Help is available for effective continuous monitoring
Fully continuous monitoring of the security status of information systems is an ideal that is unlikely to be reached because of the complexity of round-the-clock, real-time scanning of every aspect of a system. Both industry and government are moving toward making it more practical, however.
The Homeland Security Department, the lead agency for protecting civilian government systems, is focusing on a set of high priority security controls for agencies reporting through its Cyberscope program, and vendors are producing tools to automate the job of scanning systems and reporting results.
To help agencies get started, the National Institute of Standards and Technology is publishing guidance on continuous monitoring.
NIST’s newly released Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations , released in 2011, gives guidelines for developing and implementing a continuous monitoring strategy and program. It defines continuous monitoring as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” This helps ensure that the security controls being used on IT systems are effective and appropriate for the organization’s level of risk tolerance.
Data is collected and analyzed regularly and as often as needed to manage risk. Continuous monitoring is most effective when automated tools are employed for data collection and reporting. NIST encourages the use of automation, but recognizes that many aspects of monitoring programs are not easily automated.
More recently, NIST has released two draft reports offering technical specifications for continuous security monitoring of IT systems, as well as guidance for applying the workflows in asset, configuration and vulnerability management. Both reports, released in January 2012, are in draft form.
Interagency Report 7799, Continuous Monitoring Reference Model, Workflow, and Specifications, provides the technical specifications for enabling continuous monitoring across any data domain being monitored. This enables product instrumentation and development, along with product testing, validation, procurement and interoperability. It focuses on workflows and on the interfaces that provide communications paths between subsystems.
The second report, IR 7800, Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains, binds the resulting workflows for managing specific domains.