“Continuous Monitoring is doomed to fail if we don’t spend enough to build it right”

At a conference hosted by Government Executive magazine, a senior NIST official explained that enterprise systems need to take security requirements into account when the system is being designed. The official emphasized two key points: 1) good governance, i.e., leadership and management in developing and implementing risk management and mitigation strategies, is essential for security; and 2) security needs to be included in the system's enterprise architecture.

Specific continuous monitoring issues raised at the meeting included how many controls are appropriate and how frequently the controls should be monitored. The issue of control controls was also a prominent discussion topic. A federal official suggested that lean budgets could be beneficial for security, since they force better decision-making.

The NIST official stressed that continuous monitoring is "a great, great tactic, but not a strategy." The official highlighted the role of continuous monitoring in enterprise security by discussing its use to evaluate the effectiveness of security controls and to determine the impact of changes on an organization's security posture. The official further emphasized the importance of "getting our act together and building" continuous monitoring right.
