What is the PRIMARY goal of an Information Security Continuous Monitoring (ISCM) strategy?
The primary goal of an ISCM strategy is:

Answer: C. Support organization risk management decisions.
Per the National Institute of Standards and Technology (NIST), ISCM for Federal Information Systems and Organizations is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats in order to support organizational risk management decisions.
The Federal government's work is based on the Risk Management Framework (RMF), a unified information security framework. The RMF was developed by NIST and is used as a disciplined and structured process for integrating information security and risk management activities into the system development life cycle. ISCM plays an important and critical role in the RMF process. Hence a basic component, or pillar, of an ISCM strategy is to focus on monitoring and on supporting risk management decisions across the multiple mission and operational areas that are related to, affected by, or influenced by the cyberspace domain.

An ISCM strategy provides an approach to compliance and risk management. The strategy identifies system (security) risks in a company or organization, and then lets those risks be adjusted dynamically depending on the threat.
It is not option (A), "Create expedited assessment process for cost savings", as ISCM has nothing to do with business costs; as the name ISCM suggests, it has to do with security, risks, threats, mitigation, monitoring, protection, and prevention.

It is not option (B), "Maintain visibility of an organization's high-cost controls", either, as again it has nothing to do with the organization's business costs; as the name ISCM suggests, it has to do with security, risks, threats, mitigation, monitoring, protection, and prevention.

It is not option (D), "Assess the organizational tiers", as it has nothing to do with the core business or with the organization's structure, tiers, or hierarchy; it is entirely about information security.