“Information security is a dynamic process that must be effectively and proactively managed for an organization to identify and respond to new vulnerabilities, evolving threats, and an organization’s constantly changing enterprise architecture and operational environment”, observed the new NIST report 'Information Security Continuous Monitoring for Federal Information Systems and Organizations' (SP 800-137).
The report stressed that ongoing information security monitoring is a “critical part” of NIST’s risk management framework. An organization’s security architecture and accompanying security program should be monitored to ensure that operations remain within an acceptable level of risk, it explained.
NIST called on an organization’s management to develop a comprehensive information security continuous monitoring (ISCM) strategy that encompasses technology, processes, procedures, operating environments, and personnel.
According to NIST, this ISCM strategy should be grounded in a clear understanding of organizational risk tolerance and help officials set priorities and manage risk consistently throughout the organization.
In addition, the strategy should include metrics that provide indications of security status at all organizational tiers; ensure effectiveness of all security controls; verify compliance with requirements derived from organizational missions/business functions, federal legislation, directives, regulations, policies, and standards/guidelines; be informed by all organizational IT assets and help to maintain visibility into asset security; ensure knowledge and control of changes to organizational systems and operational environments; and maintain awareness of threats and vulnerabilities.
“A robust ISCM program thus enables organizations to move from compliance-driven risk management to data-driven risk management providing organizations with information necessary to support risk response decisions, security status information, and ongoing insight into security control effectiveness”, the report stressed.