
Aug 21
Continuous Monitoring as a Cost Saver

From: BankInfoSecurity.com

A Replacement for Checklist Compliance?

By Eric Chabrow

Continuous monitoring – continuous diagnostics in the new lingo of the federal government – is getting a lot more attention these days, as it should.

The idea is that the automated scrutiny of computer networks and systems to identify vulnerabilities not only will make them safer, but it could prove to be a money saver as well.

Still, most organizations in the United States and Britain have yet to implement continuous monitoring, according to a new Ponemon Institute survey conducted for the risk management software provider Tripwire.

When asked to rate how well their organizations employ continuous monitoring to assess and prioritize risks, 46 percent of the 749 American and 571 British IT and risk management professionals surveyed say their organizations have partially or fully implemented continuous monitoring (see chart below). Still, that’s a 7-point improvement over the 2012 results. “There’s still a lot of room for improvement in the maturity of risk-based security programs and continuous monitoring of controls,” the report says.

$6 Billion Plan

The U.S. federal government is betting $6 billion that continuous monitoring will make government IT more secure [see $6 Billion DHS IT Security Plan Advances]. A Department of Homeland Security initiative is aimed at helping federal, state and local government agencies purchase discounted wares to safeguard against IT vulnerabilities.

“We assume we’re going to save money; we’re also assuming that we’re going to improve security by standardizing what we’re deploying and measuring,” says Chris Ipsen, Nevada chief security information officer, who’s considering participating in the federal program.

Cost savings is especially important at the federal level, where congressionally imposed sequestration – automatic, across-the-board budget cuts – has caused agencies to scale back spending in all areas.

White House Cybersecurity Coordinator Michael Daniel sees continuous diagnostics as a way to reduce required compliance costs under the Federal Information Security Management Act. Continuous diagnostics, he says, provides a “closer to real-time understanding” of what’s happening in government networks.
