QOTD - NIST on Continuous Monitoring

NIST wrote a FAQ to answer many of the questions about Continuous Monitoring and whether it replaces the security authorization process (it does NOT).
Are there any risks associated with continuous monitoring?
Organizations should exercise caution in focusing solely on continuous monitoring at the expense of a holistic, risk‐based security life cycle approach. Without the appropriate planning for security controls (preferably early in the system development life cycle) and the correct implementation of those controls, the value of continuous monitoring is greatly diminished. This is because the near real‐time, ongoing monitoring of weak and/or ineffective security controls resulting from flawed information security requirements can result in a false sense of security.
Src: NIST FAQ
Also see NIST 800-37, Applying the Risk Management Framework to Federal Information Systems (February 2010)