business, security

Enterprise Risk Management Monitoring

February 11, 2013

A key component of the Enterprise Risk Management Program framework is the development and implementation of a Continuous Monitoring Program:

  • The Continuous Monitoring Program model drives efficiencies and is what we consider “Next Generation Certification and Accreditation”
  • Built on and maps to National Institute of Standards and Technology (NIST) and Federal Information Processing Standards (FIPS) specifications, and scales easily to organizational policies and procedures
  • Continuous Monitoring of the operational environment is essential to maintaining a strong security posture
  • Continuous Monitoring is required for a myriad of reasons:
    • Accredited systems require periodic recertification
    • Changes made to approved configurations of production systems
    • Evolving threats and vulnerabilities
    • Periodic reporting requirements to business stakeholders and IT infrastructure owners
    • Release of Application and Operating System Patches
    • Users inevitably fail to follow policies and procedures

The Continuous Monitoring Program brings together:

  • Asset Management/Infrastructure Inventory
  • Certification & Accreditation (recertification of accredited systems)
  • Security Test & Evaluation
  • Plan of Action & Milestone (POA&M) management
  • Vulnerability Scanning
  • Patch Management/Configuration Management
  • FISMA and IT Audit Reporting

A planned approach and prioritized schedule should be developed as part of this process. It is too time consuming and resource intensive to monitor all systems at the same depth and frequency, so use the FIPS 199 system categorization process (the high-water mark of the confidentiality, integrity and availability impact levels) to focus on High and Moderate impact systems first.
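The prioritization step above can be automated from an asset inventory. The following is an added example, not code from the original post or from bestitdocuments.com: it applies the FIPS 199 high-water-mark rule (the system's security category is the highest of its confidentiality, integrity and availability impact values) to a constructed inventory and turns the result into a scan schedule. The system names, their impact values and the scan intervals per category are assumptions chosen for illustration; FIPS 199 itself prescribes no scan cadence.

```python
"""Prioritize a continuous monitoring schedule from FIPS 199 categorization.

Added example; not part of the original post. The inventory below is
constructed sample data and the scan intervals are assumed values.
"""
from dataclasses import dataclass

# FIPS 199 impact levels, ordered so the high-water mark is a max().
LEVELS = {"low": 1, "moderate": 2, "high": 3}
LEVEL_NAMES = {rank: name for name, rank in LEVELS.items()}

# Assumed scan cadence in days for each security category. Pick your own;
# the point is that High and Moderate systems are scanned far more often.
SCAN_INTERVAL_DAYS = {"high": 7, "moderate": 30, "low": 90}


@dataclass(frozen=True)
class SystemRecord:
    """One entry from the asset inventory with its three impact values."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def categorize(system: SystemRecord) -> str:
    """Return the FIPS 199 security category of a system.

    FIPS 199 sets the overall category to the highest impact value across
    the three security objectives (the "high-water mark"), so a system that
    is low for confidentiality and integrity but high for availability is a
    High impact system.
    """
    values = (system.confidentiality, system.integrity, system.availability)
    for value in values:
        if value.lower() not in LEVELS:
            raise ValueError(f"{system.name}: unknown impact level {value!r}")
    return LEVEL_NAMES[max(LEVELS[value.lower()] for value in values)]


def prioritize(systems, include_low: bool = False):
    """Build the monitoring schedule as (name, category, interval_days).

    High impact systems come first, then Moderate; ties are broken by name so
    the schedule is stable between runs. Low impact systems are left out
    unless include_low is set, matching the guidance to focus on High and
    Moderate systems when resources do not allow monitoring everything.
    """
    schedule = []
    for system in systems:
        category = categorize(system)
        if category == "low" and not include_low:
            continue
        schedule.append((system.name, category, SCAN_INTERVAL_DAYS[category]))
    schedule.sort(key=lambda entry: (-LEVELS[entry[1]], entry[0]))
    return schedule


# Constructed sample inventory (assumed names and impact values).
SAMPLE_INVENTORY = [
    SystemRecord("payroll", "moderate", "high", "low"),
    SystemRecord("public-website", "low", "moderate", "moderate"),
    SystemRecord("hr-portal", "moderate", "moderate", "moderate"),
    SystemRecord("dev-wiki", "low", "low", "low"),
]


if __name__ == "__main__":
    for name, category, days in prioritize(SAMPLE_INVENTORY, include_low=True):
        print(f"{name:15s} {category:9s} scan every {days:3d} days")
```

Feeding the real inventory (the Asset Management/Infrastructure Inventory item above) into `prioritize` gives the ordered list that the vulnerability scanning and POA&M review cadence can be built from; systems whose categorization is missing raise rather than silently landing in the Low bucket.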

www.bestitdocuments.com