Frequently Asked Questions
- What do you know about continuous monitoring of IT security?
- Why is the concept of continuous monitoring important?
- Why is continuous monitoring important today?
- Why has it taken so long for continuous monitoring to take hold?
- What does continuous monitoring mean to your organization?
- How does RedSeal address continuous monitoring?
Continuous monitoring is not a new idea: the National Institute of Standards and Technology (NIST) first defined the concept in May 2004. For almost a decade, leading IT security regulators have been applying this key concept, moving away from sporadic testing of whether the security infrastructure is effective toward continual analysis of whether security systems can still protect critical assets and data.
In today's constantly changing network environments, supporting the business requires organizations to alter security device settings almost continually, and each change can introduce a new point of risk at almost any time.
As a result, it is crucial for organizations to maintain constant visibility into their security posture, so they can verify that a change has not mistakenly opened a back door through which attackers could sneak in and steal protected information, or reach systems that control vital services or functions.
In 2008 and 2009, the U.S. State Department first implemented continuous monitoring for its network security, finding that it could dramatically lower the cost of keeping its systems compliant with the Federal Information Security Management Act (FISMA). The State Department then recommended the process to all other federal agencies, and the White House Office of Management and Budget (OMB) followed suit, leading to its inclusion in FISMA 2.0.
In addition to the clear need for such proactive, comprehensive security practices, federal regulators have set a deadline of Dec. 31, 2012 for all U.S. government agencies to adopt continuous monitoring solutions.
The OMB originally set the deadline a year earlier but revised it to give agencies enough time to comply. Industry analysts, including Gartner, have predicted that, driven by this government activity, private-sector firms will soon be required to implement continuous monitoring processes as well.
Many practitioners say they do not fully understand the requirements for continuous monitoring. A survey completed by RedSeal in Dec. 2011 found that only 28% of government IT security professionals believe they will have the right tools and processes in place to meet the 2012 federally mandated monitoring requirements. In the same survey, only 33% of agencies said they expect to have the required solutions and processes in place by the White House deadline, yet 64% said continuous monitoring will play a key role in strengthening their network defenses.
In general, continuous monitoring is the process of assessing the risk to critical systems and data proactively and on an ongoing basis, rather than relying on thorough but periodic point-in-time assessments. More specifically, in the realm of network security, NIST defines continuous monitoring as testing frequently enough to determine whether the complete set of planned, required, and deployed security controls within an information system, or inherited by the system, continue to be effective over time in light of the inevitable changes that occur.
In practice that means testing on an ongoing basis whether a change has created holes in network protection. A large part of this concerns vulnerabilities: verifying that a change has not re-exposed a previously discovered vulnerability to potential attack, for example a rule change that makes an unpatched host reachable again.
An implicit by-product of this reporting is that it lets security leaders manage many processes better: plugging obvious security holes, eliminating known threats and vulnerabilities, denying unnecessary connections, keeping security policies up to date, and enforcing them more consistently, to name just a few.
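As an added example, not part of the original page and not RedSeal's own code, the following Python performs the kind of automated control test the NIST definition calls for: it diffs two snapshots of a firewall rule set and flags any newly added rule that would open a path the written access policy forbids, including a path to a host that was fenced off because of a known, unpatched vulnerability. The zones, rules and policy entries are constructed sample data, and the checker assumes a flat set of rules evaluated without first-match ordering (real firewalls evaluate in order, so a production check would also have to model shadowing by earlier rules).

```python
"""Flag firewall rule changes that open paths the access policy forbids.

Added example; zones, rules and policy are constructed sample data.
Assumptions: IPv4 only, and rules are treated as a flat set of allow
entries with no first-match ordering.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str             # IPv4 CIDR of the source
    dst: str             # IPv4 CIDR of the destination
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port, None means any port
    action: str          # "allow" or "deny"


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed zones. "internet" is everything outside the 10/8 range this
# sample network uses internally.
ZONES = {
    "internet": list(ipaddress.ip_network("0.0.0.0/0")
                     .address_exclude(ipaddress.ip_network("10.0.0.0/8"))),
    "dmz_web": _nets(["10.1.0.0/24"]),
    "db": _nets(["10.2.0.0/24"]),
    # Host with a known, unpatched flaw that was fenced off pending the fix.
    "quarantined": _nets(["10.1.0.5/32"]),
}

# Policy: traffic that must never be allowed, as (src_zone, dst_zone, proto, port).
FORBIDDEN = [
    ("internet", "db", "any", None),           # internet may never reach the DB tier
    ("internet", "dmz_web", "tcp", 22),        # no SSH to web servers from the internet
    ("internet", "quarantined", "any", None),  # keep the unpatched host unreachable
]


def overlaps(cidr, zone):
    """True if any address in cidr falls inside the named zone."""
    net = ipaddress.ip_network(cidr)
    return any(net.overlaps(z) for z in ZONES[zone])


def proto_matches(rule_proto, pol_proto):
    return "any" in (rule_proto, pol_proto) or rule_proto == pol_proto


def port_matches(rule_port, pol_port):
    return rule_port is None or pol_port is None or rule_port == pol_port


def violations(rule):
    """Return the FORBIDDEN entries that an allow rule would breach."""
    if rule.action != "allow":
        return []
    return [p for p in FORBIDDEN
            if overlaps(rule.src, p[0]) and overlaps(rule.dst, p[1])
            and proto_matches(rule.proto, p[2]) and port_matches(rule.port, p[3])]


def audit_change(baseline, current):
    """Diff two rule snapshots and report added rules that breach policy."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    findings = [(r, v) for r in sorted(added, key=str) for v in violations(r)]
    return {"added": added, "removed": removed, "findings": findings}


# Constructed snapshots: the approved baseline and the rule set after a change.
BASELINE = [
    Rule("0.0.0.0/0", "10.1.0.0/24", "tcp", 443, "allow"),      # public HTTPS
    Rule("10.1.0.0/24", "10.2.0.0/24", "tcp", 5432, "allow"),   # web tier to DB
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),        # default deny
]
CURRENT = BASELINE + [
    Rule("203.0.113.0/24", "10.1.0.5/32", "tcp", 8080, "allow"),  # "temporary" vendor access
    Rule("0.0.0.0/0", "10.1.0.0/24", "tcp", 22, "allow"),        # SSH opened for remote admin
]

if __name__ == "__main__":
    result = audit_change(BASELINE, CURRENT)
    for rule, policy in result["findings"]:
        print(f"NEW EXPOSURE: {rule} violates {policy}")
```

Run against these snapshots, the vendor rule is flagged once (it reaches the quarantined host) and the SSH rule twice (SSH into the web tier, and the quarantined host sits inside that tier). The same check run on every configuration push, rather than once a year at audit time, is what turns a static policy document into a continuously monitored control.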
Only RedSeal's proactive network security management solutions allow government and commercial organizations to automate continuous monitoring as outlined by NIST, advancing beyond device-specific perimeter monitoring to proactive testing of overall network security posture.
With RedSeal, organizations can rapidly and efficiently address NIST's requirement to monitor "effectiveness of information security policies, procedures, and practices" via "automation of management, operational and technical controls."
By providing detailed visibility into the ongoing efficacy of infrastructure controls, RedSeal delivers the security monitoring and risk assessment capabilities required by government auditors to:
- Track the security state of information systems on an ongoing basis and maintain required access authorization
- Support FISMA requirements for assessment of security controls with a frequency depending on their importance in protecting critical assets
- Assess the security impact on information systems resulting from planned and unplanned changes to their hardware, software, firmware, or operational environment