3.12.3 has a weight of -? points

(Security Assessment Family) 3/4

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.



Example of System Security Plan (SSP):

    System Security Plan: Ongoing Security Controls Monitoring

    1. Policy Statement: The organization implements continuous monitoring of security controls to ensure their ongoing effectiveness. This monitoring fosters constant awareness of threats, vulnerabilities, and information security, enabling risk-based decision-making.
    2. Purpose: Continuous monitoring programs assess security controls and information security risks regularly to support timely risk response actions.
    3. Frequency and Automation: Monitoring is conducted at a frequency that supports risk-based decisions, with automation facilitating more frequent updates to system information.
    4. Timely Risk Management Decisions: Ongoing access to security information through reports or dashboards empowers organizational officials to make effective and timely risk management decisions.
    5. Enhanced Effectiveness: Formatting monitoring outputs to be specific, measurable, actionable, relevant, and timely enhances their effectiveness.
    6. Guidance: Organizations follow [SP 800-137] for guidance on continuous monitoring.

    Example of Plan of Action and Milestones (POA&M):

    Milestone 1: Policy Statement and Purpose

    Develop a comprehensive policy statement that emphasizes the importance of ongoing security controls monitoring. Clearly outline the purpose of continuous monitoring, which is to ensure the ongoing effectiveness of security controls and support timely risk response actions. [Target Date]

    Milestone 2: Frequency and Automation

    Determine the appropriate frequency for conducting continuous monitoring, considering risk-based decisions. Identify areas where automation can be implemented to facilitate more frequent updates to system information and enhance monitoring efficiency. [Target Date]

    Milestone 3: Monitoring Outputs Format

    Develop a standardized format for monitoring outputs that aligns with the specific, measurable, actionable, relevant, and timely (SMART) criteria. Ensure that monitoring reports or dashboards provide clear and concise information to support decision-making. [Target Date]

    Milestone 4: Timely Risk Management Decisions

    Implement continuous monitoring practices that provide ongoing access to security information. Develop reports or dashboards that empower organizational officials to make effective and timely risk management decisions based on real-time or near-real-time data. [Target Date]

    Milestone 5: Integration with Risk Management

    Integrate ongoing security controls monitoring with the organization’s risk management processes. Ensure that monitoring data informs risk assessments and supports the identification and response to emerging threats and vulnerabilities. [Target Date]

    Milestone 6: Guidance Implementation

    Familiarize the organization with the guidance provided in [SP 800-137] for continuous monitoring. Train relevant personnel on the use of the guidance to establish an effective and standardized monitoring process. [Target Date]

    Milestone 7: Monitoring Program Deployment

    Deploy the continuous monitoring program across organizational systems and environments. Collaborate with relevant stakeholders to ensure the program’s successful implementation. [Target Date]

    Milestone 8: Compliance and Performance Assessment

    Conduct regular compliance checks to ensure that continuous monitoring practices align with the policy statement and guidance. Assess the performance and effectiveness of the monitoring program through feedback and stakeholder input. [Target Date]

    Milestone 9: Continuous Improvement

    Encourage continuous improvement by leveraging lessons learned from ongoing monitoring activities. Use feedback and insights to enhance the efficiency and effectiveness of the continuous monitoring process. [Target Date]

    Milestone 10: Reporting and Communication

    Establish a reporting and communication mechanism to share monitoring findings with relevant stakeholders, management, and decision-makers. Ensure that information is communicated in a clear and actionable manner. [Target Date]

    RELEVANT INFORMATION:

    Through continuous monitoring, the organization maintains a proactive security posture, responding promptly to potential threats and vulnerabilities. This approach ensures the sustained effectiveness of security controls and enhances the overall security of organizational systems and data.

    Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements. [SP 800-137] provides guidance on continuous monitoring.


    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.