3.5 CONTINUOUS MONITORING OF SECURITY CONTROLS
Conducting a thorough point-in-time assessment of the security controls in an organizational information system is a necessary but not sufficient condition for demonstrating security due diligence. An effective information security program also includes an aggressive continuous monitoring program that checks the status of the security controls in its information systems on an ongoing basis. The ultimate objective of continuous monitoring is to determine whether the security controls continue to be effective over time, given the inevitable changes to the system and to the environment in which it operates.

Continuous monitoring, the fourth phase in the security certification and accreditation process, is a proven technique for addressing the security impact of changes to hardware, software, firmware, or the operational environment. A well-designed and well-managed continuous monitoring program transforms an otherwise static security control assessment and risk determination into a dynamic process that delivers near real-time security status information to the organizational officials who need it, so that they can take appropriate risk mitigation actions and make credible, risk-based authorization decisions about the operation of the system. Continuous monitoring also gives organizations an effective tool for producing ongoing updates to system security plans, security assessment reports, and plans of action and milestones (POAMs). An effective continuous monitoring program requires:
- Configuration management and control processes for the information system;
- Security impact analysis of changes to the information system;
- Assessment of selected security controls in the information system; and
- Security status reporting to appropriate agency officials.
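The four elements above map onto a small, mechanical loop. The following is an added example, not code from the page or from NIST: it keeps a hashed configuration baseline (configuration management), classifies each detected change by security impact (impact analysis), re-checks a handful of selected controls against the current snapshot (control assessment), and emits a per-host status record (status reporting). The hosts, settings, impact levels and control labels are all constructed for the example; the SP 800-53-style labels are illustrative, not an authoritative mapping.

```python
import hashlib
import json

# Security-relevant configuration items and the impact level assigned to a
# change in each (constructed for this example; a real program takes these
# from the system security plan). Unlisted settings count as LOW impact.
CHANGE_IMPACT = {
    "sshd.PermitRootLogin": "HIGH",
    "sshd.PasswordAuthentication": "HIGH",
    "firewall.enabled": "HIGH",
    "audit.enabled": "MODERATE",
    "patch_level": "MODERATE",
}
LEVELS = ["LOW", "MODERATE", "HIGH"]

# Selected controls re-assessed every cycle: label -> (setting, required value).
# Labels borrow SP 800-53 family names; the mapping is illustrative.
SELECTED_CONTROLS = {
    "AC-6 no root over SSH": ("sshd.PermitRootLogin", "no"),
    "IA-5 key-based SSH only": ("sshd.PasswordAuthentication", "no"),
    "SC-7 host firewall on": ("firewall.enabled", True),
    "AU-12 auditing on": ("audit.enabled", True),
}


def fingerprint(config):
    """Stable hash of a configuration snapshot (configuration management)."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_config(baseline, current):
    """List (setting, old, new) for every setting that differs from baseline."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            changes.append((key, baseline.get(key), current.get(key)))
    return changes


def impact_of(changes):
    """Security impact analysis: highest impact among the changed settings."""
    worst = "LOW"
    for key, _old, _new in changes:
        level = CHANGE_IMPACT.get(key, "LOW")
        if LEVELS.index(level) > LEVELS.index(worst):
            worst = level
    return worst


def assess_controls(config):
    """Control assessment: which selected controls still hold on this snapshot."""
    return {
        label: config.get(setting) == required
        for label, (setting, required) in SELECTED_CONTROLS.items()
    }


def monitor(host, baseline, current):
    """One monitoring cycle for a host; returns the status report record."""
    changes = diff_config(baseline, current)
    impact = impact_of(changes)
    results = assess_controls(current)
    failed = sorted(label for label, ok in results.items() if not ok)
    # A HIGH-impact change or a failed control is escalated even if the
    # other checks pass; MODERATE drift with all controls intact is logged only.
    action_required = impact == "HIGH" or bool(failed)
    return {
        "host": host,
        "baseline_hash": fingerprint(baseline),
        "current_hash": fingerprint(current),
        "changes": changes,
        "impact": impact,
        "failed_controls": failed,
        "status": "ACTION REQUIRED" if action_required else "OK",
    }


# Constructed sample data: the approved baseline and two later snapshots.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "firewall.enabled": True,
    "audit.enabled": True,
    "patch_level": "2024-05",
    "motd": "authorized use only",
}
SNAPSHOTS = {
    # Someone re-enabled root SSH login and patched: HIGH impact, control fails.
    "web-01": {**BASELINE, "sshd.PermitRootLogin": "yes", "patch_level": "2024-06"},
    # Routine patching only: MODERATE drift, every selected control still holds.
    "db-01": {**BASELINE, "patch_level": "2024-06"},
}


def run_cycle():
    """Run one cycle over every host and return reports keyed by host."""
    return {host: monitor(host, BASELINE, snap) for host, snap in SNAPSHOTS.items()}


if __name__ == "__main__":
    for host, report in run_cycle().items():
        print(f"{host}: {report['status']} (impact {report['impact']}, "
              f"{len(report['changes'])} change(s), failed: {report['failed_controls']})")
```

The point of the hash is that the status report carries evidence of which baseline the assessment was made against, so an updated security assessment report or POAM entry can cite it; the impact table is what turns raw drift into the "security impact analysis" the list asks for, rather than a flat list of changed keys.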
If only there were a company that provided continuous monitoring of security controls, one that could continuously discover, assess, remediate and enforce the health and security of computing devices in real time and at enterprise scale (here)... oh wait, I am the CTO of such a company.