
Mar 22

“Continuous monitoring is a great, great tactic but not a strategy”

Continuous monitoring was the focal point of a discussion by a senior NIST official at a conference hosted by Government Executive magazine. The official emphasized two key points: 1) good governance, i.e., leadership and management involvement in developing and implementing risk management and mitigation strategies, is essential for security; and 2) security needs to be built into the system’s enterprise architecture.

Specific continuous monitoring issues raised at the meeting included how many controls are appropriate and how frequently the controls should be monitored. The issue of control controls was also a prominent discussion topic. The NIST official suggested that lean budgets could be beneficial for security, since they force better decision-making about which controls matter most.

NIST stressed that continuous monitoring is “a great, great tactic, but not a strategy.” The official highlighted its role in enterprise security as a means to evaluate the effectiveness of security controls and to determine the impact of changes on an organization’s security posture. The official further emphasized the importance of “getting our act together and building” continuous monitoring right.

With respect to the issue of compliance, one of the private-sector panel members noted that if compliance is not relevant to your security program, you’re doing it wrong.
