nerdexam
(ISC)2

CISSP · Question #5

A continuous information security-monitoring program can BEST reduce risk through which of the following?

The correct answer is C. Encompassing people, process, and technology. A continuous information security-monitoring program is most effective at reducing risk when it holistically encompasses people, process, and technology rather than focusing on a single technical capability.

Submitted by thandi_sa· Mar 5, 2026Governance, Risk, and Compliance

Question

A continuous information security-monitoring program can BEST reduce risk through which of the following?

Options

  • ACollecting security events and correlating them to identify anomalies
  • BFacilitating system-wide visibility into the activities of critical user accounts
  • CEncompassing people, process, and technology
  • DLogging both scheduled and unscheduled system changes

How the community answered

(21 responses)
  • A
    14% (3)
  • B
    5% (1)
  • C
    76% (16)
  • D
    5% (1)

Why each option

A continuous information security-monitoring program is most effective at reducing risk when it holistically encompasses people, process, and technology rather than focusing on a single technical capability.

ACollecting security events and correlating them to identify anomalies

Collecting and correlating security events to identify anomalies is a valuable technical capability (e.g., SIEM functionality), but it represents only the technology component of a monitoring program and does not address people or process gaps that also contribute to risk.

BFacilitating system-wide visibility into the activities of critical user accounts

Providing visibility into critical user account activities addresses insider threat and privileged access monitoring, but this is a narrow, targeted use case rather than a program-wide risk reduction strategy.

CEncompassing people, process, and technologyCorrect

A comprehensive continuous monitoring program reduces risk most broadly by integrating all three pillars: people (trained analysts and stakeholders), process (defined workflows, policies, and response procedures), and technology (tools and automation). Addressing only one dimension leaves gaps; for example, having great tools but poor processes or untrained staff still results in unmitigated risk. This holistic approach aligns with frameworks such as NIST SP 800-137, which defines continuous monitoring as encompassing organizational strategy, processes, and technical controls together.

DLogging both scheduled and unscheduled system changes

Logging scheduled and unscheduled system changes supports change management and audit trails, but it is a single detective control and does not encompass the full scope of risk reduction that a comprehensive monitoring program provides.

Concept tested: Continuous security monitoring program holistic risk reduction

Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

Topics

#continuous monitoring#risk reduction#security program#people, process, technology

Community Discussion

No community discussion yet for this question.

Full CISSP Practice