In order to maintain oversight of a third party service provider, the company is going to implement a Governance, Risk, and Compliance (GRC) system. This
system is promising to provide overall security posture coverage. Which of the following is the MOST important activity that should be considered?
A.
Continuous security monitoring
B.
Baseline configuration and host hardening
C.
Service Level Agreement (SLA) monitoring
D.
Security alerting and trending
Explanation:
The company is investing in a Governance, Risk, and Compliance (GRC) system to provide overall security posture coverage. This is great for testing the security
posture. However, to be effective and ensure the company always has a good security posture, you need to monitor the security continuously.
Once a baseline security configuration is documented, it is critical to monitor it to see that this baseline is maintained or exceeded. A popular phrase among
personal trainers is “that which gets measured gets improved.” Well, in network security, “that which gets monitored gets secure.” Continuous monitoring means
exactly that: ongoing monitoring. This may involve regular measurements of network traffic levels, routine evaluations for regulatory compliance, and checks of
network security device configurations.
Incorrect Answers:
B: Baseline configuration and host hardening should be performed initially or when new computer systems are implemented. However, after that has been done,
you should continue to monitor the security of the system. Therefore, this answer is incorrect.
C: Service Level Agreement (SLA) monitoring is performed to ensure that the availability of the system meets SLA’s agreed with your customers. It does not affect
or ensure the security of the system. Therefore, this answer is incorrect.
D: Security alerting and trending is important. However, this can only happen with continuous security monitoring. Therefore, this answer is incorrect.Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p 61