
Page 1

Mission Critical Global Technology Group (MCGlobalTech)

Information Security Continuous Monitoring Within A Risk Management Framework

Page 2

Why Federal Information Security is Evolving

10 Million cyber attacks daily at the Department of Energy

400%+ increase in cyber attacks since 2006

100 foreign intelligence organizations trying to hack into our military's digital networks

80% of attacks leverage known vulnerabilities & configuration setting weaknesses

Page 3

Why Federal Information Security is Evolving

Security Incidents are increasing. IT Environments are in constant change. Risks need to be continuously assessed.

Page 4

Organization Wide Risk Monitoring

Page 5

Risk Management Framework (ISCM View)

Page 6

Information Security Continuous Monitoring Strategy

Page 7

Information Security Continuous Monitoring Steps

Step 1 – Define Strategy: Effective ISCM begins with the development of a strategy that addresses the ISCM requirements and activities at each organizational tier (Tier 1, Tier 2, Tier 3):

•  Tier 1 – Executives determine the overall organizational risk tolerance and the risk mitigation strategy;

•  Tier 2 – Information generated at Tier 1 (governance, policy, risk tolerance, strategy, etc.) is communicated to staff, business unit owners and process owners so that the ISCM strategy is reflected and implemented in their systems and processes;

•  Tier 3 – ISCM is implemented on the information systems themselves to support risk management and risk tolerance at all three tiers.

Page 8

Information Security Continuous Monitoring Steps

Step 2 – Establish Measures and Metrics:

•  Goals: detect security anomalies and changes in IT operations and information systems, maintain vulnerability awareness, measure control effectiveness and security status, and control ongoing risk to the organization;

Step 3 – Establish Monitoring and Assessment Frequencies:

•  The organization determines the frequency at which each security control is assessed. Data generated with different latencies is combined to create a holistic view of the security posture;

Step 4 – Implement the ISCM Program:

•  Data is collected for the predefined metrics, security control assessments are conducted, and this information is reported and used in accordance with organizational policies and procedures;

Page 9

Information Security Continuous Monitoring Steps

Step 5 – Analyze Data and Report Findings:

•  The organization must develop procedures for analyzing and reporting assessment and monitoring results. This includes the content and format of reports, the frequency of reports, the tools that are used and, most importantly, the requirements for analyzing and reporting the results of control assessments;

•  Organizational officials should review the analyzed reports to determine whether to conduct mitigation activities or to transfer, avoid / reject or accept the risk;

Step 6 – Respond to Findings:

•  Responses to findings at all tiers may include risk mitigation, risk acceptance, risk avoidance or risk sharing, in accordance with the organizational risk tolerance.

Page 10

Information Security Continuous Monitoring Steps

Step 7 – Review and Update Program:

•  Security control assessments, security status metrics and monitoring frequencies change according to the needs of the organization;

•  The ISCM strategy should be reviewed to ensure that it sufficiently supports the organization, that the organization is operating within acceptable risk tolerance levels, that metrics remain relevant, and that data is current and complete.
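As an added example, not code from the MCGlobalTech deck, the following Python module runs one cycle of Steps 2 to 6 over constructed data: a control inventory with an assessment frequency per control (Step 3), an assessment feed in which results arrive with different latencies (Step 4), a coverage metric and a simple likelihood × impact risk score (Step 2, and the risk ranking / scoring method the leadership recommendations ask for), and a per-control response decision checked against an assumed Tier 1 risk tolerance (Steps 5 and 6). The control IDs are NIST SP 800-53 names used only as labels; the frequencies, impacts, tolerance value, dates and assessment results are assumptions.

```python
# Added example (not from the MCGlobalTech deck): one pass of an ISCM metrics
# cycle over constructed data. Control IDs are NIST SP 800-53 names used only as
# labels; frequencies, impacts, the risk tolerance and the dates are assumptions.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Control:
    control_id: str
    tier: int            # 1 = organization, 2 = mission/business process, 3 = information system
    frequency_days: int  # Step 3: how often the organization decided to assess it
    impact: int          # 1 (low) .. 5 (high): consequence if the control fails

@dataclass(frozen=True)
class Assessment:
    control_id: str
    assessed_on: date
    effective: bool      # Step 4: did the control pass its assessment?
    open_findings: int   # Step 4: e.g. hosts or records still failing the control

# Assumed Tier 1 decision: a risk score above this must be mitigated, not accepted.
RISK_TOLERANCE = 8

# Constructed inventory and assessment feed; dates are fixed so the run is repeatable.
TODAY = date(2014, 6, 1)
CONTROLS = [
    Control("RA-5", 3, 7, 5),    # vulnerability scanning, weekly
    Control("CM-6", 3, 30, 2),   # configuration settings, monthly
    Control("CA-7", 2, 90, 3),   # continuous monitoring process, quarterly
    Control("PM-9", 1, 365, 3),  # risk management strategy, yearly
]
ASSESSMENTS = [
    Assessment("RA-5", date(2014, 5, 22), False, 9),
    Assessment("RA-5", date(2014, 5, 29), False, 12),  # newer result supersedes the older one
    Assessment("CM-6", date(2014, 4, 20), True, 1),
    Assessment("PM-9", date(2013, 9, 1), True, 0),
    # CA-7 has never been assessed
]

def latest_assessments(assessments):
    """Keep only the newest result per control (monitoring data arrives with different latencies)."""
    latest = {}
    for a in assessments:
        if a.control_id not in latest or a.assessed_on > latest[a.control_id].assessed_on:
            latest[a.control_id] = a
    return latest

def is_overdue(control, assessment, today):
    """Step 3 check: data older than the agreed frequency no longer supports the security view."""
    return assessment is None or (today - assessment.assessed_on).days > control.frequency_days

def risk_score(control, assessment, today):
    """Assumed likelihood x impact ranking: likelihood 1..5 grows with open findings,
    an ineffective result and stale data; a never-assessed control gets the worst case."""
    if assessment is None:
        likelihood = 5
    else:
        likelihood = 1 + min(assessment.open_findings, 3)
        if not assessment.effective:
            likelihood = max(likelihood, 3)
        if is_overdue(control, assessment, today):
            likelihood += 1
    return min(likelihood, 5) * control.impact

def evaluate(controls, assessments, today):
    """Steps 5-6: analyze the latest data per control and pick a response against the tolerance."""
    latest = latest_assessments(assessments)
    report = []
    for c in controls:
        a = latest.get(c.control_id)
        score = risk_score(c, a, today)
        if a is None:
            decision = "assess"      # no data at all: the gap itself is the finding
        elif score > RISK_TOLERANCE:
            decision = "mitigate"
        elif is_overdue(c, a, today):
            decision = "reassess"    # within tolerance, but on old data: refresh before accepting
        else:
            decision = "accept"
        report.append({"control": c.control_id, "tier": c.tier, "score": score,
                       "overdue": is_overdue(c, a, today), "decision": decision})
    report.sort(key=lambda r: r["score"], reverse=True)  # Step 5 output: risk-ranked findings
    return report

def coverage(report):
    """Step 2 metric: share of controls whose latest assessment is within its frequency."""
    return sum(1 for r in report if not r["overdue"]) / len(report)

if __name__ == "__main__":
    rows = evaluate(CONTROLS, ASSESSMENTS, TODAY)
    for r in rows:
        print(f"{r['control']:5} tier {r['tier']}  score {r['score']:2}  {r['decision']}")
    print(f"assessment coverage: {coverage(rows):.0%}")
```

Two design points worth noting. Staleness feeds the score rather than only a separate "overdue" flag, so a control whose data is older than its agreed frequency ranks higher than the same result would on fresh data, which is the Step 3 point about latency. And a control with no assessment at all is routed to "assess" before any accept/mitigate decision, since accepting risk on a control you have never measured is not a risk decision.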

Page 11

ISCM Recommendations for The Leadership Team

•  Anchor to a specific risk framework or approach (e.g., NIST SP 800-137);

•  Develop risk ranking / scoring methods;

•  Prioritize security projects, actions and investments according to risk rank;

•  Maintain situational awareness of all information systems and functions across the organization;

•  Support a clear view and understanding of threat activities;

•  Continuously re-evaluate security controls, frequencies and the security program;

•  Collect and analyze meaningful information-security-related data;

•  Communicate security status across all tiers of the organization;

•  Organization executives must have an active role in risk management.

Page 12

Executive Summary

•  The combination of preventive and detective monitoring controls is important in building an effective continuous monitoring program;

•  The successful implementation of a continuous monitoring program will require common commitment through leadership support, authorizing official enforcement, and system owner responsibility;

•  A well designed and implemented continuous monitoring program can improve the quality of agency information security programs by providing management with current, meaningful information on the security posture of their IT assets;

Page 13

Contact Information

Mission Critical Global Technology Group

1776 I Street, NW 9th Floor

Washington, District of Columbia 20006

Phone: 571-249-3932

Email: [email protected]

William McBorrough, Managing Principal, [email protected]

Morris Cody, Managing Principal, [email protected]