring (ISCM) program purpose
Source: https://csrc.nist.gov/publications/detail/sp/800-137/final
Topics
Community Discussion
No community discussion yet for this question.