How Continuous Monitoring Is a Driver of Effective Risk Management
Rising risks, the regulatory ecosystem and compliance costs in the current business environment make this the ideal time to consider what role Continuous Monitoring plays in your enterprise. If you don’t have a Continuous Monitoring program in place, you should consider what it would take to implement and what it would look like to start.
What is Continuous Monitoring?
NIST defines Continuous Monitoring (CM) as the ability to maintain ongoing awareness of information security, vulnerabilities, and threats to facilitate risk-based decision making.
If we analyze this definition, we will realize that CM can be broken down into three functional areas:
- CM involves ongoing assessment and analysis of the effectiveness of all security controls.
- CM provides ongoing reporting on the security posture of information systems.
- CM supports risk management decisions to help maintain organizational risk tolerance at acceptable levels.
The ultimate objective of CM is to determine if the security and privacy controls implemented by an organization continue to be effective over time considering the inevitable changes that occur in the environment in which the organization operates. Continuous monitoring provides an effective mechanism to update security and privacy plans, assessment reports, and plans of action and milestones.
An effective continuous monitoring process includes:
- Configuration management and control processes for organizational systems.
- A risk assessment for actual or proposed changes to systems and environments of operation.
- An assessment of selected controls based on a continuous monitoring strategy.
- A security and privacy posture that reports to appropriate organizational officials.
- Active involvement by authorizing officials in the ongoing management of security and privacy risks.
Why is Continuous Monitoring important?
Continuous monitoring is used as the assessment mechanism that supports configuration management and periodically validates those systems within the information environment are configured as expected. Planning and implementing security configurations and then managing and controlling change does not guarantee that systems remain configured as expected.
In addition, annual assessments, or audits of the effectiveness of established security and privacy controls are not adequate to address the shifting business environment because:
- They capture only a single point in time. This means that in between assessments potentially major security incidents or changes to cybersecurity posture may have happened without our knowledge.
- The quality of these assessments may be reduced should they depend on individuals.
- They can become costly and time-consuming.
These limitations can have a critical impact on businesses and their security and privacy programs. Lags in assessments may hamper critical operations and leave the organization vulnerable to evolving threats that go undetected.
Real-time (or near real-time) risk management cannot be fully achieved without continuous control monitoring using automated tools. Using automated tools, organizations can identify when the system is not in the desired state to meet security and privacy requirements and respond appropriately to maintain the security and privacy posture of the system. Continuous monitoring identifies undiscovered system components, misconfigurations, vulnerabilities, and unauthorized changes, all of which can potentially expose organizations to increased risk if not addressed.
Providing orderly and disciplined updates to the system security and privacy plans on an ongoing basis supports the principle of (near) real-time risk management and facilitates more cost-effective and meaningful reauthorization actions. Ultimately, with the use of automated tools and associated supporting databases, authorizing officials and other senior leaders within the organization should be able to obtain important information to maintain situational awareness regarding the security state of the systems supporting the organization’s mission and business processes.
Considerations to implementing a CM approach
Despite the potential benefits of CM, barriers to adoption do exist in many organizations. These barriers are related to misunderstanding what CM is and how it is implemented. A lack of risk visibility can also become a barrier and may lead to a “nice to have” attitude.
To overcome these barriers, when developing our approach to CM, we needed to answer some fundamental questions:
- Can we satisfy our compliance mandates while still moving forward with a security-centric Continuous Monitoring plan?
- How can we control the scope of work needed to continuously assess the full catalog of security controls?
- How can we drive higher levels of involvement with our executive stakeholders to make risk-based decisions?
- How can we afford to do all of this on our existing budget?
Benefits of Continuous Monitoring
Broadly speaking, CM adds value by means of improved compliance, risk management, and ability to achieve business goals.
Digging into the benefits of CM, we realize the continuous monitoring can enable an enterprise to:
- Increase value through improved security and privacy controls.
- Accelerate reporting to support more rapid decision making and business improvement.
- Detect exceptions in real time to enable real-time responses.
- Reduce — and ultimately minimize — ongoing compliance costs.
- Replace manual preventative controls with automated detective controls.
- Establish a more automated, risk-based control environment with lower costs.
- Heighten competitive advantage and increase value to stakeholders.
However, it should be noted that CM should be viewed as a short-term project, but rather as a commitment to a new, more systematic approach. The value and benefits are real, provided CM is viewed in the context of risk management and implemented with a practical roadmap as your guide.
How the CAP Certification Can Help You to Succeed
Organizations should establish and enforce a continuous monitoring strategy that would determine what controls are to be monitored, when the controls are monitored (e.g., ongoing, or according to a predefined frequency), how changes to existing systems are monitored, how risk assessments are to be conducted, and the security and privacy posture reporting requirements.
This is where a Certified Authorization Professional (CAP) comes in handy. Based on the foundational knowledge acquired through the (ISC)² CBK for the certification, a CAP professional can develop a CM strategy that is aligned and part of an overall organizational continuous monitoring program that addresses requirements across the organization for monitoring mission and business process levels and system performance, effectiveness, and efficacy levels. The CAP professional ensures that the CM strategy is approved and supported by all risk management stakeholders and includes the strategy in the security and privacy plan.
The CAP professional helps ensure that security considerations for individual systems are viewed from an organization-wide perspective regarding the overall strategic goals and objectives of the organization in carrying out its mission and business processes. During the continuous monitoring process, the CAP professional maintains the organization’s overall risk posture based on the aggregated risk from each of the systems deployed across the enterprise. The aggregated risk information is then used to adapt the CM strategy in accordance with the evolving risk and threat landscape.
The CAP certification shows employers you have the advanced technical skills and knowledge to understand Governance, Risk and Compliance (GRC) and can authorize and maintain information systems utilizing various risk management frameworks, as well as best practices, policies and procedures established by the cybersecurity experts at (ISC)².
To learn more about Continuous Monitoring how the (ISC)² CAP certification can help you, download our guide, Mitigating Evolving Risk with the Right Security Framework.