NIST SP 800-137

Editor’s Note:  The  Federal Reserve Board of Governors “Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing” dated January 23, 2013 is attached here.  Below is an excerpt from the Statement.

Internal Audit Continuous Monitoring

Internal audit is encouraged to utilize formal continuous monitoring practices as part of the function’s risk-assessment processes to support adjustments to the audit plan or universe as they occur. Continuous monitoring can be conducted by an assigned group or individual internal auditors. An effective continuous monitoring process should include written standards to ensure consistent application of processes throughout the organization.

From: BankInfoSecurity.com

DHS’s John Streufert Discusses Continuous Monitoring Evolution

As enterprises move more applications to the cloud, continuous monitoring will play a greater role in assuring the software is patched in a timely manner, says John Streufert, DHS director of federal network resilience.

“As we move toward more virtual environments, we will try to automate the patching, and have it go on seamlessly in the background,” Streufert says in an interview with Information Security Media Group. “We are seeing a trend … where those who run cloud-based environments are taking advantage of automated patching and provisioning of their various servers, desktops or session instances. Everything seems to be heading toward trying to get into the position to improve the mean time between patching, reducing that to the lowest possible amount.”

From: GovInfoSecurity.com

Mark Weatherford on DHS’s Growing Sway over Infosec Policy

The top Department of Homeland Security policymaker focused exclusively on cybersecurity, Mark Weatherford, defends DHS’s ability to take a leading role in safeguarding civilian agencies and key national IT systems. His viewpoint challenges questions raised about the department’s capabilities by critics such as Sen. John McCain.

Editor’s Note:  Continuous monitoring is about more than a security paradigm, it’s reflective of broad, structural changes in the economy.

From: Associated Press

Practically human: Can smart machines do your job?

By PAUL WISEMAN, BERNARD CONDON and JONATHAN FAHEY

Art Liscano knows he’s an endangered species in the job market: He’s a meter reader in Fresno, Calif. For 26 years, he’s driven from house to house, checking how much electricity Pacific Gas & Electric customers have used.

From: Mandiant

By John Bradshaw

I recently read a Gartner report, Dealing With Federal Continuous Monitoring Security Requirements, that addresses concerns with the August 2009 Revision 3 update to NIST 800-53. One of the recommendations that caught my attention is to ensure that a proper review of vulnerability assessment and SIEM capabilities is done early. I couldn’t agree more.

Too many times I’ve seen SIEM solutions deluged with event log data that plays no part in correlation activities performed by the SIEM engine. Considering how much SIEM solutions cost, this is a considerable waste of security budget. Organizations need to separate log management from SIEM correlation activities and determine how each component fits best into an overall continuous monitoring program. I believe all three items are separate entities that are closely related.

From: GovInfoSecurity.com

Cultural Shift is a Necessity for Organizations

It will be a few years until many organizations reach a level of maturity with continuous monitoring. Getting there will take organizationwide acceptance, says George Schu of Booz Allen Hamilton.

“They need to adapt to a new way of doing things,” Schu says in an interview with Information Security Media Group [transcript below]. “Implicit in the success of doing this well is a kind of cultural acceptance of the new process, perhaps some organizational change and training.”

From: Cound Tech

With all the talk of fiscal cliffs, financial binds and “next year’s budget,” I started thinking about cloud security in more tangible ways. Specifically returns on investment, economic impact and total costs of ownership.

Just like death and taxes, businesses can add intrusion and attack to the list of sureties. I can hear CFOs all over the world sigh in exasperation as they feel pressured to add another expense line item to minimise the building security threats to their enterprises.

From: Government Technology

By Hilton Collins

According to CNN, security analysts predict that nation-sponsored cyber attacks will become more dangerous this year — some even say the increasinly sophisticated attacks could lead to the loss of human life. If this is in fact true, American governments would be not be immune.

A. N. Ananth, CEO of security firm EventTracker, said he feels that it’s important for the public sector to monitor their networks diligently, but they have to think smart for their efforts to be useful.

From: GCN

By William Jackson

When agencies move IT workloads to the cloud, they often gain flexibility and efficiency, but do the owners of the data know where their data is? They should.

The “cloud,” of course, isn’t any kind of cloud, but servers at many large data centers scattered around the country or the world, as we are reminded whenever a cloud provider loses service. And agencies must ensure that these resources are being maintained in an appropriate and secure environment.

From: Tenable

Please join Tenable’s Ron Gula (L) and Jack Daniel (R) on January 23 at 2PM EST, for a new webcast to learn about how data from continuous monitoring is enabling “Outcome Based” security.

Even with ample investments in security programs, many organizations discover vulnerabilities at too slow of a rate to efficiently manage or react to them or are not able to communicate what needs to be fixed effectively.

Continuous Monitoring is gaining momentum for its ability to bring real-time vulnerability analysis to large organizations including Federal, Commercial, and Academic institutions.