Full Program »
TR4: Continuous Assessment
Friday, 7 December 2012
08:30 - 10:00
Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Ongoing monitoring is a critical part of that risk management process whereby an organization’s overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk, despite any changes that occur. Timely, relevant, and accurate information is vital, particularly when resources are limited and agencies must prioritize their efforts.
Near real-time risk management and the ability to design, develop, and implement effective continuous monitoring programs, depends first and foremost, on the organization’s ability to develop a strong information technology infrastructure—in essence, building stronger, more resilient information systems using system components with sufficient security capability to protect core missions and business functions.
Any effort or process intended to support ongoing monitoring of information security across an organization begins with leadership defining a comprehensive ISCM strategy encompassing technology, processes, procedures, operating environments, and people. This strategy:
• Is grounded in a clear understanding of organizational risk tolerance and helps officials set priorities and manage risk consistently throughout the organization;
• Includes metrics that provide meaningful indications of security status at all organizational tiers;
• Ensures continued effectiveness of all security controls;
• Verifies compliance with information security requirements derived from organizational missions/business functions, federal legislation, directives, regulations, policies, and standards/guidelines;
• Is informed by all organizational IT assets and helps to maintain visibility into the security of the assets;
• Ensures knowledge and control of changes to organizational systems and environments of operation; and
• Maintains awareness of threats and vulnerabilities.