Continuous Monitoring. Proprietary Information of SecureInfo® Corporation © 2011 All Rights Reserved

Upload: dwain-moody

Posted on 23-Dec-2015


TRANSCRIPT

  • Slide 1: Continuous Monitoring. Proprietary Information of SecureInfo® Corporation © 2011 All Rights Reserved
  • Slide 2: Agenda
    - Current State of Continuous Monitoring
    - Continuous Monitoring Defined
    - FedRAMP Status
    - Continuous Monitoring Solutions
    - Top 10 Lessons Learned
  • Slide 3: FISMA Continuous Monitoring Today
    1. Annual systems inventory
    2. Annual testing
    3. C&A every three years
    4. Weaknesses: quarterly
    5. Train once a year (awareness)
  • Slide 4: Continuous Monitoring Tomorrow
    1. Daily awareness training
    2. Inventory improvements
    3. Daily, not annual, testing
    4. C&A technical controls (x 72)
    5. Daily weakness updates
    6. Configuration Management
    7. Incident Reporting
  • Slide 5: Strong Demand for Ideas
    - Continuous Monitoring / RMF Webinar, sponsored and moderated by SecureInfo
    - 400+ attendees from the public and private sector
    - All available seats filled in less than a month
  • Slide 6: Continuous Monitoring Defined (Source: NIST SP 800-137 IPD, Initial Public Draft)
  • Slide 7: Continuous Monitoring Domains
    - All controls are NOT required
    - Define your own frequencies for monitoring controls
    - 800-137 provides guidance on controls by domain
  • Slide 8: Continuous Monitoring Simplified
    - A rules engine correlates data to standards: NIST 800-53, or your own
    - Inputs: assessment data, compliance data, asset data
    - Scoring: if 5 out of 10 requirements are compliant, your score is 50%
    - Drill down into scorecards and reports; "My Tasks" view
  • Slide 9: FedRAMP
    - Federal agencies and outsourced systems
    - FedRAMP risk management: authorization, continuous monitoring, federal security requirements
    - A government-wide initiative to provide joint authorizations and continuous security monitoring services
    - Unified government-wide risk management
    - Agencies would leverage FedRAMP authorizations
    - Source: FedRAMP Executive Briefing
  • Slide 10: Recommendations to FedRAMP
    - Low impact cloud systems (116 controls). Recommended controls to be represented via continuous monitoring:
      1. CM-6 Configuration Settings
      2. CM-8 Information System Component Inventory
      3. RA-5 Vulnerability Scanning
      4. SI-2 Flaw Remediation
      5. SI-3 Malicious Code Protection
    - Moderate impact cloud systems (297 controls). Recommended controls to be represented via continuous monitoring:
      1. AU-2 Auditable Events
      2. CM-6 Configuration Settings
      3. CM-8 Information System Component Inventory
      4. IR-5 Incident Monitoring
      5. IR-6 Incident Reporting
      6. RA-5 Vulnerability Scanning
      7. SI-2 Flaw Remediation
      8. SI-3 Malicious Code Protection
      9. SC-7 Boundary Protection
  • Slide 11: CAESARS (Continuous Asset Evaluation, Situational Awareness, and Risk Scoring) Reference Architecture Report
  • Slide 12: iPost: Remedy, CiscoWorks, HP OpenView, Tavve PreView, Microsoft SMS, Niksun NetOmni, Tenable Security Center, NetIQ AppManager & SecurityManager
  • Slide 13: In the Commercial Sector: Microsoft (Source: Global Foundation Services, "Information Security Management in the Cloud")
  • Slide 14
  • Slide 15: Top 10 Lessons Learned
    1. Identify a pilot group/department that represents a good cross section of your organization
    2. Validate systems of record for your data sources
    3. Verify data accuracy and cleanliness for analysis and reporting purposes
    4. Develop questionnaires that are consumable in less than 15 minutes
    5. Identify common keys for your data source linkages
  • Slide 16: Top 10 Lessons Learned (continued)
    6. Use web services and common data formats as much as possible (reduce batch jobs)
    7. Define your key performance indicators and report metrics that are trackable automatically
    8. Baseline pilot and enterprise deployments and track variances in parallel
    9. Request review from peers at other organizations and form an internal steering committee of key stakeholders
    10. Have a backup plan to generate the data manually should an issue arise with your automated system
  • Slide 17: Questions?
  • Slide 18: Contact Information
    - Yong-Gon Chon, SVP & Chief Technology Officer, SecureInfo Corporation
    - Work: 703-245-9753; Mobile: 703-981-2624; Fax: 703-245-8442
    - www.secureinfo.com
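As an added example (not code from the SecureInfo deck), the slide 8 scoring rule (compliant requirements over total) applied to the slide 10 control sets, with evidence judged against per-control monitoring frequencies in the spirit of slide 7 and a family-level drill-down for the scorecard. The frequencies, asset names, dates and assessment records are constructed for the example; the only values taken from the deck are the control identifiers.

```python
from datetime import date, timedelta
# Control sets recommended for continuous monitoring on slide 10.
CONTROL_SETS = {
    "low": ["CM-6", "CM-8", "RA-5", "SI-2", "SI-3"],
    "moderate": ["AU-2", "CM-6", "CM-8", "IR-5", "IR-6", "RA-5", "SI-2", "SI-3", "SC-7"],
}
# Monitoring frequency per control in days (slide 7: "define your own frequencies");
# these values are constructed for the example, not taken from the deck.
FREQUENCY_DAYS = {"CM-6": 7, "CM-8": 1, "RA-5": 7, "SI-2": 30, "SI-3": 1,
                  "AU-2": 7, "IR-5": 1, "IR-6": 1, "SC-7": 30}

def score(assessments, impact, today):
    """Each assessment is (control, asset, passed, date). A control is compliant only
    if the newest result for every asset passed and is within its monitoring frequency."""
    latest = {}  # (control, asset) -> (passed, date) of the newest assessment
    for control, asset, passed, when in assessments:
        if (control, asset) not in latest or when > latest[(control, asset)][1]:
            latest[(control, asset)] = (passed, when)
    details = {}
    for ctl in CONTROL_SETS[impact]:
        evidence = [v for (c, _asset), v in latest.items() if c == ctl]
        if not evidence:
            details[ctl] = "no evidence"
        elif any(today - when > timedelta(days=FREQUENCY_DAYS[ctl]) for _, when in evidence):
            details[ctl] = "stale"
        elif all(passed for passed, _ in evidence):
            details[ctl] = "compliant"
        else:
            details[ctl] = "non-compliant"
    compliant = sum(1 for s in details.values() if s == "compliant")
    return 100 * compliant / len(details), details  # slide 8: 5 of 10 -> 50%

def by_family(details):
    """Drill-down by control family (CM, SI, ...) for the scorecard view."""
    counts = {}
    for ctl, status in details.items():
        fam = ctl.split("-")[0]
        total, ok = counts.get(fam, (0, 0))
        counts[fam] = (total + 1, ok + (status == "compliant"))
    return {fam: round(100 * ok / total) for fam, (total, ok) in counts.items()}

TODAY = date(2011, 6, 1)  # constructed reference date
SAMPLE = [  # constructed assessment records: (control, asset, passed, date)
    ("CM-6", "web01", True, date(2011, 5, 30)), ("CM-6", "db01", True, date(2011, 5, 29)),
    ("CM-8", "web01", True, date(2011, 6, 1)), ("CM-8", "db01", True, date(2011, 6, 1)),
    ("RA-5", "web01", True, date(2011, 5, 28)), ("RA-5", "db01", False, date(2011, 5, 31)),
    ("SI-2", "web01", True, date(2011, 4, 1)), ("SI-2", "db01", True, date(2011, 5, 20)),
    ("SI-3", "web01", False, date(2011, 5, 20)), ("SI-3", "web01", True, date(2011, 5, 31)),
    ("SI-3", "db01", True, date(2011, 6, 1)),
]
```

With the sample data the Low set scores 60% (RA-5 has an open finding on db01, SI-2 evidence for web01 is older than its 30-day frequency) and the Moderate set 33%, because the four additional controls have no evidence at all, which the scorecard reports separately from a failed check.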