During the monitor phase of a security program lifecycle, which activity best demonstrates ongoing monitoring?

Ongoing monitoring means continuously watching how security controls operate and catching deviations as soon as they happen. This approach uses real-time or near-real-time data, automated monitoring, and alerts so you can respond quickly and keep defenses aligned with risk. Choosing to continuously observe security controls' performance and detect deviations best demonstrates that mindset. It embodies constant vigilance, immediate detection of issues, and rapid response, which are the heart of monitoring throughout the program lifecycle. Reviewing and verifying effectiveness against metrics is important, but it often reflects periodic assessment rather than the tireless, real-time surveillance that ongoing monitoring requires. Creating new asset inventories for each quarter is asset management rather than monitoring, and ignoring incident data defeats the whole purpose of learning from events to strengthen defenses.