Information Security Continuous Monitoring (ISCM)
Department of Information Resources (DIR)
March 2019
As used in this document, “Deloitte” means Deloitte & Touche LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte & Touche LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
Copyright © 2019 Deloitte Development LLC. All rights reserved. 2
Introduction to Information Security Continuous Monitoring (ISCM)

What?
Maintain ongoing awareness of information security, vulnerabilities, and threats to enable organizational risk management decisions:
• Collect information based on established metrics, utilizing information readily available in part through implemented security controls
• Regular (and as often as needed) data analysis to manage risk as appropriate for each organizational tier

Guiding Principles
National Institute of Standards and Technology (NIST)
• Special Publication (SP) 800-137 (“Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations”)
• Special Publication (SP) 800-37 (“Risk Management Framework”) – core of ISCM
• Interagency Report (IR) 8011 (“Automation Support for Security Control Assessments”)

Benefits
Enables data-driven control of the organization’s cybersecurity posture through:
• Increased visibility into assets and awareness of vulnerabilities
• Improved and matured architectures, operational capabilities, and monitoring processes that accelerate response to threats and incidents
• Alignment to the threat landscape and the organization’s priorities through periodic revision of the ISCM strategy and program
• Prioritization of investments, resources and focus based on risk levels and posture
• Review and improvement of process efficiencies

Texas Regulations
Texas Administrative Code (TAC) 202 and House Bill 4214 (Draft)

Source: National Institute of Standards and Technology
NIST Risk Management Framework – The Core of ISCM

PREPARE
Step 1 CATEGORIZE Information System – Categorize the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss
Step 2 SELECT Security Controls – Select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level
Step 3 IMPLEMENT Security Controls – Enable the controls and describe how the controls are employed within the system and its environment of operation
Step 4 ASSESS Security Controls – Determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes
Step 5 AUTHORIZE Information System – Authorize the system or common controls based on a determination that the risk is acceptable
Step 6 MONITOR Security Controls – Monitor the system and the associated controls on an ongoing basis, and report the security and privacy posture

Source: National Institute of Standards and Technology
Organization-Wide ISCM and Risk Management Approach

TIER 1 – ORGANIZATION (Risk Tolerance / Governance / Policies / Strategy)
• Define the organization’s risk management strategy, including how the organization plans to assess, respond to, and monitor risk, and the oversight required for an effective risk management strategy
• Make risk management decisions in support of governance.

TIER 2 – MISSION/BUSINESS PROCESSES (Collection / Correlation / Analysis / Reporting)
• Prioritization of core mission/business processes with the overall goals and objectives
• Enable successful execution of the stated mission/business processes and the organization-wide information security program strategy.

TIER 3 – INFORMATION SYSTEMS (Collection / Correlation / Analysis / Reporting)
• Ensure system-level security controls are implemented correctly and operate as intended
• Produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time

[Diagram labels between the tiers: Data, Tools]

Source: National Institute of Standards and Technology
Building Blocks for ISCM Program

Foundation – Tools and Sensors, organized by layer: Assets, Identity, Network Security, Data Protection, Risk and Privacy. Tools and sensors shown on the slide: Devices, Network, Cloud, Endpoints, Users & Access, Priv. Users, Incident Response, Perimeter, Event Mgmt, Defense in depth, Ongoing Authorization, Threat Intelligence, Endpoint protection, Vulnerability Scans, Data Loss Prevention, Risk Register, Data disclosure, Config. Mgmt, Software, Data breach, eDiscovery, Anti-Virus & Malware, Patching.

Collection and Integration – Integrated Collection and Aggregation

Agency Level Operational Dashboard and Reporting

Enterprise Level Operational Dashboard and Reporting – Intelligence Sharing with the enterprise and other agencies; Intelligence Sharing with external sources; Legislative Reporting

Risk Scoring & Prioritization

Source: National Institute of Standards and Technology, and Department of Homeland Security
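The flow on this slide (layer sensors, then collection and aggregation, then an agency-level dashboard with risk scoring and prioritization), as an added example that is not from the deck, DIR or Deloitte: constructed feeds for three foundation layers (Assets, Network Security, Identity) are scored, merged and ranked. The sample data, point weights and 30-day SLA are assumptions, not NIST or DIR values.

```python
"""Toy ISCM pipeline: layer sensors -> collection/aggregation -> agency dashboard with
risk scoring and prioritization. Feeds, weights and thresholds are constructed."""
from datetime import date

AS_OF = date(2019, 3, 15)  # constructed reporting date

# Constructed sensor feeds for three foundation layers.
AUTHORIZED_DEVICES = {"srv-01", "srv-02", "wks-10"}                # HWAM inventory baseline
DISCOVERED_DEVICES = {"srv-01", "srv-02", "wks-10", "unknown-7"}   # network discovery sensor
VULN_FINDINGS = [  # vulnerability scan export: (host, severity, first seen)
    ("srv-01", "critical", date(2019, 1, 5)),
    ("srv-02", "high", date(2019, 2, 20)),
    ("wks-10", "low", date(2019, 3, 1)),
]
PRIV_ACCOUNTS = [("admin1", True), ("admin2", False)]  # (privileged account, MFA enabled)
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}  # illustrative weights

def score_assets(authorized, discovered):
    """Assets layer (hardware asset management): devices seen on the network but not in
    the authorized inventory. Each unauthorized device adds 10 points."""
    unauthorized = sorted(discovered - authorized)
    return {"layer": "Assets", "unauthorized_devices": unauthorized, "score": 10 * len(unauthorized)}

def score_vulns(findings, today, sla_days=30):
    """Network Security layer (vulnerability scans): severity-weighted score; a finding open
    longer than the remediation SLA counts double and is flagged as overdue."""
    score, overdue = 0, []
    for host, severity, first_seen in findings:
        weight = SEVERITY_WEIGHT[severity]
        if (today - first_seen).days > sla_days:
            weight *= 2
            overdue.append(host)
        score += weight
    return {"layer": "Network Security", "overdue_hosts": overdue, "score": score}

def score_identity(priv_accounts):
    """Identity layer (privileged users): privileged accounts without MFA, 8 points each."""
    missing = [acct for acct, mfa in priv_accounts if not mfa]
    return {"layer": "Identity", "priv_without_mfa": missing, "score": 8 * len(missing)}

def agency_dashboard(today):
    """Collection and aggregation: merge the layer metrics, then rank layers by score so
    the dashboard shows where remediation effort should go first."""
    layers = [score_assets(AUTHORIZED_DEVICES, DISCOVERED_DEVICES),
              score_vulns(VULN_FINDINGS, today), score_identity(PRIV_ACCOUNTS)]
    layers.sort(key=lambda m: m["score"], reverse=True)
    return {"as_of": today.isoformat(), "total_score": sum(m["score"] for m in layers),
            "priority": [m["layer"] for m in layers], "layers": layers}
```

Calling `agency_dashboard(AS_OF)` ranks Network Security first because the critical finding on srv-01 has been open past the SLA; the same structure extends to the other layers by adding a scorer per sensor feed.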
Typical Roadmap

The slide lays the activities out quarter by quarter across Years 1–4; they are grouped here by stream.

Program foundation and governance
• Establish an ISCM workgroup
• Approve ISCM Technical Architecture
• Identify ISCM Metrics
• Establish strategy and roadmap
• Publish policies (local and enterprise)
• Develop Operational Architecture
• Develop an ISCM Communications Plan
• Identify and Develop Requirements (e.g., required metrics for external reporting, frequency, etc.) to Advance the ISCM Program’s Maturity
• Identify ISCM-specific Dashboard Requirements
• Complete ISCM Policy Updates
• Determine requirements to integrate with enterprise
• Finalize Standard Operating Procedures (SOPs)
• ISCM Skills, Knowledge, and Resources
• Start development of ISCM Training Materials, then complete ISCM training materials
• Implement Strategy to Advance the ISCM Program’s Maturity

Layer integration (each milestone is followed by publishing the ISCM Dashboard at agency level and continuing integration with the enterprise)
• Complete agency integration of assets layer
• Complete agency integration of network security layer
• Complete agency integration of data protection layer
• Complete agency integration of risk and privacy layer
• Start, pilot, then continue agency integration of identity layer
• Start integration with enterprise, then continue integration with enterprise

Ongoing authorizations (authority to operate)
• Prepare to integrate ongoing authorizations
• Operationalize pilot for ongoing authorizations
• Rollout enterprise ongoing authorizations

Later quarters: continue to expand integration.
Expectations of House Bill 4214 (Draft) – Agency Role

(b) Each state agency shall:
(1) Develop and maintain an information security continuous monitoring program that:
  A. Allows the agency to maintain ongoing awareness of the security and vulnerabilities of and threats to the agency's information resources
  B. Provides a clear understanding of organizational risk and helps the agency set priorities and manage the risk consistently
  C. Addresses how the agency conducts ongoing authorizations of information resources technologies and the environments in which those technologies operate, including the agency's use of common controls
  D. Aligns with the continuous monitoring guidance, cybersecurity framework, and risk management framework published in NIST Special Publications 800-137 and 800-53
  E. Addresses critical security controls, including hardware asset management, software asset management, configuration management, and vulnerability management
  F. Requires the integration of cybersecurity products
(2) Establish a strategy and plan to implement a program for the agency
(3) To the extent practicable, establish information security continuous monitoring as an agency-wide solution and deploy enterprise information security continuous monitoring products and services
(4) Submit specified security-related information to the dashboard established under Subsection (c)(3)
(5) Evaluate and upgrade information resources technologies and deploy new products, including agency and component information security continuous monitoring dashboards, as necessary to support information security continuous monitoring and the need to submit security-related information requested by the department
(6) Require that external service providers hosting state information meet state information security requirements for information security continuous monitoring
(7) Ensure the agency has adequate staff with the necessary training to meet the objectives of the program
Expectations of House Bill 4214 (Draft) – DIR Role

(c) The department shall:
(1) oversee the implementation of this section by each state agency
(2) monitor and assist each state agency in implementation of a program and related strategies
(3) establish a statewide dashboard for information security continuous monitoring that provides:
  A. a government-wide view of information security continuous monitoring; and
  B. technical specifications and guidance for state agencies on the requirements for submitting information for purposes of the dashboard.
Fiscal impact considerations

ISCM building blocks with fiscal impact:
• Tools and Sensors
• Collection and Integration
• Agency Level Operational Dashboard and Reporting
• Enterprise Level Operational Dashboard and Reporting

Key components for fiscal impact:
• Log aggregators and SIEM
• Business analytics tools
• Configuration, analysis and monitoring services
• Tools and services not currently available to agencies
Example Dashboard
Please reach out to DIR Security with questions: [email protected]
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.