Continuous Monitoring

Quincey Jackson

CSOL, University of San Diego

CSOL-530-04-SU22 - Cyber Security Risk Management

August 15, 2022


Risks Are Always Present

The BioHuman information system for payroll has seen many changes over the past month. Routine assessments have taken place to analyze the effectiveness of BioHuman's implemented controls. A figure of the tedious assessment process has been added for reference.

Figure 1: The Risk Assessment Process (NIST SP 800-30, 2012)

The inevitable changes in the system's physical operating environment, as well as the technological and administrative changes within the information system, have exposed vulnerabilities in the implemented access control safeguards. To prevent our information system from being compromised, continuous monitoring of the implemented security controls must take place regularly. New malware, new laws, procedures, policies, and evolving internet applications constantly challenge cyber security professionals to counter the changes with routine patches and updates to their information systems. BioHuman is no different and will establish a secure and reliable Risk Management Framework to withstand the high volume of threats that the system is constantly exposed to, while also ensuring that the implemented controls are always being monitored for effectiveness with regard to the latest threats and risks present.

Change Management

As previously mentioned, changes to the administrative, physical and technical sides of an organization are inevitable. That is why change management is necessary. According to studies, there are four core principles of change management: understanding change, planning change, implementing change and communicating change. To properly understand change, several questions must be asked: Why does change need to occur? What are the key objectives for the change? How will the changes benefit the organization, and what needs to be done to properly manage the change? These questions can help an organization adjust to changes. The next principle is to plan change. Changes should be good for the organization. Authorizing officials must consider sponsorship of the change, involvement, support for the change and the impact that the change will have on the organization. The third core principle of change management is to find strategic ways to implement change and put it into practice. Lastly, communication of change is important. Individuals need to be made aware of changes so that they can adjust their tasks accordingly.

These core principles help organizations understand and adjust to the inevitable changes that will come during an information system's life cycle. As routine monitoring of implemented controls occurs, it is important to remember the core principles of change management in order to be prepared for the inevitable changes that will come to the controls securing the system.

RMF Tasks

According to NIST SP 800-37 (2018), Task P-7 of the Prepare step in the RMF is a continuous monitoring strategy used by organizations to ensure implemented controls remain effective. A table summarizing the expected outcomes of the RMF Prepare tasks has been added for reference.

Figure 2: Prepare Tasks and Outcomes - Organizational Level (NIST SP 800-37, 2018)

The table shows task P-7 as the task used for continuous monitoring of an organization's controls. Research indicates that an effective organization-wide strategy is necessary to continuously assess and monitor implemented controls. Task P-7 also points out that the ongoing monitoring of controls using automated tools and supporting databases facilitates near real-time risk management for information systems and supports ongoing authorization and efficient use of resources. This means that routinely monitoring the implemented controls is an effective way of managing risks without exhausting resources (NIST, 2018).

Continuous Monitoring

According to studies, the main objective of continuous monitoring in an effective Risk Management Framework is to determine whether the implemented security controls protecting the information system are still effective over time, considering all of the evolving threats (University of San Diego, 2022). Continuous monitoring also maintains the security authorization to operate the system even with vulnerabilities and threats present (University of San Diego, 2022). When routine monitoring discovers controls that have been compromised or need to be updated, authorizing officials must report these findings in POA&Ms, System Security Plans and other assessment reports included in the authorization package. BioHuman will use a System Security Plan along with the already established POA&M to track updates and patches to the physical, technical and administrative vulnerabilities as they are discovered during the continuous monitoring process. These documents have detailed descriptions and suggestions for the continuous monitoring of the vulnerable controls found. These suggestions and recommendations are based on industry standards and require an organization to routinely monitor implemented controls.

Making Adjustments

The Security Assessment Report found that BioHuman corporate employees were experiencing issues related to access control. The POA&M was created to mitigate the vulnerabilities found in the tailored access controls. Updates will be applied to the AC-1 (Policies and Procedures) control, while a new AC-3(14) (Access Enforcement - Individual Access) control is implemented. The first update, to AC-1 (Policies and Procedures), will ensure that the latest laws, compliance rules and industry standards are always kept up to date with the most current and effective technologies adopted by the organization. When an information system experiences any changes to hardware, software or firmware, new versions of policies and procedures must be published. This is done to ensure all members of the organization understand the expectations of the organization's mission.

The next update will involve physical changes to the operating environment of the information system. From the physical aspect, the AC-3(14) Access Enforcement - Individual Access security control will affect new hires, promoted workers and workers who no longer work for the company. When a new hire is onboarding, they need keys, equipment and supplies to be able to successfully complete their work tasks at the operating site. Another important thing to consider is environmental security. If keys are lost

On the technical side, new employees need access to their accounts and need roles assigned to them in the information system. On the reverse end, workers who have been promoted or released from duties will need to have their access updated or revoked.
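The technical side of the AC-3(14) update described above (new hires get accounts and roles, promoted workers get updated roles, departed workers get access revoked) is exactly the kind of check that Task P-7 says automated tools can run on an ongoing basis. The following is an added example, not code from the paper or from BioHuman: it reconciles a constructed HR roster against a constructed export of payroll-system accounts and produces POA&M-style findings for orphaned accounts, role drift and unprovisioned new hires. The user ids, roles and dates are made-up sample data, and mapping every finding to AC-3(14) follows the paper's framing of that control; an organization's real POA&M might map some of these to other AC-family controls.

```python
"""Added example (not part of the paper): an automated account-reconciliation
check supporting continuous monitoring of the AC-3(14) control.

All roster and account records below are constructed sample data."""

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    control: str   # control the finding is tracked against (AC-3(14) per the paper)
    kind: str      # ORPHANED_ACCOUNT | ROLE_DRIFT | MISSING_ACCOUNT
    user_id: str
    detail: str


# Constructed HR roster: user_id -> (employment status, current role, separation date)
HR_ROSTER = {
    "u1001": ("active", "payroll_clerk", None),
    "u1002": ("active", "payroll_manager", None),          # promoted last month
    "u1003": ("separated", "payroll_clerk", date(2022, 7, 29)),
    "u1004": ("active", "payroll_clerk", None),            # new hire, not yet provisioned
}

# Constructed payroll-system account export: user_id -> (account enabled?, role in system)
SYSTEM_ACCOUNTS = {
    "u1001": (True, "payroll_clerk"),
    "u1002": (True, "payroll_clerk"),    # role never updated after the promotion
    "u1003": (True, "payroll_clerk"),    # separated employee still enabled
    "u9999": (True, "payroll_admin"),    # account with no HR record at all
}

CONTROL = "AC-3(14)"


def reconcile(roster, accounts):
    """Compare the system's accounts with HR's view and return a list of Findings."""
    findings = []
    # Pass 1: every provisioned account must belong to an active person with the right role.
    for user_id, (enabled, sys_role) in accounts.items():
        hr = roster.get(user_id)
        if hr is None:
            findings.append(Finding(CONTROL, "ORPHANED_ACCOUNT", user_id,
                                    "account has no matching HR record"))
            continue
        status, hr_role, sep_date = hr
        if status == "separated" and enabled:
            findings.append(Finding(CONTROL, "ORPHANED_ACCOUNT", user_id,
                                    f"separated {sep_date.isoformat()} but account still enabled"))
        elif status == "active" and sys_role != hr_role:
            findings.append(Finding(CONTROL, "ROLE_DRIFT", user_id,
                                    f"system role {sys_role!r} differs from HR role {hr_role!r}"))
    # Pass 2: every active person must have an account.
    for user_id, (status, hr_role, _) in roster.items():
        if status == "active" and user_id not in accounts:
            findings.append(Finding(CONTROL, "MISSING_ACCOUNT", user_id,
                                    f"active {hr_role} with no provisioned account"))
    return findings


def poam_entries(findings, discovered, due_days=30):
    """Turn findings into POA&M-style rows: weakness, control, discovery and target dates."""
    return [
        {
            "weakness": f"{f.kind}: {f.user_id} ({f.detail})",
            "control": f.control,
            "discovered": discovered.isoformat(),
            "scheduled_completion": (discovered + timedelta(days=due_days)).isoformat(),
        }
        for f in findings
    ]


if __name__ == "__main__":
    for row in poam_entries(reconcile(HR_ROSTER, SYSTEM_ACCOUNTS), date(2022, 8, 15)):
        print(row)
```

Running the reconciliation on a schedule (after each HR export, or daily) and feeding its rows into the existing POA&M is what turns the one-time assessment finding into continuous monitoring: the check is cheap, repeatable, and surfaces the "confused access" and lingering accounts the Discussion section warns about as soon as they appear.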

Discussion

Without continuous monitoring of the security controls of the BioHuman information system, the organization would still have accounts with confused access, accounts for personnel who no longer exist in the organization would still be provisioned in the cloud, and many policies and procedures would be outdated and at risk of being out of compliance. Continuous monitoring takes pressure off authorizing officials and creates simpler processes for securing a system once controls have been assessed. Organizations will experience countless personnel changes, environmental changes and technological changes during their information system life cycle. It is imperative that every implemented security control remains tailored to the unique requirements of the payroll system. This can only be accomplished with routine assessments of implemented controls and continuous monitoring of the information system.


References

NIST. (2012). NIST Special Publication 800-30 Revision 5. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

NIST. (2020). NIST Special Publication 800-53 Revision 5. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

NIST. (2011). NIST Special Publication 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf

Ross, R., Viscuso, P., Guissanie, G., Dempsey, K., & Riddle, M. (2016). NIST Special Publication 800-171 Rev. 1: Protecting controlled unclassified information in nonfederal systems and organizations. Retrieved from NIST website: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.

University of San Diego. (2022). CSOL 530 - Module 7 Continuous Monitoring.
