Certified Information Systems Security Professional (CISSP) — Question 342
What is the FIRST step when developing an Information Security Continuous Monitoring (ISCM) program?
Answer options
- A. Collect the security-related information required for metrics, assessments, and reporting.
- B. Establish an ISCM program determining metrics, status monitoring frequencies, and control assessment frequencies.
- C. Define an ISCM strategy based on risk tolerance.
- D. Establish an ISCM technical architecture.
Correct answer: C
Explanation
The first step in developing an ISCM program is to define an ISCM strategy based on risk tolerance, because the strategy sets the foundation for the program's objectives and priorities. The other options are essential components of the program, but they are subsequent steps that depend on having a clear strategy in place.