Quincey Jackson
The BioHuman information system for payroll has seen many changes over the past
month. Routine assessments have taken place to analyze the effectiveness of BioHuman’s
implemented controls. A figure of the tedious assessment process has been added for reference.
The inevitable changes in the system’s physical operating environment, as well as the
technological and administrative changes within the information system, have exposed
vulnerabilities in the implemented access control safeguards. To prevent our information system
from being compromised, continuous monitoring of the implemented security controls must take
place regularly. New malware, new laws, procedures, policies, and evolving internet applications
constantly challenge cyber security professionals to counter the changes with routine
patches and updates to their information systems. BioHuman is no different and will establish a
secure and reliable Risk Management Framework to withstand the high volume of threats that
the system is constantly exposed to, while also ensuring that the implemented controls are
always monitored for effectiveness against the latest threats and risks present.
Change Management
an organization are inevitable. That’s why change management is necessary. According to studies,
there are four core principles of change management: Understanding Change, Planning Change,
questions must be asked: Why does change need to occur? What are the key objectives for
change? How will the changes benefit the organization, and what needs to be done to properly
manage the change? These questions can help an organization adjust to changes. The next
principle is to plan change. Changes should be good for the organization. Authorizing officials
must consider sponsorship of the change, involvement, support with the change and the impact
that the change will have on the organization. The third core principle of change management is
to find strategic ways to implement change and put it in practice. Lastly, communication of
change is important. Individuals need to be made aware of changes so that they can adjust their
tasks accordingly.
These core principles help organizations understand and adjust to the inevitable changes
that will come over the course of an information system’s life cycle. As routine monitoring of
implemented controls occurs, it’s important to remember the core principles of change
management in order to be prepared for the inevitable changes that will come to the controls that are
RMF Tasks
According to NIST SP 800-37 (2018), Task P-7 of the Prepare step in the RMF is a
secure. A table summarizing the expected outcomes of RMF tasks has been added for reference.
Figure 2: Prepare Tasks and Outcomes- Organizational Level (NIST SP 800-37, 2018)
The table shows that task P-7 is used for continuous monitoring of an organization’s controls.
assess and monitor implemented controls. Task P-7 also points out that the ongoing monitoring
of controls using automated tools and supporting databases facilitates near real-time risk
management for information systems and supports ongoing authorization and efficient use of
resources. This means that routinely monitoring the implemented controls is an effective way of
Continuous Monitoring
According to studies, the main objective of continuous monitoring in an effective Risk
information system are still being effective over time, considering all of the evolving threats
(University of San Diego, 2022). Continuous monitoring also maintains the security
authorization to operate the system even with vulnerabilities and threats present (University of
San Diego, 2022). When the routine monitoring discovers controls that have been compromised
or need to be updated, authorizing officials must report these findings in POA&Ms, System
Security Plans and other Assessment Reports included in an authorization package. BioHuman
will use a System Security Plan along with the already established POA&M to add updates and
patches to the physical, technical and administrative vulnerabilities as they are discovered during
the continuous monitoring process. System security plans will also be used. These documents
have detailed descriptions and suggestions for the continuous monitoring of the vulnerable
controls found. These suggestions and recommendations are based on industry standards and
Making Adjustments
The Security Assessment Report found that BioHuman corporate employees were
experiencing issues related to Access Control. The POA&M was created to mitigate the
vulnerabilities found in the tailored Access Controls. Updates will be applied to the AC-1
Policies and Procedures control, while implementing a new AC-3(14) control, which focuses on
Access Enforcement: Individual Access. The first update, to AC-1 (Policies and Procedures),
will ensure that the latest laws, compliance rules and industry standards are always kept up to date
with the most current and effective technologies adopted by the organization. When an
information system experiences any changes to hardware, software or firmware, new versions of
policies and procedures must be published. This is done to ensure all members of an organization
The next update will involve physical changes to the operating environment of the
information system. From the physical aspect, the AC-3(14) Access Enforcement: Individual
Access security control will affect new hires, promoted workers and workers that no longer work
for the company. When a new hire is onboarding, they need keys, equipment and supplies to be
able to successfully complete their work tasks at the operating site. Another important thing to
On the technical side, new employees need access to their accounts and need roles
assigned to them in the information system. On the reverse end, workers that have been
promoted or have been released from duties will need to have their access updated or revoked.
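As an added illustration that is not part of the original paper, the following check applies the AC-3(14) account lifecycle rules just described: it compares a constructed HR roster (the payroll system’s view of who is active and in what role) against a constructed directory export, and flags accounts that should be revoked, role drift after a promotion, and new hires who still lack an account. All employee identifiers, roles and data here are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str      # role HR says the person should hold
    status: str    # "active" or "terminated"

@dataclass(frozen=True)
class Account:
    emp_id: str
    role: str      # role currently granted in the directory
    enabled: bool

# Constructed sample inputs with hypothetical identifiers, not real BioHuman data.
HR_ROSTER = [
    Employee("E100", "payroll_clerk", "active"),
    Employee("E101", "payroll_manager", "active"),    # promoted from clerk
    Employee("E102", "payroll_clerk", "terminated"),  # left the company
    Employee("E103", "payroll_clerk", "active"),      # new hire, not yet provisioned
]
DIRECTORY = [
    Account("E100", "payroll_clerk", True),
    Account("E101", "payroll_clerk", True),   # role not updated after promotion
    Account("E102", "payroll_clerk", True),   # still enabled after termination
    Account("E999", "admin", True),           # no HR record at all (orphan)
]

def reconcile(roster, accounts):
    """Compare the HR roster (truth) with directory state; return findings by category."""
    hr = {e.emp_id: e for e in roster}
    acct = {a.emp_id: a for a in accounts}
    findings = {"revoke": [], "role_drift": [], "provision": []}
    for emp_id, a in acct.items():
        if not a.enabled:
            continue                      # already disabled, nothing to do
        e = hr.get(emp_id)
        if e is None or e.status != "active":
            findings["revoke"].append(emp_id)               # leaver or orphan account
        elif e.role != a.role:
            findings["role_drift"].append((emp_id, a.role, e.role))  # mover not updated
    for emp_id, e in hr.items():
        if e.status == "active" and emp_id not in acct:
            findings["provision"].append(emp_id)            # joiner without an account
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for category, items in reconcile(HR_ROSTER, DIRECTORY).items():
        print(f"{category}: {items}")
```

Each finding maps to a POA&M action: revoke or disable the account, correct the granted role, or provision the joiner.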
Discussion
Without the continuous monitoring of the security controls of the BioHuman information
system, the organization would still have accounts with muddled access rights, cloud accounts
would still be created for people who no longer exist in the organization, and many policies and
procedures would be outdated and at risk of being out of compliance. Continuous monitoring takes
pressure off authorizing officials and creates simpler processes for securing a system once controls have been assessed.
technological changes during their information system life cycle. It’s imperative that every
implemented security control remains tailored to the unique requirements of the payroll system.
This can only be accomplished with routine assessments of implemented controls and the
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems
gov/publications/nistpubs/800-137/SP800-137-Final.pdf
Ross, R., Viscuso, P., Guissanie, G., Dempsey, K., & Riddle, M. (2016). NIST Special
gov/nistpubs/SpecialPublications/NIST.SP.