NIST SP 800-137 defines information security continuous monitoring (ISCM) as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
The finalized document recognizes the essential role of automated tools in monitoring federal information systems. NIST explains:
Tools supporting automated monitoring of some aspects of information systems have become an effective means for both data capture and data analysis. Ease of use, accessibility, and broad applicability across products and across vendors help to ensure that monitoring tools can be readily deployed in support of near real-time, risk-based decision making.
The document emphasizes that organizations need metrics for the data they monitor: metrics and monitoring work together to improve an organization's security awareness. As NIST explains:
Through the use of automation, it is possible to monitor a greater number of security metrics with fewer resources, higher frequencies, larger sample sizes, and with greater consistency and reliability than is feasible using manual processes. Organizations regularly review the ISCM strategy to ensure that metrics continue to be relevant, meaningful, actionable, and supportive of risk management decisions made by organizational officials at all tiers.
SP 800-137 is attached below. CRE’s comments on the draft document may be found here.