Meet Pramodh Rai, a technology aficionado and Cyber Sierra’s co-founder, whose zest for innovation is fuelled by a cupboard stacked with zero-sugar Redbull. With a nimble footwork through the tech tulips across Asia Pacific, he’s donned hats at Hmlet (the proptech kind) and Funding Societies | Modalku, building high-performing teams and technologies. A Barclays prodigy with dual degrees from Nanyang Technological University, Pramodh is a treasure trove of wisdom, dad jokes, and everything product/tech. In an attempt to bridge this gap, figure 4 compares example control descriptions against related guidance from an IT security context and the related COBIT 5 goals, and proposes a formal assertion that could be used in a CCM context. In many cases, you can’t actually monitor every resource and environment continuously because doing so would require too many resources.
It’s adapted from the Continuous Monitoring Strategy Guide available from FedRAMP. As shown, you can launch and track the completion of cybersecurity training programs relevant to implementing CCM with our employee Security Awareness module. Once technology flags an issue, humans on the TPRM team can step in to better weigh how serious the issue is and determine the best steps to take to address it. Doing all this the moment a risk arises can vastly reduce the chances of a serious cyberattack, breach, or other catastrophes.
This work ideally should occur with further development of COBIT 5 for Risk and other COBIT guidance from ISACA. Internal control objectives in a business context are categorised against five assertions used in the COSO model [16]: existence/occurrence/validity, completeness, rights and obligations, valuation, and presentation and disclosure. These assertions have been expanded in SAS 106, "Audit Evidence" [17], and, for the purposes of a technology context, can be restated in generic terms, as shown in figure 3. Continuous monitoring is the ongoing detection of risks and problems within IT environments. Continuous monitoring will alert the development and quality assurance teams if particular issues arise in the production environment after the software has been published. It gives feedback on what is going wrong, allowing the appropriate individuals to get to work on fixing the problem as quickly as feasible.
Determine Continuous Control Implementation
While building your control testing system from scratch is an option, it's relatively easy to take advantage of third-party compliance software that comes with CCM out of the box. SOCs constantly collect data from within the organization and correlate it with data collected from a number of external sources that deliver insight into threats and vulnerabilities. These external intelligence sources include news feeds, signature updates, incident reports, threat briefs and vulnerability alerts that help the SOC keep up with evolving cyberthreats. SOC staff must constantly feed in threat intelligence to manage known and existing threats while working to identify emerging risks.
To outsmart them and secure enterprise organizations, security teams must adopt measures that proactively identify and mitigate vulnerabilities and attacks beforehand. To better clarify your organization’s security requirements and select the right product to realize them, you need a way to make sure you’re on the same page with everyone you communicate with. The Shared Assessments Continuous Monitoring Cybersecurity Taxonomy can be a good tool for this. Use it to create a standard in how you talk to third parties about your needs and requirements. And consult it to better evaluate the continuous monitoring products you consider and determine which best meets your needs. Continuous monitoring requires the right mix of security technology and human planning and analysis.
For a field like cybersecurity—one that’s both relatively new and deals with novel threats, technologies, and trends on a regular basis—language can take a while to catch up to reality. To make sure your continuous monitoring strategy addresses your main needs, take time to identify what those are. Consider all the main monitoring surfaces your organization needs to focus on, any regulations you must stay compliant within your industry, and the main vulnerabilities you want to be on guard for. The ultimate purpose of continuous monitoring is not to collect data from throughout the IT infrastructure. With millions of data points collected and centralized each day through log aggregation, information must be examined on a regular basis to see if there are any security, operational, or business issues that require human intervention.
Cyber Security
In addition, you want to identify any gaps in what the product monitors and your organization’s needs. Fortunately, continuous controls monitoring (CCM) can go a long way in helping security assurance professionals become far more productive in their control performance evaluation efforts and increase control testing coverage. Instead, implementing continuous monitoring requires teams to configure the right mix of tools and processes to meet their monitoring goals. Of the 21 control families, eight are covered by the DHS continuous monitoring software offerings.
Some advances could be orchestrated and pose the potential to leap ahead in the area of ISCM by modeling these other areas. Atatus provides a set of performance measurement tools to monitor and improve the performance of your frontend, backend, log and infrastructure applications in real time. The platform can capture millions of performance data points from your applications, allowing you to quickly resolve issues and ensure good digital customer experiences. Continuous monitoring aids IT companies, particularly DevOps teams, in obtaining real-time data from public and hybrid environments. This is especially helpful when it comes to implementing and strengthening security procedures like incident response, threat assessment, computer and database forensics, and root cause analysis.
You can use a variety of tools for this purpose, but you'll want to make sure they are capable of collecting data in real time, as well as collecting all data (instead of sampling). After the data were collected and reviewed, a comparison table was created to show how many control types were used and how many were not. From these data, a high-level estimate was made of how effectively the currently offered automated solution achieves total coverage. This step involves creating continuous security control procedures based on standard or customized cybersecurity policy frameworks.
Continuous Monitoring
To maintain an authorization that meets the FedRAMP requirements, cloud.gov must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering is continuously acceptable. Next, a compliance professional can define a test with pass/fail criteria and a frequency for the test, and set up automated workflows to manage alarms, communicate, investigate, and correct the control weaknesses. In the figure 2 example, the high-profile controls highlighted by the internal audit function have been assessed against data availability and existing monitoring or metrics. Controls highlighted in green are candidates for continuous control monitoring (red indicates a roadblock that may preclude a control from being considered). The priority or suitability of controls for continuous monitoring also needs to consider the relationships among controls. For example, configuration and vulnerability management rely on asset management, which may be deficient and not suitable for inclusion in the scope of assurance.
- Control objectives act as reference points, enabling you to validate the performance of your selected controls in decreasing risks and upholding regulatory compliance.
- Instead, implementing continuous monitoring requires teams to configure the right mix of tools and processes to meet their monitoring goals.
- This work ideally should occur with further development of COBIT 5 for Risk and other COBIT guidance from ISACA.
- Continuous monitoring can also be used by IT companies to track user behaviour, particularly in the minutes and hours after a new application update.
- For one thing, you need to think through how to address each issue your continuous monitoring program helps you identify.
- ISCM has the promise of being the next best thing for cybersecurity and risk management, but there are still some immaturities and challenges that exist in the methodologies and software.
These controls are guidelines, actions, or procedures implemented to mitigate risks and ensure data accuracy. Cloud.gov performs quarterly security policy and account reviews to satisfy various AC, AU and CM controls. During the account review meetings, cloud.gov also reviews its continuous monitoring strategy and identifies areas for improvement.
Compliance operations platforms make it simple to set up automated workflows to manage alarms, communicate, investigate and correct the control weaknesses. Traditionally, continuous monitoring (which is also sometimes called ConMon) has referred to the detection of security- and compliance-related risks in particular. That said, continuous monitoring doesn’t need to be limited strictly to security monitoring. Other types of monitoring — such as infrastructure and application monitoring — can also be continuous if they focus on immediate, ongoing detection of problems. Unfortunately, controls testing tends to become exponentially more time-consuming as a firm scales up and its managers implement more controls to keep up with new regulations and third parties.
Examples of standard cybersecurity policy frameworks to create continuous control procedures from are NIST, ISO, SOC, etc. What implementation options are feasible after analyzing the objectives of your controls through a comprehensive risk assessment? But each phase of the CCM lifecycle above has many steps and, in some cases, substeps. This, in turn, makes their implementation something security teams need to meticulously follow, step-by-step.
Although, as noted above, the concept of continuous monitoring emerged out of the security community rather than the DevOps world, continuous monitoring is an obvious complement to continuous software delivery. Likewise, whereas traditional application and infrastructure monitoring might involve collecting and analyzing metrics at fixed intervals – such as once a minute – continuous monitoring would mean collecting and analyzing data in true real time. Certain controls, such as reauthorizing user access annually, may have to be sampled only twice a year for a particular program if that process occurs only once a year. It would be a waste of resources, computing power and storage to sample that control every minute, day or week. The spectrum for controls most likely ranges from a scale of annually, to every second year. Developing a road map for an organization, or a standard best practices timeline, would save time and energy.
You have to make sure the technology you use, the way you use it, and what you do with the information you gain all set you up for success. Many IT companies are now using big data analytics technologies like artificial intelligence and machine learning to analyse enormous volumes of log data and identify trends, patterns, and outliers that suggest aberrant network activity. Remember that while you can customize solutions to meet your individual needs, developing and maintaining them will take significant financial resources and a devoted team.