Continuous monitoring uses technology to detect risk and compliance problems in financial and operational environments. It is one of the six steps outlined in the Risk Management Framework. People and systems work together in these environments to manage risk and maintain compliance so that operations run smoothly, and controls are put in place to address the risks found there. A continuous monitoring program will have plenty of flaws and mistakes, but once these are corrected within the organization, it improves the company's risk profile.
Continuous monitoring covers many things, but which of them are primary? The main things to keep an eye on when monitoring your organization are the security controls, which means mainly hardware, software, and firmware. If your hardware and software are not monitored at all times, you risk hacking and malware on your servers, which are expensive to fix or replace. Other things that should be monitored, on a smaller scale, are in the operational environment: the environment itself, the mission, and policy and regulations. These should also be monitored at all times, but they are not nearly as expensive to fix when something goes wrong, so they are not the main priority.
The Federal Information Systems Management Act (FISMA) is a government act that helps organizations protect against risk and compliance failures and manage risk and information systems. FISMA is the centerpiece of continuous monitoring. It brings Information System Management, Risk Management, and Financial Management together through tools such as Risk Based Funding (linking Risk Management and Financial Management), IT Alignment/Planning (linking Financial Management and Information System Management), and IS Architecture (linking Information System Management and Risk Management).
Continuous monitoring involves several key stages. The first stage is to identify the control rule for each control point (that is, "What is the rule for each possible risk?"). Second, establish a test that validates each control rule: a rule on paper is only a plan, and it must be tested before it is relied on during an actual risk event. The third stage is to establish tests that identify problematic transactions. Once these tests exist, the transactions must be tested regularly. After each round of testing, identify the transactions that failed and notify the appropriate individuals within the organization. The last stage, and the one that makes monitoring successful, is to investigate the failed transactions and act to correct them or to control the underlying problem.
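The stages above, as an added example that is not part of the original text: each control point gets a rule, each rule is validated against known-good and known-bad fixtures before it is trusted, every transaction is tested, and failures are grouped per owner for notification (the final stage, investigation and correction, acts on that output). The control points, owner names, and transactions are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class ControlRule:
    """Stage 1: one rule per control point. The fixtures support stage 2."""
    control_point: str
    owner: str                      # who is notified when the rule fails
    check: Callable[[dict], bool]   # True when a transaction passes the rule
    must_pass: List[dict] = field(default_factory=list)
    must_fail: List[dict] = field(default_factory=list)

    def validate(self) -> bool:
        """Stage 2: prove the rule accepts known-good and rejects known-bad input."""
        return (all(self.check(t) for t in self.must_pass)
                and not any(self.check(t) for t in self.must_fail))


# Hypothetical financial control points; the rules and owner names are assumptions.
RULES = [
    ControlRule("segregation_of_duties", "controls-team",
                lambda t: t["created_by"] != t["approved_by"],
                must_pass=[{"created_by": "a", "approved_by": "b"}],
                must_fail=[{"created_by": "a", "approved_by": "a"}]),
    ControlRule("approval_threshold", "finance-lead",
                lambda t: t["amount"] < 10_000 or t["approved_by"] is not None,
                must_pass=[{"amount": 500, "approved_by": None}],
                must_fail=[{"amount": 20_000, "approved_by": None}]),
]


def run_monitoring(rules, transactions) -> Dict[str, List[str]]:
    """Stages 3-5: test every transaction, collect failures, group them by owner."""
    notifications: Dict[str, List[str]] = {}
    for rule in rules:
        if not rule.validate():  # an unvalidated rule only gives false confidence
            raise ValueError(f"rule {rule.control_point} failed self-validation")
        for tx in transactions:
            if not rule.check(tx):
                notifications.setdefault(rule.owner, []).append(
                    f"{tx['id']}:{rule.control_point}")
    return notifications  # stage 6 (investigate and correct) works from this list


# Constructed sample transactions for one monitoring cycle (not real data).
TRANSACTIONS = [
    {"id": "T1", "amount": 500, "created_by": "alice", "approved_by": "bob"},
    {"id": "T2", "amount": 25_000, "created_by": "carol", "approved_by": "carol"},
    {"id": "T3", "amount": 15_000, "created_by": "dave", "approved_by": None},
]
```

Calling `run_monitoring(RULES, TRANSACTIONS)` flags T2 for the controls team (creator approved their own transaction) and T3 for the finance lead (a large amount with no approval), while T1 passes both rules.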
Continuous monitoring is a must in any large corporation. Planning and implementing security configurations and then managing and controlling change do not guarantee that information systems will remain configured as expected, because daily operations change the operating environment. The goal for organizations is to identify when an information system no longer complies with security policy and legal requirements and to take remediation actions as necessary.