First of all, it is worth explaining what NIST is and why the content it publishes matters. The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce. The Institute develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry. For example, one of NIST’s roles is to develop guidelines on how organizations can align with the Federal Information Security Management Act (FISMA). The FISMA guidelines can be applied to almost any organization in both the public and private sectors, and NIST’s guidance can also help companies align with other compliance regimes such as HIPAA, SOX, ITAR, and more.
NIST provides guidance documents and recommendations through its Special Publications (SP) 800-series. Agencies must comply with NIST guidance, unless they are national security programs and systems.
In this post, we are going to review one of the most important publications in the SP 800-series: SP 800-137 (ISCM). Its full title is Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, and it was first published in September 2011. ISCM can be a great asset to cybersecurity and risk management.
Continuous monitoring is one of the six steps in the Risk Management Framework. An ISCM strategy and program provide ongoing assurance that planned and implemented security controls are aligned with organizational risk tolerance, as well as the information needed to respond to risk in a timely manner should observations indicate that the security controls are inadequate. An enterprise can apply this approach to risk management by assessing the organization, integrating the risk management framework, and establishing a security baseline based on the security control standards.
There are three major areas in ISCM:
- Manual vs. automated logging
- Current technology available
- Control sampling frequency
Publication 800-137 contains 80 pages. The document is organized in three chapters:
- INTRODUCTION
- THE FUNDAMENTALS
- THE PROCESS
This article is a summary of the document as published on the nist.gov website. For more information, please refer to nist.gov.
The first chapter, the introduction, includes the following parts:
- Background: This section gives the background and context for the publication of SP 800-137. For example, it states: “Tools supporting automated monitoring of some aspects of information systems have become an effective means for both data capture and data analysis. Ease of use, accessibility, and broad applicability across products and across vendors help to ensure that monitoring tools can be readily deployed in support of near real-time, risk-based decision making.”
- Relationship to Other Special Publications: This section describes how this publication relates to other publications, especially SP 800-37 and SP 800-39. NIST SP 800-39, Managing Information Security Risk, describes three key organization-wide ISCM activities: monitoring for effectiveness, monitoring for changes to systems and environments of operation, and monitoring for compliance. NIST SP 800-37 describes monitoring security controls at the system level and also includes an organization-wide perspective, integration with the system development life cycle (SDLC), and support for ongoing authorizations.
- Purpose: In this section, the purpose of publishing this document is explained. The purpose of this guideline is to assist organizations in the development of an ISCM strategy and the implementation of an ISCM program.
- Target Audience: This section describes who the document is written for: individuals with mission/business ownership or fiduciary responsibilities; individuals with information system development and integration responsibilities; individuals with information system and/or security management and oversight responsibilities; individuals with information system and security control assessment and monitoring responsibilities; and, finally, individuals with information security implementation and operational responsibilities.
- Organization of This Special Publication: This section outlines chapter 2, chapter 3, the general references, definitions and terms, acronyms, and the descriptions of technologies for enabling ISCM.
The second chapter, “The Fundamentals,” describes the fundamental concepts associated with organization-wide continuous monitoring of information security and the application of ISCM in support of organizational risk management decisions. ISCM helps to provide situational awareness of the security status of the organization’s systems based on information collected from resources (e.g., people, processes, technology, and environment) and the capabilities in place to react as the situation changes.
This chapter consists of four parts:
- Organization-wide View of ISCM: In this section, the different tiers of organization-wide ISCM are introduced: (1) Organization, (2) Mission/Business Processes, and (3) Information Systems. Tier 1 governance, risk management goals, and organizational risk tolerance drive the ISCM strategy. The Tier 2 criteria for continuous monitoring of information security are defined by how core mission/business processes are prioritized with respect to the overall goals and objectives of the organization, the types of information needed to successfully execute the stated mission/business processes, and the organization-wide information security program strategy. Data collection occurs at Tier 3, the information systems tier.
- Ongoing System Authorizations: Initial authorization to operate is based on evidence available at one point in time, but systems and environments of operation change. Ongoing assessment of security control effectiveness supports a system’s security authorization over time in highly dynamic environments of operation with changing threats, vulnerabilities, technologies, and missions/business processes. The process for obtaining system authorization, and more generally, for managing information security and information system-related risk, is the risk management framework.
- Role of Automation in ISCM: The automation of information security deals primarily with automating aspects of security that require little human interaction, such as verifying technical settings on individual network endpoints or ensuring that the software on a machine is up to date with organizational policy. Automated tools are often able to recognize patterns and relationships that may escape the notice of human analysts, especially when the analysis is performed on large volumes of data. Automation makes security-related information readily available in an environment where ongoing monitoring needs change. When determining the extent to which it automates ISCM, an organization considers the potential efficiencies of process standardization that may be gained with automation, and the potential value (or lack of value) of the automated security-related information from a risk management perspective. Finally, it is not possible to fully automate all of an organization’s information security program functions.
- ISCM Roles and Responsibilities: This section describes the roles and responsibilities of key participants involved in an organization’s ISCM program. Roles and responsibilities commonly associated with ISCM include: Head of Agency, Risk Executive, Chief Information Officer, Senior Information Security Officer, Authorizing Official, Information System Owner, Common Control Provider, Information System Security Officer, and Security Control Assessor.
The third chapter, “The Process,” describes the process for developing an ISCM strategy and implementing an ISCM program, including activities at the organization, mission/business process, and information systems tiers. The process is as follows:
- Defining the ISCM strategy: Effective ISCM begins with development of a strategy that addresses ISCM requirements and activities at each organizational tier (organization, mission/business processes, and information systems). Each tier monitors security metrics and assesses security control effectiveness with established monitoring and assessment frequencies and status reports customized to support tier-specific decision making. In this section, there are instructions for each of the three tiers.
- Establishing an ISCM program: Goals of this program include detection of anomalies and changes in the organization’s environments of operation and information systems, visibility into assets, awareness of vulnerabilities, and knowledge of threats, security control effectiveness, and security status including compliance. The program includes these components: (1) determine metrics, (2) establish monitoring and assessment frequencies, and (3) develop the ISCM architecture.
- Implementing an ISCM program: ISCM is implemented in accordance with the strategy. Security-related information (data) is collected, security control assessments are conducted, and the security-related information generated is reported in accordance with organizational policies and procedures. The data collected is assembled for analysis and reported to the organizational officials charged with correlating and analyzing it in ways that are relevant for risk management activities. Discrete security processes inform and are informed by ISCM data. Examples of processes that inform and are informed by ISCM include, but are not limited to, patch management, asset management, license management, configuration management, vulnerability management, and system authorization. The ISCM data output from one process may serve as input to many others.
- Analyzing data and reporting findings: Organizations develop procedures for analyzing and reporting assessment and monitoring results. This includes the specific staff/roles to receive ISCM reports, the content and format of the reports, the frequency of reports, and any tools to be used. Also included are requirements for analyzing and reporting results of controls that are not easily automated. This phase includes three components: (1) analyze data, (2) report on security control assessments, and (3) report on security status monitoring.
- Responding to findings: This process at all tiers may include risk mitigation, risk acceptance, risk avoidance/rejection, or risk sharing/transfer, in accordance with organizational risk tolerance. In this process, security controls that are modified, enhanced, or added as part of the response step of the continuous monitoring process are assessed to ensure that the new or revised controls are effective in their implementations. Response strategies may be implemented over a period of time.
- Reviewing and updating the monitoring program and strategy: These strategies and programs are not static. Security control assessments, security status metrics, and monitoring and assessment frequencies change in accordance with the needs of the organization. The continuous monitoring strategy is reviewed to ensure that it sufficiently supports the organization in operating within acceptable risk tolerance levels, that metrics remain relevant, and that data is current and complete.
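The program components described above (metrics, assessment frequencies, automated data collection at the information systems tier, and per-tier status reporting) as an added Python example; this is not code from the post or from NIST. The control inventory, baseline, endpoint settings and as-of date are constructed sample data, and the control labels are descriptive placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Control:
    control_id: str       # descriptive label (constructed placeholder, not a catalog identifier)
    tier: int             # 1 = organization, 2 = mission/business process, 3 = information system
    frequency_days: int   # assessment frequency set by the ISCM strategy
    last_assessed: date   # date of the last completed assessment

# Constructed control inventory, baseline and endpoint settings (sample data, not from NIST)
CONTROLS = [
    Control("config-settings", 3, 7, date(2024, 5, 1)),
    Control("flaw-remediation", 3, 30, date(2024, 4, 1)),
    Control("risk-assessment", 2, 180, date(2024, 1, 15)),
    Control("awareness-training", 1, 365, date(2023, 6, 1)),
]
BASELINE = {"password_min_length": 14, "auto_update": True, "ssh_root_login": False}
OBSERVED = {
    "host-a": {"password_min_length": 14, "auto_update": True, "ssh_root_login": False},
    "host-b": {"password_min_length": 8, "auto_update": True, "ssh_root_login": True},
}
TODAY = date(2024, 5, 10)  # assumed as-of date for the report

def overdue_controls(controls, today):
    """Metric: controls whose monitoring/assessment frequency has elapsed."""
    return [c.control_id for c in controls
            if today - c.last_assessed > timedelta(days=c.frequency_days)]

def baseline_deviations(baseline, observed):
    """Automated check: endpoint settings that differ from the organizational baseline."""
    result = {}
    for host, settings in observed.items():
        diff = {k: v for k, v in settings.items() if baseline.get(k) != v}
        if diff:
            result[host] = diff
    return result

def status_report(controls, baseline, observed, today):
    """Assemble per-tier security status for the analyze-and-report step."""
    overdue = set(overdue_controls(controls, today))
    report = {}
    for tier in (1, 2, 3):
        ids = [c.control_id for c in controls if c.tier == tier]
        report[tier] = {"controls": len(ids), "overdue": [i for i in ids if i in overdue]}
    # Data collection happens at Tier 3, so the endpoint findings are attached there
    report[3]["noncompliant_hosts"] = sorted(baseline_deviations(baseline, observed))
    return report
```

Calling `status_report(CONTROLS, BASELINE, OBSERVED, TODAY)` flags both Tier 3 controls as overdue for assessment and reports host-b as deviating from the baseline, while the Tier 1 and Tier 2 controls are still within their assessment windows.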