3.2 Monitoring System, Controls and Changes

00:00

Mhm.

00:01

All right, welcome back to the risk management Framework for executive management.

00:05

This is less than 3.2 monitoring the system control and changes.

00:12

So are learning objectives for this video. We're gonna be talking about where the monitoring set fits into arm. F what tasks are associated with the monitoring step

00:21

and what executive leadership can do to support the successful monitoring of systems.

00:28

So we're going to talk about the definition here of the monitoring step from the Nist sp 837.

00:33

The purpose of the monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.

00:47

So, monitoring tasks, we're gonna be talking about system and environment changes, ongoing assessments, ongoing risk response authorization package updates, security and privacy reporting,

01:00

ongoing authorization and finally system disposal.

01:07

So some of your potential inputs for the system or environment changes, uh your organizational continuous monitoring plan,

01:15

your configuration management, policy change requests, approval, system design. You're going to be taking all of these plans um with hoping to create updated plans, updated poems, updated assessment reports so you can take all this information and really updated. Make sure that we understand what system and environment changes are going on.

01:34

So that responsibility is ultimately going to lie with the system owner as well as the senior security and privacy officers with support provided by risk management executives, the A or Disney official and some security or privacy officers depending on if you need technical input.

01:53

So when we're talking about ongoing assessments, we're going to take all of the potential inputs that we had from the other task are common strategy. From our organizational and system level. Our assessment plans are poems. Um and we're gonna hope to pull that together and create an updated security and privacy assessment report.

02:12

So we're gonna pull all that together and update them

02:15

with what's going on in our environment. So the primary responsibility is going to fall on the control assessor

02:23

with support provided by the AO system owner. Information owner or security or privacy officials that may be able to provide uh not only support but technical expertise on their system.

02:37

All right, So who is primarily responsible for documenting system changes?

02:43

So, as we see in our previous steps here, the system owner is really really going to be heavily involved in updating poems, updating any security and privacy plans related to their systems. The system owner has a lot of responsibility when it comes to um

03:00

what's going on in their system and documenting changes.

03:06

So when we're looking at the ongoing risk response task,

03:09

our inputs, we're again we're gonna be taking our security and privacy assessments are Organ System Level Risk assessment results. Any poems? We have outstanding poems and we're going to have the output of mitigation actions, risk acceptance decisions and updated report. So we're going to take all that information to make sure we're updating it

03:30

to make sure that we're responding to risk properly.

03:34

So the primary responsibility that's going to fall on the A. O. The system owner or the common control provider

03:39

with supporting roles provided by risk executives, Security and privacy officers. Engineers, architects. Anyone who understands really um this system architecture.

03:53

So our authorization package updates are potential inputs are going to be security and privacy assessments, organization and system level Risk assessment results are poems. So a lot of those same inputs that we took before um the expected outputs is just to update all that documentation.

04:09

So when we're talking about our authorization package we need updated documentation. We need to make sure we're continuously looking at this

04:15

again with the primary responsibility falling on the system owner as well as the common control provider uh with support provided by information owners. So this is going to be more lower level security privacy officers, People who might be helping with the system again with ultimate responsibility on the system owner.

04:34

So quiz. Why are poems so important to the continuous monitoring? Step

04:40

poems are so important because it helps us to get an idea of what risk we had when we initially authorized the system and then to say, okay, are we able to mitigate those risks as we go along in time? Are we able to fix things as we go along?

04:54

You know, how many poems do we have open? What's our risk? Are we able to lower risk by closing some of those poems? So it's good to have an idea of what your plan of action is and really where your milestones are and if you're hitting those.

05:09

So security and privacy reporting

05:11

some of your potential inputs. Again, you're gonna be looking at your security privacy assessments, your results and your poems. Pulling all that together again to create updated security and privacy posture reports. Uh So we want to understand the posture of our system in our organization when it comes to security and privacy.

05:30

So primary responsibility that's going to fall on the system owner as well as the common control provider. Again, depending on what organization,

05:38

what type of organization you are

05:40

as well as support provided by security and privacy officers.

05:46

So when we're talking about ongoing authorization, you know, this could be uh saying, you know, once a year we're going to re evaluate the system and make sure that we're going to keep that A. T. O. Up to date. Uh So you're going to take everything from the risk tolerance levels, Security posture reports, poems risk assessments

06:05

with the hope that you're gonna get the output of determining that risk that updated risk an ongoing 80 or 80 you the authorization to use or ongoing denial of use. You know, maybe he spent six months and things didn't get fixed the way they were supposed to. Maybe you need another six months before we can get that A. T. O.

06:23

With primary responsibility following on the authorization official as well as support provided by risk management executives, senior security and privacy officers and designated representative might be helping with the ongoing authorization.

06:38

Okay. And finally, system disposal. Uh So potential inputs for this are going to be everything that we did before. Plus a system inventory. We've got to have a really good up to date comprehensive system inventory

06:49

with our output of having a disposal strategy, updated system inventory, hopefully accurate as well as updated security and privacy plans.

07:02

And the primary responsibility again is going to fall in the system owner because they're ultimately going to have to be the one that says yes, this system was sanitized, We're okay with getting rid of it. Uh It follows our disposal strategy. Let's go ahead and move on

07:15

with support provided by the AO security and privacy officers or again your risk management executives.

07:24

So executive review, some of the main takeaways, um

07:28

you can really influence the conman strategy, continuous monitoring strategy at the organizational or executive level. Uh You know, you really have the opportunity to say, you know what I want? My systems re 80 oh every year I want to make sure that every year they've got a new 80 or a continuous 80 oh to say, yep, this system is still as secure as I thought it was a year ago.

07:47

Using a top down approach can really influence how well the step works. You'll be able to say from the top as an executive manager, ceo Ceo, you know, make sure we're adding RMF into this process. We need to make sure that we're continuously monitoring the system and that if things are thrown away, we know that things are thrown away their disposed properly

08:07

um and understanding the possible impacts on the business strategy, so understanding how it affects

08:13

budget strategy, mission, all of those things where we're thinking about the organization

08:18

and then budgeting for potential monitoring tools or a team which we need to perform this step.

08:24

So really having a great team and great tools to help support, to make sure that your environment is constantly secure in securing the way that you think it should be secure.

08:37

All right. So in today's video, we talked about what the monitoring step in RMF means all the tasks that are associated with the monitoring step,

08:46

how a conman or continuous monitoring strategy can improve security in an organization

08:52

and how executive leadership can play a role in the monitoring step.

08:58

So, in this series, you know, we really talked about every step in the RMF. You know, how they all play together to really help create a cohesive risk management strategy. You know, you can really use RMF from the executive level to help secure

09:15

your systems and help to reduce budget and reduce time in your projects just to make sure that you're not adding things at the end.