
Assessing Information Security Continuous Monitoring Effectiveness
NIST Special Publication 800-137A Now Available
By CHIPS Magazine - May 27, 2020
Federal agencies are directed to implement a program to continuously monitor their organizational information security safeguards. NIST Special Publication (SP) 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, provides guidance on developing an ISCM program — a comprehensive continuous monitoring program that serves as a risk management and decision support tool to be used across each level of an organization.

NIST has now released SP 800-137A, Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment, which describes an approach to developing program assessments that evaluate ISCM programs established in accordance with NIST SP 800-137.

An ISCM program assessment provides organizational leadership with information on the effectiveness and completeness of the organization’s ISCM program, including a review of ISCM strategies, policies, procedures, operations, and the analysis of continuous monitoring data. An ISCM program assessment developed under the guidance in SP 800-137A evaluates the ISCM program itself (i.e., the structure and governance of the ISCM program) rather than the results of the ISCM program or the continuous monitoring technologies used.

Creating, adopting, or using an ISCM program assessment can help reduce the overall risk to organizations by identifying gaps in an ISCM program, in the implementation of an ISCM program, or in the operational use of ISCM results. The ISCM assessment approach can be used as presented or as the starting point for an organization-specific methodology. It includes an ISCM Program Assessment Element Catalog with example evaluation criteria and assessment procedures that can be applied to organizations.

To enhance usability, the ISCM Program Assessment Catalog is provided as a separate MS Excel file. See the publication details for a link to the publication and catalog.

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988