Continuous monitoring has been defined as

“[m]aintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Continuous monitoring, a critical aspect of the organization-wide risk management process, is most effective when automated mechanisms are employed where possible.”

and as

“[t]he process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends. The process includes: (1) the development of a strategy to regularly evaluate selected IA controls/metrics; (2) recording and evaluating IA relevant events and the effectiveness of the enterprise in dealing with those events; (3) recording changes to IA controls, or changes that affect IA risks; and (4) publishing the current security status to enable information-sharing decisions involving the enterprise.”
A critical aspect of managing risk to information from the operation and use of information systems involves the continuous monitoring of the security controls employed within or inherited by the system. Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence.
An effective organizational information security program also includes a rigorous continuous monitoring program integrated into the System Development Life Cycle (SDLC). The objective of the continuous monitoring program is to determine whether the set of deployed security controls continues to be effective over time in light of the inevitable changes that occur.
Continuous monitoring is a proven technique to address the security impacts on an information system resulting from changes to the hardware, software, firmware, or operational environment. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information to organizational officials in order to take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation of the information system. Continuous monitoring programs provide organizations with an effective mechanism to update security plans, security assessment reports, and plans of action and milestones (POA&Ms).
An effective continuous monitoring program includes:
- Configuration management and control processes for information systems;
- Security impact analyses on proposed or actual changes to information systems and environments of operation;
- Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the defined continuous monitoring strategy;
- Security status reporting to appropriate officials; and
- Active involvement by authorizing officials in the ongoing management of information system-related security risks.
Continuous monitoring allows an organization to: (i) track the security state of an information system on a continuous basis; and (ii) maintain the security authorization for the system over time in highly dynamic environments of operation with changing threats, vulnerabilities, technologies, and missions/business processes.
U.S. government agencies
OMB policy and NIST guidelines require agencies to implement a continuous monitoring approach for all information systems, including those using wireless technologies. According to NIST guidelines, agencies are required to monitor for unauthorized wireless access to information systems and should base their determination of the scope and frequency of such monitoring on an assessment of risk to the agency, the operational environment, the agency’s requirements, and specific threat information.
Continuous monitoring allows an organization to defend its security posture in a dynamic environment where threats, vulnerabilities, and technologies are constantly changing. Experts also noted the importance of continuously monitoring the wireless network for rogue access points and client devices. Documenting and implementing an approach to wireless monitoring that uses a risk-based approach helps to ensure that the scope and frequency of monitoring is appropriate for the threats facing the agency. Centralized management tools can provide continuous monitoring capabilities for improved visibility and oversight of the organization’s entire wireless network.
Both experts and NIST guidelines highlighted the importance of using a wireless intrusion detection system to continuously monitor an agency’s wireless networks to detect and respond to malicious activities on the network before they inflict damage. These types of systems enable an organization’s operations or security staff to determine whether unauthorized users or devices are attempting to access, have already accessed, or have compromised a WLAN. A wireless intrusion prevention system builds on the functionality of a wireless intrusion detection system by also automatically taking countermeasures against these unauthorized users or devices. These systems are able to monitor wireless data as it passes from wireless to wired networks. They can also detect misconfigured WLAN clients, rogue access points, ad hoc networks, and other possible violations of an organization’s WLAN policy. In addition, these systems can position an organization to proactively assess its wireless network at regular intervals. However, a wireless intrusion detection or prevention system is a significant expense, and it may not be appropriate in all cases. For example, an agency may determine that a smaller agency location with lower risk systems may not warrant the expense that installing a wireless intrusion detection or prevention system may entail.
Other tools exist to detect rogue wireless client devices, such as handheld scanners and network authentication mechanisms, but these may not be as effective or as easy to monitor as an intrusion detection system. Consistent with NIST guidelines, an organization should use a risk-based business case to determine the appropriate use of continuous monitoring solutions.
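The detection logic a wireless intrusion detection system applies to the cases named above (rogue access points advertising the organization's SSID, ad hoc networks, misconfigured access points, and managed clients joining unauthorized networks) can be illustrated with a small classifier. The following is an added example, not code from the original page or from any particular WIDS product. The authorized-AP inventory, the managed-client OUI prefix, the key=value scan format and the scan records themselves are all constructed for this example; a real deployment would feed the classifier from sensor data and from the organization's asset inventory.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical inventory of authorized access points and the security
# configuration each one is expected to advertise (constructed for this example).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "WPA2-Enterprise",
    "00:11:22:33:44:02": "WPA2-Enterprise",
}
CORPORATE_SSIDS = {"CORP-WLAN"}
# OUI prefixes of organization-managed client devices (constructed).
MANAGED_CLIENT_OUIS = {"a4:5e:60"}

# Constructed scan records in a simple key=value format; in practice these
# would come from WIDS sensors or a scanning tool, not from a literal string.
SAMPLE_SCAN = """\
bssid=00:11:22:33:44:01 ssid=CORP-WLAN mode=infra security=WPA2-Enterprise
bssid=00:11:22:33:44:02 ssid=CORP-WLAN mode=infra security=WPA2-PSK
bssid=DE:AD:BE:EF:00:01 ssid=CORP-WLAN mode=infra security=OPEN station=A4:5E:60:12:34:56
bssid=02:aa:bb:cc:dd:ee ssid=FreeWifi mode=adhoc security=OPEN
bssid=c0:ff:ee:00:00:01 ssid=Neighbor-Net mode=infra security=WPA2-PSK
"""


@dataclass
class Observation:
    bssid: str
    ssid: str
    mode: str          # "infra" or "adhoc"
    security: str      # e.g. "WPA2-Enterprise", "WPA2-PSK", "OPEN"
    station: str = ""  # MAC of a client seen associated to this BSSID, if any


def parse_scan(text: str) -> List[Observation]:
    """Parse key=value records; MAC addresses are normalized to lower case."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        fields["bssid"] = fields["bssid"].lower()
        fields["station"] = fields.get("station", "").lower()
        observations.append(Observation(**fields))
    return observations


def classify(obs: Observation) -> List[str]:
    """Return the WLAN policy violations a single observation represents."""
    findings = []
    authorized = obs.bssid in AUTHORIZED_APS
    if obs.mode == "adhoc":
        findings.append("adhoc-network")
    if obs.ssid in CORPORATE_SSIDS and not authorized:
        # Our SSID is being advertised from hardware that is not in the inventory.
        findings.append("rogue-ap-evil-twin")
    if authorized and obs.security != AUTHORIZED_APS[obs.bssid]:
        # One of our own access points has drifted from its expected configuration.
        findings.append("authorized-ap-misconfigured")
    if obs.station and obs.station[:8] in MANAGED_CLIENT_OUIS and not authorized:
        # A managed client has associated to something outside the inventory.
        findings.append("managed-client-on-unauthorized-network")
    return sorted(findings)


def analyze(observations: List[Observation]) -> Dict[str, List[str]]:
    """Map each BSSID that has at least one finding to its sorted findings."""
    report = {}
    for obs in observations:
        findings = classify(obs)
        if findings:
            report[obs.bssid] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in analyze(parse_scan(SAMPLE_SCAN)).items():
        print(bssid, ", ".join(findings))
```

Note that the neighbouring network (Neighbor-Net) produces no finding: an access point that is merely visible is not a rogue access point, and treating every unknown BSSID as hostile is the main source of false positives in wireless monitoring. Only a BSSID that impersonates the organization's SSID, carries one of its managed clients, or is one of its own access points in an unexpected configuration is reported.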