By Mollie Jewell, CISSP

TalaTek began delivering FISMA continuous monitoring risk management services to its clients in 2008. At that time, very few paid much attention to it, and for the most part compliance efforts ended with the signing of the certification document. Customers were not interested in continuous monitoring services beyond that and instead waited for the annual or triennial anniversary to start the process all over again.

That is why, when attending FOSE (Federal Office Systems Expo, July 19-21, 2011), I was impressed by the shift in the industry’s focus. Two things became apparent to me: the recognition of the importance of continuous monitoring, and the emerging recognition that, as significant and important as they are, monitoring the technical controls alone isn’t enough. By expanding beyond the technical controls, this new and helpful change recognizes the need to monitor the entire spectrum of controls and shifts the compliance effort from a checklist/documentation exercise to a risk management process.

In the session, “Continuous Monitoring and Risk Scoring: Progress and Challenges,” co-presented by Mark Crouter, Practice Manager, MITRE Corp. and Steve Elky, Deputy Director, Information Technology Services, Library of Congress, the SANS Top 20 Critical Security Controls were discussed, along with the State Department’s successes in reducing vulnerabilities through an aggressive program of technical monitoring and risk scoring.

Crouter and Elky cited Federal CIO Vivek Kundra’s emphasis on continuous monitoring: “the backbone of true security … Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way.” While acknowledging the advances in the automation of continuous monitoring, they noted that the need for human expertise still remains. They also discussed how these tools lead to an emphasis on technical controls, because those controls can more easily be automated.

In his remarks at the conference keynote lunch, Dr. Ron Ross, NIST, picked up the theme in his discussion of the modernization of the NIST 800-53 catalog of controls. He showed how WikiLeaks highlighted the importance of non-technical controls (such as physical and personnel controls) that are not so easily adapted to automation.

The conference validated TalaTek’s approach – providing organizations with compliance solutions that combine continuous monitoring of technical controls with management and operational control monitoring to present a more complete picture of risk. TalaTek customers count on us for unparalleled IT Security & Risk Management services to meet their audit and security requirements based on their business needs.