Part 2: Your Guide for Continuous Monitoring and Ongoing Maintenance

In part one, we talked about what a Continuous Monitoring and Ongoing Maintenance Program should entail. Another huge part of the plan is to create a schedule to do the manual tasks required and to put human eyeballs on some of the tasks that may be automated. We’ll talk about that here as well as some problems you may run into and what kind of evidence you should have to show your assessor.

To manage every aspect of your monitoring and maintenance program effectively, schedule the recurring tasks in a way that aligns with your organization’s needs. Tasks to put on that schedule include:

  • Ensuring endpoint log transmission.
  • Reviewing vulnerability scan results.
  • Monitoring external and internal system communications through log reviews.
  • Performing vulnerability scans on systems and applications.
  • Ensuring system flaws are reported within their specified time frame.
  • Reviewing firewall rules.
  • Verifying active user accounts on the account management list and ensuring no unapproved users exist.
  • Checking the content on your website.
  • Validating FIPS encryption is enabled.
  • Reviewing and updating alert and logging settings.
  • Maintaining audit logs of physical access and managing physical access devices according to policy.
  • Performing a self-assessment.
  • Conducting a risk assessment.
  • Reviewing and updating policies and procedures.

Some common problems you may run into, and how to address them:

  1. Lack of Resources: Ensure adequate staffing and budgeting for continuous monitoring.
  2. Inconsistent Practices: Standardize maintenance practices to maintain consistency.
  3. Poor Documentation: Document all maintenance activities thoroughly for auditing purposes.
  4. Failure to Act on Findings: Act promptly on findings from monitoring to mitigate risks.
  5. Overreliance on Automation: Combine automated tools with manual reviews to ensure thorough monitoring. Automation is great, but human oversight is needed for interpreting complex data and making decisions.

To demonstrate compliance through documentation, keep comprehensive, meticulous records. Generating reports summarizing your monitoring and maintenance activities, storing screenshots of completed tasks, and maintaining evidence in a centralized repository will provide evidence of adherence to compliance standards when needed. Remember to keep a record of all training sessions, including details of attendees and topics discussed. Make sure to document the outcomes of audits and the steps taken to address any issues in a Plan of Action and Milestones (POA&M). 

Some of the documentation needed as evidence includes:

  • Policies and procedures.
  • Comprehensive logs of security events, access controls, and system changes.
  • Thorough incident reports for all security incidents, describing the actions taken.
  • Training records of all security training sessions and participants.
  • Documentation of configuration settings and changes.
  • Vulnerability scan results.
  • Other compliance reports generated by monitoring tools.
  • The last self-assessment.

One method assessors may use to determine whether an organization is genuinely engaging in monitoring is to evaluate its proficiency with its own monitoring tools, for example by having the responsible parties perform actions such as running reports or retrieving audit records. Organizations should be able to demonstrate how their monitoring tools would detect a violation of the security controls. Regularly checking for issues and documenting zero results over time can itself serve as evidence of effective monitoring. You just have to prove that you are checking.
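As an added example (not code from the original post), here is one way to turn a scheduled task from the list above, the endpoint log transmission check, into a dated evidence record of the kind an assessor asks for, including an explicit "no findings" entry when everything is healthy. The endpoint names, timestamps, reviewer name and 24-hour silence threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
import json

# Constructed sample data (hypothetical): last log event the SIEM received per endpoint.
LAST_EVENT_UTC = {
    "ws-001": "2024-05-06T08:55:00Z",
    "ws-002": "2024-05-06T07:10:00Z",
    "srv-db01": "2024-05-03T23:40:00Z",   # stopped sending logs days ago
}
INVENTORY = ["ws-001", "ws-002", "srv-db01", "srv-web02"]  # srv-web02 never reported at all
REVIEW_TIME = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)  # constructed review timestamp

def find_silent_endpoints(inventory, last_event, now, max_silence=timedelta(hours=24)):
    """Return (host, detail) pairs for inventory hosts that are missing from the
    log source or whose last event is older than max_silence."""
    silent = []
    for host in inventory:
        ts = last_event.get(host)
        if ts is None:
            silent.append((host, "no log events ever received"))
            continue
        last = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if now - last > max_silence:
            silent.append((host, f"last event {ts}"))
    return silent

def evidence_record(task, reviewer, findings, now):
    """Build a dated evidence entry. A review with zero findings is recorded
    explicitly rather than skipped, so the check itself is provable later."""
    return {
        "task": task,
        "performed_at": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "reviewer": reviewer,
        "result": "no findings" if not findings else f"{len(findings)} finding(s)",
        "findings": [{"host": h, "detail": d} for h, d in findings],
        "follow_up": "none required" if not findings else "open POA&M item or ticket",
    }

if __name__ == "__main__":
    silent = find_silent_endpoints(INVENTORY, LAST_EVENT_UTC, REVIEW_TIME)
    record = evidence_record("Endpoint log transmission check", "j.doe", silent, REVIEW_TIME)
    print(json.dumps(record, indent=2))  # append this to the evidence repository
```

Running the check on a schedule and appending each record, findings or not, to a central repository gives the dated trail of "we checked" that the assessor is looking for.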

Maintaining compliance is not easy, but with a well-structured program it is entirely achievable. Remember, a proactive approach to compliance not only secures your organization but also strengthens your reputation in the defense industry. By implementing these best practices, you can create a robust ongoing monitoring and maintenance program that helps ensure continuous compliance over time. This will bolster your security posture and foster trust with both your partners and your clients.