The National Institute of Standards and Technology is producing two publications that provide agencies guidance on continuous monitoring.
The first, Special Publication 800-137, defines continuous monitoring in a much broader context and advises that agencies need to continuously monitor at three levels: the organization level, mission/business process level and information system level, says Ron Ross, project leader of the Federal Information Security Management Agency Implementation Project at NIST.
Currently, many agencies are focused on the information system level, such as scanning servers or the network for security vulnerabilities. But monitoring at the other two levels is equally important because good management, good planning and a good enterprise and information security architecture can significantly reduce security risks, Ross says.
“You have to start at the top and manage risk strategically,” he says.
For example, the top layer, the organization level, is about governance and having senior leaders develop an effective risk management strategy, including how to assess, respond to and monitor risks, Ross says.
The second layer, the mission/business process level, is about defining core missions and business processes and developing an enterprise and information security architecture.
“A lot of what we do in the second tier can influence information systems in the third tier,” he says. “To correct some of the systemic vulnerabilities long-term, it’s better to do advance planning and develop the core concepts of continuous monitoring when you are defining your core missions or establishing the business processes that support those missions and developing the enterprise architecture.”