Welcome back to the DoD Risk Management Framework series. I'm Mike Redman, walking you through, step by step, your successful implementation of the DoD Risk Management Framework. We've made it to the end: Step Six, the Monitor step.

The goal of this section is for you to be able to manage, control and document changes to your information system and its environment; implement the correct fixes and patches when the situation calls for it; select or support the selection of the appropriate assessment roles; state the characteristics of good performance measures; report on, or react to the reporting of, vulnerabilities and mitigations; and know how and when to decommission an information system.
For those of you studying for the (ISC)² CAP exam, review the requirements for continuous monitoring of system controls. This is a vital step in the risk management framework. Within the Monitor step, there are seven core tasks: information system and environment changes, ongoing security control assessment, ongoing remediation actions, key updates, security status reporting, ongoing risk determination and acceptance, and information system removal and decommissioning.
So let's begin by setting some rules for continuous monitoring. First, near real-time risk management. Next, ongoing updates to the security plan, the SAR or security assessment report, and the POA&M. Next, reducing the level of effort needed for reauthorization, remembering that the goal is continuous authorization. And finally, scale it with the information system's impact level.

First, we'll look at information system and environment changes. This is where we identify and document changes and conduct the impact analysis. We identify corrective actions for the information system itself and ensure that all appropriate documentation has been revisited. The primary task owner here is the information system owner and the common control provider.
When we begin the configuration management process, everyone thinks, of course, of tools, of computers, of monitoring. One of the tools available to you is the Security Content Automation Protocol, or SCAP. It's a suite of specifications for organizing and expressing security-related information in a standardized way. You should ensure that all your system administrators and network administrators, ISSOs, and so forth are familiar with and use the SCAP viewer that you can download from iase.disa.mil. The attempt and the desire is to automate as much as possible.

To do this, we have several tools and references to data sources like SCAP, which we just talked about. What can be automated with SCAP, and how it is to be implemented, is going to differ from organization to organization. Remember, SCAP will only be able to look at the system configuration itself. It cannot make a determination on the environment the system lives in. Next, you have National Vulnerability Database data, the NVD, plus security configuration checklists. Some people will call this the secure vendor baseline. Again, these are just tools to help automate as much as possible the continuous monitoring step. Understand that SCAP is there to complement security assessments, to make them faster and more efficient, not to replace them. Automated reporting and monitoring is still a requirement, and many organizations are still trying to figure this part out.
Some use, for instance, eMASS for system status and then, for instance, ACAS and Nessus for vulnerability scanning. Understand, again, these are just simple tools. They're dumb tools. They don't know where the system is. 70% of continuous monitoring is in fact physical. Then we advance to the Open Checklist Interactive Language, OCIL. It's a partially automated monitoring solution for expressing determination statements in a format compatible with SCAP.

So when we talk about continuous monitoring, what are we really saying? We're identifying the organization's overall risk tolerance or appetite. We identify the enterprise architecture itself, the security architecture as well as security configurations, plans for changes to the enterprise architecture, and any available threat information. Remember, it is cyclical: define, establish, implement, respond, and review and update.

Since we're here, we'll talk about the overall role of automation within a continuous monitoring plan. Be sure to give all due consideration to the proper tools, ensuring that they're capable of pulling information from a variety of resources to identify specific specifications and mechanisms within the information system itself. Using open specifications such as SCAP is important, especially for interoperability, and ensure that whatever tool you select can support overall compliance with any applicable federal laws, regulations, standards or
This is especially important when dealing with, for instance, privacy data and health data. And of course, it should go without saying that any continuous monitoring tool should be able to provide reporting with the ability to tailor that output, and you should consider whether or not the tool is capable of data consolidation inside a SIEM tool.
Here's a list of some other sources and technologies that you should be familiar with within continuous monitoring, such as CWE, the Common Weakness Enumeration; CWSS, the Common Weakness Scoring System; CAPEC, the Common Attack Pattern Enumeration and Classification; and MAEC, the Malware Attribute Enumeration and Characterization. These are some outstanding tools and resources that provide valuable input on system vulnerabilities.
Next, we'll deal with ongoing security control assessments, again a core element of ongoing authorization. This simply indicates that each security control should be addressed as a subset of the whole. It should not be done once a year, but on a rotating basis. It should also be done by, or assisted by, independent assessors. We spoke about how to identify independence with your validators. And always keep a history and reuse prior assessment results. It gives you an indication of the overall health over the information system's lifetime: are you getting better or are you getting worse? And as with any other criteria, whatever criteria you assess by must be performance-based and measurable. What we look for in performance measures is quantifiable information based on readily obtainable data, repeatable information useful for tracking overall performance as well as directing resources.

Next, we have our ongoing remediation actions. This is your POA&M. This is maintaining the health status and plan of action and milestones to correct weaknesses as they are identified, not only in the risk assessment but through ongoing control assessment, as they occur over the course of the information system's life cycle. The primary owner of this task, again, is the information system owner and the common control provider.

Next, you have your status reporting. This is the update of the POA&M. New vulnerabilities are identified all the time. Once they are identified, see if they apply to your information system, and if they do, make an entry in the living POA&M. It's not a bad thing to have issues that you need to work through in a plan of action and milestones. It's only bad when you ignore it.

Again, all of this feeds into the utopian goal of ongoing risk determination and acceptance: the goal of not having to do the 36-month fire drill over and over again. If we do an adequate job of continuous monitoring, looking at security controls in a cyclical fashion, we can reach the goal of ongoing authorization. And finally, we have information system removal and decommissioning.
This is a tricky step sometimes, because we really don't like throwing things away. However, reuse is kind of the same as decommissioning. But remember, everything has a life cycle. Everything should be born and then eventually die, making way for newer, better technologies, processes and procedures. One of the key aspects when it comes to system decommissioning is media sanitization. How are you going to do it, remembering that different media require different types of attention? For instance, some data might be on magnetic media versus optical versus electrical. Other media might be hard copies or electronic copies. How are you going to get rid of it? It must be identified, for instance, in the continuous monitoring plan: not only how the machine is going to live, but how the data ultimately is going to be disposed of.

When it comes to disposal, there are five key parts: building and executing a disposal plan, the information preservation steps, media sanitization, hardware and software disposal, and then system closure.

When it comes to sanitization decisions, first you must consider the security categorization: some media and some mediums can be disposed of in some fashions, and others in another. Then look at the cost-benefit analysis. Do you really need to reuse that hard drive, or is it just more cost-effective to destroy it and buy a new one? Are there any environmental factors that you need to take into account? For instance, the type and size of the media storage itself, the confidentiality of the data stored, the time sanitization will take and external issues that might arise, the volume of the media that needs to be accounted for, and the level of training of sanitization personnel. It is sometimes a very specific skill when it comes to getting rid of data. And then, finally, the potential for reuse or recycling. Like I said, sometimes, and most often, hard drives don't need to be recycled. Hard drive space is cheap, so sometimes it's just best to destroy the hard drive and get a new one rather than risk cross-contamination, regardless of the sensitivity of the data. Well, there we have it. We've reached the end
of all six steps. I'm sure you were taking notes as you went, and now you're ready to go out and tackle the risk management framework. Some final parting thoughts for you.

The risk management framework itself can look daunting. It can look like a large mountain to climb. However, when you really get into it, it's not that difficult. Sure, there are lots of moving parts, but once we get the entire security community wrapped around their processes and their pieces, it all actually does move very smoothly. But that requires everyone to do their part. This is no longer just IT's problem. This is the entire organization's issue. I'm sure that you will be successful. However, if you do need help, feel free to reach out.

Good luck. I'll see you next time.
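As an added example, not part of the lecture and not DISA or NIST tooling, the script below shows the kind of glue the lecture's automation points call for: it parses an XCCDF (SCAP) benchmark result, computes a quantifiable, repeatable pass rate over applicable rules, turns each failing or unknown rule into a POA&M entry, and compares two scans of the same target so the assessment history answers "better or worse?". The TestResult XML, the host name, the rule identifiers and the remediation windows in MILESTONE_DAYS are all constructed for the example; only the XCCDF 1.2 namespace and the rule-result/result element structure are real.

```python
"""Summarize a SCAP (XCCDF) scan result and turn failures into POA&M entries.

Added example, not part of the lecture. The TestResult XML below is a
constructed, minimal XCCDF 1.2 result; real SCC/ACAS exports carry far more
elements, but the <rule-result idref=...><result>...</result></rule-result>
structure is the same.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import date, timedelta

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample result (not real scanner output); host and rule ids are made up.
SAMPLE_RESULT = f"""<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_host01"
            start-time="2024-05-01T10:00:00" end-time="2024-05-01T10:04:00">
  <target>host01.example.mil</target>
  <rule-result idref="xccdf_example_rule_ssh_protocol_2" severity="high">
    <result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_password_min_length" severity="medium">
    <result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_auditd_enabled" severity="high">
    <result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_login_banner" severity="low">
    <result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_example_rule_antivirus_present" severity="medium">
    <result>unknown</result></rule-result>
</TestResult>
"""

# XCCDF result values that count toward the score; everything else
# (notapplicable, notchecked, notselected, informational) is excluded.
PASSING = {"pass", "fixed"}
FAILING = {"fail", "error", "unknown"}

# Hypothetical remediation windows by severity, in days: an assumption for the
# example, not a DoD rule. Substitute your organization's POA&M policy.
MILESTONE_DAYS = {"high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_results(xml_text):
    """Return one dict per rule-result: target, rule id, severity, result."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    target = root.findtext("x:target", default="", namespaces=ns)
    rows = []
    for rr in root.findall("x:rule-result", ns):
        rows.append({
            "target": target,
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": rr.findtext("x:result", default="unknown", namespaces=ns),
        })
    return rows


def score(rows):
    """Quantifiable, repeatable status: counts per result plus a pass rate over
    the applicable rules only, so 'notapplicable' does not inflate the number."""
    counts = Counter(r["result"] for r in rows)
    applicable = [r for r in rows if r["result"] in PASSING | FAILING]
    passed = sum(1 for r in applicable if r["result"] in PASSING)
    rate = passed / len(applicable) if applicable else 0.0
    return {"counts": dict(counts), "applicable": len(applicable),
            "passed": passed, "pass_rate": round(rate, 3)}


def poam_entries(rows, scan_date):
    """One POA&M line per failing/unknown rule, highest severity first, with a
    milestone date derived from the hypothetical MILESTONE_DAYS table.
    scan_date is an ISO date string such as '2024-05-01'."""
    scanned = date.fromisoformat(scan_date)
    entries = []
    for r in rows:
        if r["result"] not in FAILING:
            continue
        days = MILESTONE_DAYS.get(r["severity"], MILESTONE_DAYS["medium"])
        entries.append({
            "target": r["target"],
            "weakness": r["rule"],
            "severity": r["severity"],
            "detected_by": "ongoing SCAP assessment",
            "identified": scanned.isoformat(),
            "milestone": (scanned + timedelta(days=days)).isoformat(),
            "status": "open",
        })
    entries.sort(key=lambda e: (SEVERITY_RANK.get(e["severity"], 9), e["weakness"]))
    return entries


def compare(previous_rows, current_rows):
    """Trend between two scans of the same target: rules that regressed and
    rules that were remediated, so the history answers 'better or worse?'."""
    prev = {r["rule"]: r["result"] for r in previous_rows}
    curr = {r["rule"]: r["result"] for r in current_rows}
    regressed = sorted(k for k in curr if curr[k] in FAILING and prev.get(k) in PASSING)
    remediated = sorted(k for k in curr if curr[k] in PASSING and prev.get(k) in FAILING)
    return {"regressed": regressed, "remediated": remediated}


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULT)
    print(score(rows))
    for entry in poam_entries(rows, "2024-05-01"):
        print(entry)
```

Two design points worth carrying into a real pipeline: the pass rate is computed over applicable rules only, because counting "notapplicable" as a pass is the easiest way to report a number that looks good and means nothing; and an "unknown" or "error" result opens a POA&M entry rather than being dropped, since a check the tool could not run is exactly the gap the lecture says the dumb tools will not tell you about.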