NIST Guide for Monitoring Information Systems Security

Monday, October 17, 2011

A new computer security publication* from the National Institute of Standards and Technology (NIST) will help organizations understand their security posture against threats and vulnerabilities and determine how effectively their security controls are working.

Information Security Continuous Monitoring (ISCM) for Information Systems and Organizations (NIST Special Publication [SP] 800-137) aims to provide guidance for information security monitoring in all types of information systems – a term that encompasses not only computer networks but also a host of other interconnected devices and software.

According to Kelley Dempsey, a researcher in NIST’s Computer Security Division and one of the authors, the publication is geared toward helping an organization ensure that its security measures are performing as desired over time.

“This is a guide for an organization that has already implemented the first five steps of the NIST Risk Management Framework (RMF) and is ready to move on to the last step, which is developing a systematic way of making sure the previous steps are implemented effectively,” says Dempsey.

“Our publication can help an organization monitor the security posture of the organization and its systems on an ongoing basis.”

Dempsey says SP 800-137 is tightly coupled to two other NIST publications, SP 800-37 and SP 800-39, which describe all the steps in the risk management process. Those publications describe risk management and the RMF so that system developers can determine a system’s boundaries, security category and required controls.

Once these steps are complete, SP 800-137 can guide an organization’s efforts to monitor its system’s effectiveness in a customized fashion – something the authors describe as a move from “compliance-driven” to “data-driven” risk management. 

“In the end, you don’t want to just get some generic to-do checklist and follow its orders – you want to get data from the systems within your organization and respond to it in a way appropriate for your own specific needs,” Dempsey says.

“We hope this guide will enable users to do that.” 

Dempsey adds that a major feature of SP 800-137 is a list of criteria to help users determine how frequently to monitor each of the controls in an information system. The list, she says, will help users perceive how often each control is to be checked – a frequency that may be different for each control.
