Definition
Information security continuous monitoring (ISCM) is "maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions."[1]
Overview
Any effort or process intended to support ongoing monitoring of information security across an organization begins with leadership defining a comprehensive ISCM strategy encompassing technology, processes, procedures, operating environments, and people. This strategy:
- Is grounded in a clear understanding of organizational risk tolerance and helps officials set priorities and manage risk consistently throughout the organization;
- Includes metrics that provide meaningful indications of security status at all organizational tiers;
- Ensures continued effectiveness of all security controls;
- Verifies compliance with information security requirements derived from organizational missions/business functions, federal legislation, directives, regulations, policies, and standards/guidelines;
- Is informed by all organizational IT assets and helps to maintain visibility into the security of the assets;
- Ensures knowledge and control of changes to organizational systems and environments of operation; and
- Maintains awareness of threats and vulnerabilities.
An ISCM program is established to collect information in accordance with preestablished metrics, utilizing information readily available in part through implemented security controls. Organizational officials collect and analyze the data regularly and as often as needed to manage risk as appropriate for each organizational tier. This process involves the entire organization, from senior leaders providing governance and strategic vision to individuals developing, implementing, and operating individual systems in support of the organization's core missions and business processes. Subsequently, determinations are made from an organizational perspective on whether to conduct mitigation activities or to reject, transfer, or accept risk.
NIST Special Publications 800-37; 800-39; 800-53; 800-53A; and 800-137 provide guidance on ISCM.
References
- [1] NIST Special Publication 800-137, at vi.
Source
- NIST Special Publication 800-137, at vi-vii.