Saturday, October 29, 2011

NIST: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

This is a publication issued by the National Institute of Standards and Technology (NIST), and lists the following authors: Kelley Dempsey; Nirali Shah Chawla; Arnold Johnson; Ronald Johnston; Alicia Clay Jones; Angela Orebaugh; Matthew Scholl; and Kevin Stine.

This publication provides standards regarding security of IT systems for Federal agencies.

The NIST document states, "The Risk Management Framework (RMF) developed by NIST, describes a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. Ongoing monitoring is a critical part of that risk management process. In addition, an organization’s overall security architecture and accompanying security program are monitored to ensure that organization-wide operations remain within an acceptable level of risk, despite any changes that occur."

According to the document, an effective ISCM strategy:

• Is grounded in a clear understanding of organizational risk tolerance and helps officials set priorities and manage risk consistently throughout the organization;
• Includes metrics that provide meaningful indications of security status at all organizational tiers;
• Ensures continued effectiveness of all security controls;
• Verifies compliance with information security requirements derived from organizational missions/business functions, federal legislation, directives, regulations, policies, and standards/guidelines;
• Is informed by all organizational IT assets and helps to maintain visibility into the security of the assets;
• Ensures knowledge and control of changes to organizational systems and environments of operation; and
• Maintains awareness of threats and vulnerabilities.
The document further states: "Organizations take the following steps to establish, implement, and maintain ISCM:

• Define an ISCM strategy;
• Establish an ISCM program;
• Implement an ISCM program;
• Analyze data and Report findings;
• Respond to findings; and
• Review and Update the ISCM strategy and program."