Business is continuous. Security should be too. The concept of monitoring information system security has long been recognized as sound management practice. Organizations review their information systems’ security controls to ensure that 1) system changes do not compromise security, 2) security plans continue to be effective after a change, and 3) security controls continue to perform as intended.
Continuous monitoring is better than a traditional periodic assessment or “snapshot” audit. By continuously monitoring transactions and controls, your weak, poorly designed, and poorly implemented controls can be corrected or replaced sooner rather than later, before they become a vulnerability threat. The benefits of continuous monitoring are not simply to comply with monitoring mandates. By using a continuous monitoring program, organizations can improve the quality and timeliness of decision-making as network security is aligned to key business objectives and managed holistically.
Continuous monitoring allows organizations to manage IT assets in a proactive manner by identifying risks and gaps in security posture before they become a crisis and by allowing IT professionals to react, repair, and maintain key business operations within the course of normal day-to-day operations.
Overall, organizations gain tighter risk control, better network assurance, an effective security posture, and reduced operations and compliance costs.
In the public sector, OMB and NIST mandates and standards require continuous monitoring. In the commercial sector, Payment Card Industry (PCI) standards, data breach laws, and regulations like Sarbanes-Oxley have requirements for continuous or regular monitoring of security controls. Although details of the mandates and regulations differ, they share common policy requirements pertaining to the need to continuously monitor to ensure that security controls are operating as expected and that boundaries around sensitive network data are secured.Industry and government compliance mandates go a long way toward addressing the issues of maintaining a secure IT infrastructure, as do policies and procedures that serve to guard against security breaches and block access to sensitive data. To be compliant, an organization must undergo an audit to ensure that its IT security controls are in place and functioning properly. Historically, IT audits have been snapshots-in-time don't match the true operational security posture of a network.
This is due, in part, to change is constant in large complex networks. Companies and agencies can fall out of compliance quickly, putting their network and data assets at risk of compromise. A continuous program is needed to monitor transactions and controls ensuring that compliance is effective on an on-going basis.There is an overall need for proactive, comprehensive security practices amongst organizations of all types. Every organization can benefit from monitoring its security controls on an on-going basis, resulting in up-to-date security and compliance status on IT infrastructure and critical assets in the form of real-time reporting that can be used to make immediate, cost-effective decisions that mitigate IT risk in information systems.Depending on the value of the data an organization is trying to protect and the mandates associated with the protection of that data, companies may not be required to implement a continuous monitoring program. However, the savings in expenditures, resources, and continued compliance may outweigh the costs of a once a year audit and the consequences associated with a security breach.