
Apr 01

What Does Federal IT Risk Mean Right Now?

From: EMC2

Posted by chrishoo in RSA Archer GRC

Gartner just released its IT Risk Management Magic Quadrant results. RSA is at the front, as usual, but when I saw the results I was immediately struck by a question: how closely do Gartner's and the federal community's visions of IT Risk Management align? There has been discussion around redefining these categories, and some have been broken out into new MQs. So, for my federal security professional colleagues, I just wanted to run through Gartner's definition of ITRM and compare it to current federal thinking and initiatives.

[Image: Gartner IT Risk Management Magic Quadrant results]

***

This fits in very well with the current federal emphasis on continuous monitoring (both manual and automated). The federal community is now fairly mature in the FISMA/OMB compliance paradigm and C&A/A&A. Logically, continuous monitoring is one of the areas where automation can help enhance the process. This emphasis can be seen in many new releases in the last year. OMB Memos 14-3 and 15-1 have touched on this topic in the last 18 months. FedRAMP updated its continuous monitoring guidance last summer. The NIST 800-53A Rev4 that just came out is MUCH more granular than previous revisions. This provides more granular reporting, but good luck trying to implement it without some automation.
