PrepAway - Latest Free Exam Questions & Answers

Which of the following is the MOST important activity that should be considered?

In order to maintain oversight of a third-party service provider, the company is going to implement
a Governance, Risk, and Compliance (GRC) system. This system promises to provide overall
security posture coverage. Which of the following is the MOST important activity that should be
considered?


A. Continuous security monitoring

B. Baseline configuration and host hardening

C. Service Level Agreement (SLA) monitoring

D. Security alerting and trending

Explanation:
The company is investing in a Governance, Risk, and Compliance (GRC) system to provide
overall security posture coverage. This is great for testing the security posture. However, to be
effective and ensure the company always has a good security posture, you need to monitor the
security continuously.
Once a baseline security configuration is documented, it is critical to monitor it to see that this
baseline is maintained or exceeded. A popular phrase among personal trainers is “that which gets
measured gets improved.” Well, in network security, “that which gets monitored gets secure.”
Continuous monitoring means exactly that: ongoing monitoring. This may involve regular
measurements of network traffic levels, routine evaluations for regulatory compliance, and checks
of network security device configurations.

