Information Security Continuous Monitoring within a Risk Management Framework
1 like1,599 views
This document discusses the need for information security continuous monitoring (ISCM) within federal agencies. It outlines a risk management framework and seven-step ISCM strategy to continuously assess risks, security controls, and the overall security posture. The strategy involves defining goals, establishing metrics and assessment frequencies, implementing a monitoring program, analyzing data, responding to findings, and reviewing the program. It recommends anchoring the approach to a risk framework, prioritizing projects according to risk, maintaining situational awareness, and ensuring leadership support and system owner responsibility for effective continuous monitoring.
Information Security Continuous Monitoring within a Risk Management Framework
- 1. 1 Mission Critical Global Technology Group (MCGlobalTech) Information Security Continuous Monitoring Within A Risk Management Framework
- 2. 2 Why Federal Information Security is Evolving Foreign Intelligence organizations trying to hack into our military’s 100 digital networks 10 Million Cyber attacks daily at Department of Energy 400%+ Increase of cyber attacks since 2006 80% Attacks leveraging known vulnerabilities & configuration setting weaknesses
- 3. 3 Why Federal Information Security is Evolving Security Incidents are increasing. IT Environments are in constant change. Risks need to be continuously assessed.
- 4. 4 Organization Wide Risk Monitoring
- 5. 5 Risk Management Framework (ISCM View)
- 6. 6 Information Security Continuous Monitoring Strategy
- 7. 7 Information Security Continuous Monitoring Steps Step 1 - Define Strategy: Effective ISCM begins with the development of a addressed the ISCM requirements and activities at each organizational tier; (Tier 1, Tier 2, Tier 3) • Tier 1 – The risk mitigation strategy; executives must determine the overall organizational risk tolerance and risk • Tier 2 – Information generated from Tier 1 (Governance, Policy, Risk Tolerance, Strategy, etc.) is communicated to staff / business units owner, and process owner, to enable the reflect and implementation of the ISCM strategy in there is system and processes; • Tier 3 – The ISCM is implemented to support risk management and risk tolerance at all three tier.
- 8. 8 Information Security Continuous Monitoring Steps Step 2 – Establish Measures and Metrics: • Goals, detect security anomalies, changes in IT operations, Information Systems, vulnerabilities awareness, control effectiveness, security status; control ongoing risk to the organization; Step 3 – Establish Monitoring and Assessment Frequencies: • Organization determine the frequencies each security control is assessed. The data generated with different latencies is used to create a holistic view of the security disposition Step 4 – Implementing the ISCM Program • Data is collected for predefined metrics, security control assessments are conducted, and this information is reported and used in accordance with organizational policies and procedures;
- 9. 9 Information Security Continuous Monitoring Steps Step 5 – Analyze Data and Report Findings: • Organization must develop procedures for analyzing and reporting assessment and monitoring results. This will includes the content and format of reports, frequency of reports, tools that are used, and most importantly requirements for analyzing and reporting the results of controls; • Organizational officials should review the analyzed reports to determine whether to conducts mitigations activities or to transfer, avoid / reject or accept the risk; Step 6 – Respond to Findings: • Repose to findings at all tiers may include risk mitigation, risk acceptance, risk avoidance, or risk sharing in accordance with organizational tolerance.
- 10. 10 Information Security Continuous Monitoring Steps Step 7 – Review and Update Program: • Security controls assessments, security status metrics, and monitoring frequencies change according to the needs of the organization; • The ISCM strategy should be reviewed to ensure it is sufficiently supports the organization and is operating within acceptable risk tolerance levels; that metrics remain relevant, and data is current and complete.
- 11. 11 ISCM Recommendations for The Leadership Team Recommendations on ISCM for Leadership: • Anchor to a specific risk framework or approach (i.e., NIST 800-137) • Develop risk ranking / scoring methods; • Prioritizes security projects, actions, and investments according to risk rank; • Maintain situational awareness of all information systems and functions across the organization; • Support a clear view and understanding of threat activities; • Continuously re-evaluate security controls, frequencies, and security program; • Collect and analyze meaningful information security related data; • Communication Security status across all tiers of the organization; • Organization executives must have an active role in risk management;
- 12. 12 Executive Summary • The combination of preventive and detective monitoring controls is important in building an effective continuous monitoring program; • The successful implementation of a continuous monitoring program will require common commitment through leadership support, authorizing official enforcement, and system owner responsibility; • A well designed and implemented continuous monitoring program can improve the quality of agency information security programs by providing management with current, meaningful information on the security posture of their IT assets;
- 13. 13 Contact Information Mission Critical Global Technology Group 1776 I Street, NW 9th Floor Washington, District of Columbia 20006 Phone: 571-249-3932 Email: Info@mcglobaltech.com William McBorrough Morris Cody Managing Principal Managing Principal wjm4@mcglobaltech.com mcody@mcglobaltech.com