Question

What is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy?

1. Create expedited assessment process for cost savings.
2. Maintain visibility of an organization’s high-cost controls.
3. Support organization risk management decisions.
4. Assess the organizational tiers.

Answer 1

The primary goal of an ISCM strategy is :

Answer : C. Support organization risk management decisions.

Answer 2

The PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy is:
C. Support organization risk management decisions.
Per the National Institute of Standards and Technology (NIST), ISCM meant for Federal Information Systems and Organizations is defined as, its purpose, vision, and goal are to maintain ongoing information security, vulnerabilities, and threats awareness, supporting organizational risk management decisions.

Federal government use and work based on Risk Management Framework (RMF) which is a unified information security framework. This RMF is developed by NIST, is meant and used as a disciplined and structured process to integrate information security and risk management activities into the system development life cycle. While ISCM plays an important and critical role in this RMF process. Hence, as a basic component or pillar of ISCM strategy is to focus on monitoring and support risk management decisions amongst multiple mission operations areas related, affected, influenced by the cyberspace domain.

ISCM strategy provides an approach to compliance and risk management. The strategy identifies a system (Security) risks in a company or an organization, and laters lets that risk to be changed dynamically depending on the threat need.

It is not option (A) Create expedited assessment process for cost savings- as it has nothing to do with business costs, as the name ISCM suggests, it has to do with security, risks, threats, mitigation, monitoring, protection, and prevention.
It is not option (B) Maintain visibility of an organization’s high-cost controls either, as again, it has nothing to do with organization's business costs, as the name ISCM suggests, it has to do with security, risks, threats, mitigation, monitoring, protection, and prevention.
It is not option (D) Assess the organizational tiers- it has nothing to with the core business or the organization's structure, tiers, or hierarchy, as it is completely into Information Security.