Capability Maturity Model – continuous monitoring level 2

The continuous monitoring capability feeds into the security state analysis with inputs from the items continuously monitored by both IT security and IT operations. The desired end state of this capability is solid interaction between the two organizations to monitor items that may impact each other and to provide inputs for an overall security analysis. The monitored items should be prioritized by PIRs that have been agreed on by both organizations; these may turn into policies, followed by the procedures to monitor.

The preceding illustration describes the encompassing concept, but the continuous monitoring capability consists of multiple interactions between teams within each organization, and then the interaction between the two organizations themselves.

To better explain this concept, I'll use several scenarios and apply a Capability Maturity Model to the item to be monitored. The only assumption for consideration here is that strategic policies and procedures have been defined and tactical procedures must be developed.
