Continuous Monitoring – The Next Evolution of C&A?

The information technology (IT) security industry is “abuzz” with the introduction of the Risk Management Framework (RMF) and the Continuous Monitoring process. Many believe that because they have “implemented” Continuous Monitoring, they are compliant with the Federal Information Security Management Act (FISMA) and better positioned from a security perspective than others who are still following the conventional security authorization (certification and accreditation [C&A]) tri-annual assessment process. Proponents of this new position point to various comments by government officials, agency CIOs, and Federal CIOs that security should be more focused on technology. Continuing calls for additional investments in intrusion detection, log consolidation and monitoring tools, and patch and vulnerability management tools reverberate from organizational IT departments. The logic is that through the use of these tools, “continuous monitoring” can be achieved and the paperwork-intensive security authorization process can be eliminated to “save money through the use of technology.”

Ah, but the pendulum swings again. During the emergence of the information security domain, technology ruled. Firewalls, content inspection engines, intrusion detection systems (IDSs), vulnerability and patch management tools, VPN gateways, and security appliances ruled the domain. They propagated and flourished and there was peace and tranquility throughout the land.

Well, almost.

We quickly found out that while technology was an enabler of information security, policies and procedures were required to allocate the proper resources and responses to the multitude of incidents that these tools detected and prevented. For example, we learned that an enterprise log management and consolidation tool that was not regularly monitored and reviewed for indications of suspicious activity amounted to only a huge data file that sat on a server waiting for attention. Information security is more than technology; it is also people and procedures. Trained and experienced personnel can interpret the “signals” that these tools are sending and proactively adapt defense mechanisms to address new threats. The original National Information Assurance Certification and Accreditation Process (NIACAP), Defense Information Technology Security Certification and Accreditation Process (DITSCAP), and National Institute of Standards and Technology (NIST) C&A processes implemented a “balanced” approach, using control points to measure both technology and policies and procedures.

Continuous Monitoring is a maturity level; it is not a set of technology tools conducting scans and reporting results. To establish this maturity level, security must be integrated into the culture of the organization. Mature and consistent policies enforced by technology, security personnel, and enterprise IT resource users are the cornerstone of this maturity level. Can someone please tell me how a scanner can “monitor” whether a user is susceptible to social engineering attacks (phishing) because the non-existent or severely downsized security staff has not implemented continuous security training and advisory alerts to prevent the same? Furthermore, which “tool” monitors whether contingency plan tests are successful and backup tapes are routinely “restored” to check for viability?

Just a thought. Nelson Ros