Description:   

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements. [SP 800-37] provides guidance on continuous monitoring.


Priority: Low


Category: Internal Audit 


Services Associated with AWS: 

  • AWS CloudWatch, AWS Config, AWS CloudTrail, AWS Security Hub
  • AWS Systems Manager, AWS Config, AWS CloudTrail, AWS Security Hub


Objective Evidence:  

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how a Risk Management Program (RMP) is implemented
  • Administrative: supporting documentation to demonstrate control assessments are performed
  • Administrative: supporting documentation of a prioritized risk register 
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing control assessment roles


Possible Technology Considerations:

NA


What needs to be answered:


System security plans describe how the company meets the security requirements but do not provide detailed, technical descriptions of the specific design or implementation. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to company operations and assets, employees, and other organizations, if the plan is implemented as intended. Is the security plan distributed to the relevant company employees, and are those employees notified or given a revised copy when the plan changes? Is the plan periodically reviewed (annually) and modified if needed?

  • Development and Documentation of System Security Plans
    Description: This check ensures that system security plans are developed, documented, and updated periodically. These plans should describe system boundaries, system environments of operation, the implementation of security requirements, and connections with other systems.
  • Detailed Compliance of System Security Plans
    Description: This check verifies that the system security plans provide sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans, ensuring subsequent determinations of risk if the plan is implemented as intended.
  • Effective Use of References in System Security Plans
    Description: This check validates that the system security plans make extensive use of references to policies, procedures, and additional documents for more detailed information, reducing the documentation requirements associated with security programs.
  • Consideration of System Security Plans for Risk Management
    Description: This check confirms that system security plans and plans of action are considered as critical inputs for overall risk management decisions, including the decision to process, store, or transmit CUI on a system hosted by a non-federal organization.
     


More Details:   

A system security plan is in place and is reviewed and updated on a regular basis.