In which of the following programs is it MOST important to include the collection of security process data?
Answer : B
Security continuous monitoring is the program in which it is most important to include the collection of security process data. Security process data is the data that reflects the performance, effectiveness, and compliance of the security processes, such as the security policies, standards, procedures, and guidelines. Security process data can include metrics, indicators, logs, reports, and assessments. Security process data can provide several benefits, such as:
Improving the security and risk management of the system by providing visibility into, and awareness of, the security posture, vulnerabilities, and threats
Enhancing security decision making by providing the evidence and information needed for security analysis, evaluation, and reporting
Driving continuous improvement of the system's security by providing the feedback and input needed for security response, remediation, and optimization
Security continuous monitoring is the program in which it is most important to include the collection of security process data, because it is the program that maintains ongoing awareness of the security status, events, and activities of the system. Security continuous monitoring enables the organization to detect and respond to security issues or incidents in a timely and effective manner, and to adjust and improve the security controls and processes accordingly. It also helps the system comply with the security requirements and standards imposed by internal or external authorities or frameworks.
The other options are not the programs in which it is most important to include the collection of security process data; they have other objectives or scopes.

Quarterly access reviews are programs that involve reviewing and verifying user accounts and access rights on a quarterly basis. Quarterly access reviews can ensure that user accounts and access rights are valid, authorized, and up to date, and that any inactive, expired, or unauthorized accounts or rights are removed or revoked. However, quarterly access reviews are not the programs in which it is most important to include the collection of security process data, because they are not focused on the security status, events, and activities of the system, but rather on user accounts and access rights.

Business continuity testing is a program that involves testing and validating the business continuity plan (BCP) and the disaster recovery plan (DRP) of the system. Business continuity testing can ensure that the system can continue or resume its critical functions and operations in case of a disruption or disaster, and that the system can meet its recovery objectives and requirements. However, business continuity testing is not the program in which it is most important to include the collection of security process data, because it is not focused on the security status, events, and activities of the system, but rather on the continuity and recovery of the system.

Annual security training is a program that involves providing and updating the security knowledge and skills of the system users and staff on an annual basis. Annual security training can increase the security awareness and competence of the system users and staff, and reduce the human errors or risks that might compromise the system's security. However, annual security training is not the program in which it is most important to include the collection of security process data, because it is not focused on the security status, events, and activities of the system, but rather on the security education and training of the system users and staff.
Which of the following controls is MOST suitable for a system identified as critical in terms of data and function to the organization?
Answer : A
Preventive controls are the most suitable for a system identified as critical in terms of data and function to the organization, because they aim to prevent or deter threats from compromising the system's confidentiality, integrity, and availability. Examples of preventive controls include encryption, authentication, access control, firewalls, antivirus software, and backup systems. Monitoring, cost, and compensating controls are not as effective as preventive controls for protecting critical systems, because they either detect, measure, or mitigate the impact of threats after they have occurred, rather than preventing them in the first place. Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, page 22. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1: Security and Risk Management, page 35.
The BEST way to check for good security programming practices, as well as auditing for possible backdoors, is to conduct