Assess the security controls employed within and inherited by the system in accordance with an organization-defined monitoring strategy.