There are distinct benefits to implementing an Automated Continuous Monitoring solution (see “Continuous Monitoring surpasses Compliance Management in Effectiveness”) over the traditional approach to compliance management. But what does an Automated Continuous Monitoring solution look like?
Today, organizations manage their information security compliance and risk in static, disparate silos:
Every industry has Compliance Mandates, such as NIST, FISMA, PCI, DIACAP, SOX, SOC2, HIPAA, and NERC CIP, which drive its Corporate Information Security Policies. These policies are captured in binders that largely remain static.
During their risk assessment process, organizations conduct a Business Impact Analysis to determine the risk associated with each information system.
This information is not usually correlated to the Compliance Mandates and Corporate Information Security Policies.
Security Information and Event Management (SIEM) systems and loggers monitor information systems using definitions of known threats to identify vulnerable systems. These tools can be augmented by input from the National Vulnerability Database which tracks all known threats.
There is typically no automated way to analyze the data from these tools in the context of the Corporate Information Security Policies, which creates the opportunity for non-compliance.
Adding to the complexity is the need to apply updates to software and hardware firmware. These updates are cataloged in Configuration Management tools that are very rarely connected to the SIEM tools or to the vulnerability and threat databases, thereby leaving another place for non-compliance to creep in.
Traditional “continuous monitoring” depends upon processes and human effort to keep pace with the rapid changes in Compliance Mandates, Corporate Information Security Policies, Threats and Vulnerabilities and Information System updates in order to maintain compliance.
All hope is not lost. Automated Continuous Monitoring provides a solution: an integrated, automated web of process, information and control.
No matter where you start, an effective automated continuous monitoring solution that enables an enterprise to have a 360° view of its risk should have the following capabilities:
· Ingest information from sensors and Security Information and Event Management (SIEM) tools to analyze security vulnerabilities and provide a risk score based on customer-defined scoring metrics.
· Map known vulnerabilities against compliance guidelines such as NERC CIP, HIPAA, PHI, PCI, FISMA, NIST, GLB, DIACAP, SOC and SOX.
· Automate updates to compliance guidelines and documents.
· Monitor configuration management changes to identify the introduction of new security vulnerabilities.
· Automatically document system changes and include them in system security reports.
· Natively discover network assets and their associated security vulnerabilities with the use of WMI and SNMP scans.
· Validate that systems are compliant with the latest operating environment versions and anti-virus dates.
· Manage the generation of reports on security guideline compliance in the appropriate formats for NERC CIP, HIPAA, PHI, PCI, FISMA, NIST, GLB, DIACAP, SOC, and SOX.
· Ingest SCAP-related data (ASR, ARF and other XML), process that information, and provide a Risk Score.
· Provide a collaboration tool to facilitate the Certification & Accreditation and Assessment & Authorization processes.
· Receive Common Vulnerabilities and Exposures (CVE) input from the National Vulnerability Database (NVD).
Having a 360-degree view completes the picture for enterprise security risk management. No matter where you look, you have deep insights and actionable intelligence. Worries about dated information are eliminated and you are presented with actionable data.
That’s a rosy picture, I’d say.
By integrating all this information, the solution can provide a real-time comprehensive risk profile for the organization so that you can determine the following:
· The risk associated with a change to an information security guideline or corporate security policy.
· The risk associated with an update to an operating system or anti-virus definition that has not yet been applied to your system.
· The risk associated with a system configuration change.
· The risk associated with a boundary protection device or application that is out of service.
· The risk associated with a new threat appearing in the NVD.
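To make the two lists above concrete, here is an added example (not code from the original post or from Diligent eSecurity) of the core join an automated continuous monitoring pipeline performs: scan findings are scored with a customer-defined metric that weights CVSS by the Business Impact Analysis criticality of the asset, each finding is crosswalked to the compliance controls it puts at risk, and a newly published CVE is traced to the assets it affects. The XML export, asset names, criticality weights, CVE identifiers (placeholders of the form CVE-0000-000x) and the CWE-to-control crosswalk are all constructed for illustration; the element names are a simplified stand-in for an SCAP result file, not the real ARF schema.

```python
"""Added example, not code from the original post or from Diligent eSecurity:
a toy risk-scoring pipeline that joins the silos the post lists (scan findings,
Business Impact Analysis criticality, and a compliance crosswalk) into one
per-asset risk view. Every input below is constructed for illustration."""

from dataclasses import dataclass
import xml.etree.ElementTree as ET

# Constructed scan export. The element names are a simplified stand-in for an
# SCAP result file (ARF/ASR), not the real ARF schema. CVE ids are placeholders.
FINDINGS_XML = """<findings>
  <asset name="db-01">
    <finding cve="CVE-0000-0001" cvss="9.8" cwe="CWE-89"/>
    <finding cve="CVE-0000-0002" cvss="5.3" cwe="CWE-200"/>
  </asset>
  <asset name="kiosk-07">
    <finding cve="CVE-0000-0001" cvss="9.8" cwe="CWE-89"/>
  </asset>
</findings>"""

# Business Impact Analysis output: criticality per information system (constructed).
BIA_CRITICALITY = {"db-01": "high", "kiosk-07": "low"}

# Customer-defined scoring metric: how much a CVSS base score is amplified by
# the criticality of the asset it sits on (constructed weights).
CRITICALITY_WEIGHT = {"high": 3.0, "moderate": 2.0, "low": 1.0}

# Illustrative crosswalk from weakness class (CWE) to the compliance controls a
# finding of that class puts at risk. A real one is the organization's own.
CWE_TO_CONTROLS = {
    "CWE-89": {"NIST SP 800-53 SI-10", "PCI DSS 6.5.1"},
    "CWE-200": {"NIST SP 800-53 AC-3"},
}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    cwe: str


def parse_findings(xml_text: str) -> list[Finding]:
    """Turn the scan export into Finding records, one per asset/CVE pair."""
    root = ET.fromstring(xml_text)
    out = []
    for asset in root.findall("asset"):
        for f in asset.findall("finding"):
            out.append(Finding(asset.get("name"), f.get("cve"),
                               float(f.get("cvss")), f.get("cwe")))
    return out


def risk_score(finding: Finding, bia=BIA_CRITICALITY, weights=CRITICALITY_WEIGHT) -> float:
    """CVSS base score scaled by BIA criticality. Assets missing from the BIA
    (an inventory gap worth flagging on its own) are treated as 'moderate'."""
    crit = bia.get(finding.asset, "moderate")
    return round(finding.cvss * weights[crit], 2)


def asset_risk_report(findings, crosswalk=CWE_TO_CONTROLS) -> dict:
    """Per-asset total risk, the CVEs behind it, and the controls those findings touch."""
    report = {}
    for f in findings:
        entry = report.setdefault(f.asset, {"risk": 0.0, "controls": set(), "cves": set()})
        entry["risk"] = round(entry["risk"] + risk_score(f), 2)
        entry["controls"] |= crosswalk.get(f.cwe, set())
        entry["cves"].add(f.cve)
    return report


def controls_at_risk(report, framework_prefix: str) -> set[str]:
    """Controls of one framework (e.g. 'PCI DSS') that some asset currently fails."""
    return {c for e in report.values() for c in e["controls"] if c.startswith(framework_prefix)}


def new_nvd_entry_impact(findings, cve: str) -> list[str]:
    """Assets touched by a newly published CVE, highest risk first. Here the scan
    export already carries the CVE; a live pipeline would join the NVD feed
    against the asset inventory in the same way."""
    hits = [f for f in findings if f.cve == cve]
    return [f.asset for f in sorted(hits, key=risk_score, reverse=True)]


if __name__ == "__main__":
    fs = parse_findings(FINDINGS_XML)
    rep = asset_risk_report(fs)
    for name, e in sorted(rep.items(), key=lambda kv: kv[1]["risk"], reverse=True):
        print(f"{name}: risk={e['risk']} controls={sorted(e['controls'])}")
    print("PCI DSS controls at risk:", controls_at_risk(rep, "PCI DSS"))
    print("Assets hit by CVE-0000-0001:", new_nvd_entry_impact(fs, "CVE-0000-0001"))
```

The same finding on two assets lands at very different scores because the BIA criticality, not the CVSS number alone, drives the metric; that is the correlation between risk assessment and scan data that the post says is usually missing. Replacing the scoring function or the crosswalk is where an organization would plug in its own policy.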
Governance, risk, and compliance management is poised to move to the next phase of its evolution with Automated Continuous Monitoring. Products are being introduced into the market. Now is the time to think about the benefits that your enterprise can garner by implementing a solution.
- Gerry Baron, MBA
VP Business Development at Diligent eSecurity International