The correct answer is A because the most important benefit of adding monitoring to log aggregation services is to enable the identification of active incidents. Log aggregation by itself centralizes logs, but adding monitoring makes those logs operationally useful for detecting suspicious events, identifying ongoing attacks, and triggering timely response.
The other options are less important because they are not the primary benefit:
B. adherence to compliance requirements is an important secondary benefit, but not the main operational advantage of monitoring.
C. preservation of log data for digital forensic investigations is mainly associated with retention and integrity of logs, not monitoring itself.
D. reporting of evidence to law enforcement agencies is a possible later use, but not the main benefit of adding monitoring.
Exact Extracts supporting the answer:
“The main purpose of continuous monitoring is detecting changes to the enterprise’s risk environment.”
“The most reliable assessment results for the performance of a critical application server are obtained from continuous monitoring which tracks key performance metrics.”
“When monitoring flags a security exception the most appropriate action is validating the exception.”
“The risk professional's role is assisting in planning reporting and scheduling tests of IS controls.”
“The greatest risk related to the review of log files is that unauthorized system actions are not identified.”
These extracts show that the main value of monitoring added to log aggregation is timely detection of suspicious or unauthorized activity, which supports identification of active incidents.
===========
QUESTION NO: 88 [Governance]
An organization has implemented a new operating system on all desktops and laptops that enables only necessary services to minimize business risk. Which of the following documents would address this implementation?
A. Policy
B. Procedure
C. Standard
D. Guideline
Answer: C
The correct answer is C because a standard defines the mandatory technical requirements and approved baseline settings that systems must follow. Enabling only necessary services across desktops and laptops is a specific, enforceable configuration requirement, which is characteristic of a standard rather than a high-level policy, step-by-step procedure, or optional guideline.
The other options are less appropriate:
A. Policy sets overall direction and intent, but not the specific technical baseline.
B. Procedure explains how to perform a task, not the required state of the system.
D. Guideline is advisory, not mandatory.
Exact Extracts supporting the answer:
“When many corporate IT standards are outdated the best course of action is to review the standards against current requirements and determine their adequacy.”
“The control practice related to information systems architecture that includes establishing and maintaining baselines for internally developed systems is Configuration management.”
“The MOST appropriate metric to measure how well the information security function is managing the administration of user access is percent of accounts with configurations in compliance.”
“The BEST way to identify IS control deficiencies is through defined control objectives.”
These extracts support that technical baseline requirements are established and enforced through standards.
===========
QUESTION NO: 89 [Risk and Control Monitoring and Reporting]
Which of the following would be MOST helpful in developing a corrective action plan in response to a risk finding?
A. Gap analysis
B. Root cause analysis
C. Business impact analysis (BIA)
D. Threat analysis
Answer: B
The correct answer is B because root cause analysis is the most helpful input for developing a corrective action plan. A corrective action plan should address the underlying cause of the risk finding, not just its symptoms. Root cause analysis helps determine why the issue occurred so the remediation can be targeted and effective.
The other options are less appropriate:
A. Gap analysis helps identify differences between current and desired states, but it does not explain why the issue exists.
C. Business impact analysis (BIA) focuses on business disruption and criticality, not the cause of the finding.
D. Threat analysis helps understand threat sources and scenarios, but not necessarily the underlying control or process breakdown that needs correction.
Exact Extracts supporting the answer:
“After a security incident the first step toward yielding an actionable plan that effectively mitigates the risk is root cause analysis.”
“To determine the factors responsible for a loss event a risk professional should use cause-and-effect analysis.”
“Reviewing risk and control analysis results is done to assess gaps between current and desired states of the IT risk environment.”
“The BEST way to ensure appropriate mitigation occurs on identified information systems vulnerabilities is by assigning action plans with deadlines to responsible personnel.”
These extracts support that effective corrective action begins with understanding the underlying cause. Therefore, root cause analysis is the most helpful input for developing the corrective action plan.