MBrown posted on June 13, 2011 16:37
To have an accurate understanding of your enterprise's current risk posture, the right security metrics must be identified and collected. The recent release of new FISMA metrics from the Department of Homeland Security (DHS) marked a paradigm shift in tracking and reporting on the security of federal information systems. With more than 13 key areas covered – and a new emphasis on continuous monitoring – the metrics should substantially improve the security of federal systems.
Alan Paller, the director of research for the SANS Institute and a long-time proponent of strengthening FISMA requirements, called the metrics a “huge improvement” that will result in “radically better security” and potentially save agencies millions of dollars. The Obama Administration has identified continuous monitoring as the key to future cyber-security efforts, and for the first time that future seems within reach.
The new metrics require agencies to report on whether – and how often – they are monitoring data feeds including:
- System and application logs
- Patch status
- Vulnerability scans
- Failed logins from privileged accounts
- Dormant accounts
- Passwords that have reached their maximum password age
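Three of these feeds (failed logins from privileged accounts, dormant accounts, and passwords past their maximum age) can be computed directly from an authentication log and an account inventory. The script below is an added example, not code from the original post or from any DHS or agency tooling: it assumes sshd-style syslog lines, a hand-maintained `PRIVILEGED` set, and idle/age thresholds of 90 and 60 days, all of which are assumptions for illustration and would be replaced by the agency's own sources and policy values. The log lines and account records are constructed sample data.

```python
import re
from datetime import date

# Constructed sample auth log (sshd-style syslog lines), not real data.
AUTH_LOG = """\
Jun 13 09:01:12 host1 sshd[2211]: Failed password for root from 10.0.0.5 port 51122 ssh2
Jun 13 09:01:15 host1 sshd[2211]: Failed password for root from 10.0.0.5 port 51124 ssh2
Jun 13 09:02:40 host1 sshd[2230]: Accepted password for alice from 10.0.0.9 port 40001 ssh2
Jun 13 09:05:03 host2 sshd[3102]: Failed password for invalid user admin from 10.0.0.7 port 60010 ssh2
Jun 13 09:07:44 host2 sshd[3110]: Failed password for dbadmin from 10.0.0.7 port 60012 ssh2
Jun 13 09:09:01 host2 sshd[3120]: Failed password for bob from 10.0.0.8 port 60020 ssh2
"""

# Assumption: the agency maintains a list of privileged accounts.
PRIVILEGED = {"root", "dbadmin"}

# Constructed account inventory: last successful login and last password change (ISO dates).
ACCOUNTS = {
    "alice":   {"last_login": "2011-06-13", "password_set": "2011-05-01"},
    "bob":     {"last_login": "2011-02-01", "password_set": "2011-01-15"},
    "dbadmin": {"last_login": "2011-06-10", "password_set": "2011-04-15"},
    "root":    {"last_login": "2011-06-12", "password_set": "2011-04-10"},
    "svc_old": {"last_login": "2010-12-01", "password_set": "2010-12-01"},
}

# Reporting date for the snapshot (assumed).
AS_OF = date(2011, 6, 13)

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def failed_privileged_logins(log_text, privileged):
    """Count failed login attempts per privileged account name."""
    counts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group(1) in privileged:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Accounts with no successful login for more than max_idle_days (threshold assumed)."""
    return sorted(
        name for name, rec in accounts.items()
        if (as_of - date.fromisoformat(rec["last_login"])).days > max_idle_days
    )


def expired_passwords(accounts, as_of, max_age_days=60):
    """Accounts whose password is older than max_age_days (threshold assumed)."""
    return sorted(
        name for name, rec in accounts.items()
        if (as_of - date.fromisoformat(rec["password_set"])).days > max_age_days
    )


def metrics_snapshot(log_text, accounts, privileged, as_of):
    """One point-in-time reading of three of the FISMA data feeds."""
    return {
        "failed_privileged_logins": failed_privileged_logins(log_text, privileged),
        "dormant_accounts": dormant_accounts(accounts, as_of),
        "expired_passwords": expired_passwords(accounts, as_of),
    }


if __name__ == "__main__":
    for feed, value in metrics_snapshot(AUTH_LOG, ACCOUNTS, PRIVILEGED, AS_OF).items():
        print(f"{feed}: {value}")
```

A single run is a snapshot; the continuous-monitoring requirement is met by scheduling this collection (daily or hourly, depending on the feed) and recording each result so that trends and regressions are visible, not just the latest reading. Note that the "invalid user admin" line is deliberately not counted: the name is not in the privileged set, so it belongs in a separate brute-force feed rather than in the privileged-account metric.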
For federal agencies that will now need to report on these metrics, the release will require some introspection. They’ll need to ask:
1. Do we have current automated monitoring to collect these metrics?
2. What tools do we already have, and are they configured properly to cover as many of the reported metrics as possible?
3. What technology can we acquire to ensure we’re being as efficient as possible in the areas that we can’t automate?
Regardless of the answers to these questions, agencies should recognize that while automation is the key to continuous monitoring, no security tool can take the place of a proactive security approach – one that not only looks at where your vulnerabilities are, but that anticipates where they’re going to be.