By William Jackson
Continuous monitoring is a crucial element in the Risk Management Framework developed by the National Institute of Standards and Technology, and new guidance now is available for continuous monitoring programs.
“In today’s environment, where many, if not all, of an organization’s mission-critical functions are dependent upon information technology, the ability to manage this technology and to assure confidentiality, integrity and availability of information is now also mission-critical,” according to the guidelines.
NIST’s newly released Special Publication 800-137, “Information Security Continuous Monitoring for Federal Information Systems and Organizations,” defines continuous monitoring as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” This helps ensure that the security controls in use on IT systems are effective and appropriate for the organization’s level of risk tolerance.
The monitoring process applies to all levels of an organization, but begins at the top, the document states. “Any effort or process intended to support ongoing monitoring of information security across an organization begins with leadership defining a comprehensive strategy encompassing technology, processes, procedures, operating environments and people.”
Requirements for continuous monitoring are relatively new, having grown out of requirements for periodic review of IT system security status. The Federal Information Security Management Act of 2002 requires assessments of security controls at a frequency appropriate to each system’s risk level, and at least annually. Recent guidance from the Office of Management and Budget on FISMA reporting emphasizes monitoring on an ongoing basis rather than through periodic assessments. In recent years, effective tools for automating security monitoring have emerged to assist in the effort.
SP 800-137 gives guidelines for developing and implementing a continuous monitoring strategy and program. The ongoing visibility into assets, threats and vulnerabilities provided by the program is essential to maintaining the ability to respond to risks in dynamic IT systems and changing threat environments. Tools and methods used to gather data include sampling, use of common protocols, and reference architectures.
Agency-specific metrics are used to determine security status. Gathering data and applying metrics requires:
- Maintaining an understanding of threats and threat activities.
- Assessing all security controls.
- Collecting, correlating and analyzing security-related information.
- Providing actionable communication of security status across all tiers of the organization.
- Active management of risk by organizational officials.
Data is collected and analyzed regularly and as often as needed to manage risk appropriately at each organizational tier. The tiered approach described in the publication mirrors that described in other NIST security guidelines, in which Tier 1 is the organization, Tier 2 is the mission or business process, and Tier 3 is the information system. Tier-specific policies, procedures and responsibilities are included for each level.
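As an added illustration of the tiered roll-up and the risk-based assessment frequency described above (example code written for this page, not from NIST or the publication): control assessment results recorded at Tier 3 are aggregated into per-tier status metrics and an actionable item list. The per-risk-level intervals, system and process names, control identifiers and assessment records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed assessment intervals (days) by system risk level: higher-risk systems are
# assessed more often, and no interval exceeds FISMA's annual floor.
MAX_INTERVAL_DAYS = {"high": 90, "moderate": 180, "low": 365}

@dataclass
class ControlAssessment:
    system: str        # Tier 3: information system
    process: str       # Tier 2: mission/business process
    risk_level: str    # "high", "moderate" or "low"
    control: str       # control identifier, e.g. "AC-2"
    last_assessed: date
    effective: bool    # did the control pass its last assessment?

def is_overdue(a, today):
    return (today - a.last_assessed).days > MAX_INTERVAL_DAYS[a.risk_level]

def tier_status(assessments, today, key):
    """Roll control results up to one tier; key maps an assessment to its
    tier identifier (system name, process name, or a constant for Tier 1)."""
    groups = {}
    for a in assessments:
        g = groups.setdefault(key(a), {"assessed": 0, "overdue": 0, "ineffective": 0})
        g["assessed"] += 1
        g["overdue"] += int(is_overdue(a, today))
        g["ineffective"] += int(not a.effective)
    for g in groups.values():  # metric: share of controls assessed within their interval
        g["current_pct"] = round(100 * (g["assessed"] - g["overdue"]) / g["assessed"])
    return groups

def action_items(assessments, today):
    """Actionable list for system owners: what needs reassessment or remediation."""
    items = []
    for a in assessments:
        if is_overdue(a, today):
            items.append((a.process, a.system, a.control, "overdue"))
        if not a.effective:
            items.append((a.process, a.system, a.control, "ineffective"))
    return sorted(items)

# Constructed sample data, evaluated as of a fixed date.
TODAY = date(2011, 9, 30)
SAMPLE = [
    ControlAssessment("HR-Portal", "Personnel Mgmt", "moderate", "AC-2", date(2011, 5, 1), True),
    ControlAssessment("HR-Portal", "Personnel Mgmt", "moderate", "SI-4", date(2011, 1, 15), True),
    ControlAssessment("Payroll", "Personnel Mgmt", "high", "AC-2", date(2011, 8, 15), False),
    ControlAssessment("Public-Web", "Outreach", "low", "CM-6", date(2010, 9, 1), True),
]
```

`tier_status(SAMPLE, TODAY, lambda a: a.process)` gives the Tier 2 view, and a constant key such as `lambda a: "organization"` gives the Tier 1 roll-up.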
Continuous monitoring is most effective when automated tools are employed for data collection and reporting. The output of these tools should be formatted to provide information that is specific, measurable, actionable, relevant and timely. The document encourages the use of automation, but recognizes that many aspects of monitoring programs are not easily automated.
The recommendations call for automation wherever possible and for manual or procedural monitoring methods elsewhere.
The guidelines recognize that information security is a dynamic process that must be proactively managed. “The program will evolve over time as the program matures in general, additional tools and resources become available, measurement and automation capabilities mature, and changes are implemented to ensure continuous improvement in the organizational security posture and in the organization’s security program,” the document states.