Standards bodies work with industries and provide extensive research into existing and future technology in order to facilitate and ensure reliable commerce.
The Development of Information Security Standards
Organizations such as the National Institute of Standards and Technology (NIST) and the British Standards Institution (BSI) have been the thought leaders in the development of information security standards adopted by governments and organizations worldwide.
Industry and governmental compliance mandates go a long way toward addressing the issues of maintaining a secure IT infrastructure, as well as the policies and procedures needed to guard against security breaches and unauthorized access to sensitive data.
To be compliant, an organization needs to undergo an audit to verify that its IT security controls are functioning appropriately and that the required policies and procedures are in place.
Snapshots of Security Posture
Unfortunately, IT audits are typically “snapshots” that happen infrequently and rarely reflect the true operational security posture of the network. This is due to the tremendous manual effort and associated costs required to:
Analyze the infrastructure, network devices and systems
Review and update the policies and procedures
The more complex the network, the greater the effort incurred. This directly reduces how often a manual audit is performed, which is why, for most companies, it is an annual or bi-annual event.
It is this lack of accurate, traceable data on network device configurations, and on the changes made to them to meet business requirements, that can leave an organization open to attack, even if it passed an audit just a few days earlier. Change is constant in a large, complex network, and if it is not properly tracked and validated it can introduce significant risk.
Need to Prove On-going Effectiveness
It quickly became apparent to the US Government that even agencies that were compliant with mandates such as FISMA quickly fell out of compliance and became more exposed to the risk of having their network and data assets compromised. What was needed was a continuous program to monitor transactions and controls, ensuring that compliance remains effective on an ongoing basis.
As networks grow, the device infrastructure and data systems that make up that environment become more complex and interconnected. New systems are added and older systems repurposed or withdrawn from the network as they reach their end of life. With thousands of network devices providing access across a continent, or in many cases globally, change is constant.
Additional Layer of Oversight
Continuous monitoring offers an additional layer of oversight over the existing security architecture, one that can attest to the effectiveness of internal controls at any point in time rather than only on the audit date. This approach greatly lessens the workload on IT departments when an actual audit approaches, because a historical record of change control and validation is already available to prove ongoing compliance with the required regulations.
Questions every organization needs to ask and answer include “Was I compliant last week?” and “Am I compliant now, six months after the audit?”, with supporting analytics to prove the response. To do this, organizations must invest in automation, as a manual process cannot hope to achieve the level of coverage and frequency required.
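To make the difference between a snapshot audit and continuous monitoring concrete, the following is an added illustration (not code from the original page or from any product it describes) of the minimal record a continuous monitor needs to keep: a timestamped observation of each device configuration, the hash of that configuration so that changes are detectable, and the result of evaluating it against a set of controls. With that history, “Was I compliant last week?” becomes a lookup rather than a new audit. The device name, the router-style configuration lines, the three control rules and the dates are all constructed for the example and are assumptions, not material taken from NIST, BSI or FISMA documents.

```python
"""Continuous configuration-compliance monitor (added illustration).

Everything below (device name, config text, control rules, dates) is
constructed for the example; it is not taken from any real device,
standard or audit.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Each control: (control id, description, predicate over the config text).
# The ids and rule texts are assumptions for the example only.
CONTROLS = [
    ("AC-1", "VTY lines require local login",
     lambda c: "login local" in c),
    ("SC-1", "plaintext remote management disabled",
     lambda c: "transport input ssh" in c and "transport input telnet" not in c),
    ("AU-1", "logging to a central collector enabled",
     lambda c: "logging host " in c),
]

# Constructed baseline config (compliant) and a drifted copy where someone
# re-enabled telnet on the VTY lines to "fix" a management problem.
BASELINE = (
    "hostname edge-rtr-1\n"
    "logging host 10.0.0.5\n"
    "line vty 0 4\n"
    " login local\n"
    " transport input ssh\n"
)
DRIFTED = BASELINE.replace("transport input ssh", "transport input telnet ssh")


@dataclass
class Observation:
    when: datetime
    device: str
    config_hash: str
    failed: list  # control ids that failed at this observation


@dataclass
class Monitor:
    history: list = field(default_factory=list)
    _last_hash: dict = field(default_factory=dict)

    def evaluate(self, config):
        """Return the ids of controls the config fails (empty = compliant)."""
        return [cid for cid, _, check in CONTROLS if not check(config)]

    def observe(self, when, device, config):
        """Record one observation; return whether the config changed."""
        h = hashlib.sha256(config.encode()).hexdigest()
        changed = self._last_hash.get(device) != h
        self._last_hash[device] = h
        self.history.append(Observation(when, device, h, self.evaluate(config)))
        return changed

    def compliant_at(self, device, when):
        """Compliance state as of `when`, from the latest observation at or
        before that time; None if the device was not yet being monitored."""
        prior = [o for o in self.history if o.device == device and o.when <= when]
        return None if not prior else not prior[-1].failed

    def changes(self, device):
        """(timestamp, failed controls) at every point the config hash changed."""
        out, last = [], None
        for o in self.history:
            if o.device == device and o.config_hash != last:
                out.append((o.when, o.failed))
                last = o.config_hash
        return out


def run_example():
    """Daily observations for two weeks; the config drifts on day 10."""
    dev, audit = "edge-rtr-1", datetime(2024, 1, 1)   # constructed audit date
    m = Monitor()
    for day in range(15):
        m.observe(audit + timedelta(days=day), dev, BASELINE if day < 10 else DRIFTED)
    return {
        "at_audit": m.compliant_at(dev, audit),                     # True
        "day_12": m.compliant_at(dev, audit + timedelta(days=12)),  # False
        "before_monitoring": m.compliant_at(dev, audit - timedelta(days=1)),
        "change_log": [((w - audit).days, f) for w, f in m.changes(dev)],
    }


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

The point of the `changes` record is the one the text makes: the snapshot audit on day 0 was accurate, but without the daily observations nobody could say on day 12 that the device had been non-compliant for two days, nor which control (SC-1) the change broke.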