July 19, 2018

How to Make Continuous Monitoring Part of Your Compliance and Security Strategy

A Call for Continuous Monitoring, Regardless of Business Size

Continuous monitoring isn’t a new concept; it’s been a component of well-developed industry IT organizations for many years. Historically, continuous monitoring was found within ITIL programs, but in recent years, it’s become critical to security, particularly to ensure successful compliance and efficient audits. Whether conducted on a monthly or quarterly basis depending on subject matter, it’s easiest to present reports to an auditor and complete the auditing process with the support of continuous monitoring. Rather than a mad scramble to produce audit-related information, the IT team can have confidence knowing that the information already exists and they’re going to pass the audit. In essence, continuous monitoring has shifted from a Fortune 500/Fortune 100 type of large IT shop environment and into the very intricate details of security in smaller businesses over the past few years.

What is Continuous Monitoring, Anyway, and Why Does it Matter?

You can define continuous monitoring, also known as continuous controls monitoring, CCM, or ConMon, as such: “Continuous monitoring enables management to continually review business processes for adherence to and deviations from their intended levels of performance and effectiveness.”

Continuous monitoring is initially defined by the set of security controls you’re going to operate against. DataBank, for example, has selected the NIST framework to work against, which means we engage a third party who has identified our high level objectives for security controls. Based upon those objectives, we’ve decided which technology assets and processes we need more insight into and established a continuous monitoring procedure as a result. This brings significant value to customers, and by providing these reports, such as access control, for instance, on a monthly basis customers receive a list of all the people who have access to their systems and facilities at DataBank. If desired, customers can easily monitor their systems themselves using automation. Continuous monitoring secures our business more effectively and makes it more efficient in the process.

Managing New Compliance Requirements, Recovering from Failed Audits and Reining in Business Expansion

The primary events that give rise to continuous monitoring are:

  • A new set of compliance requirements
  • A failed audit
  • Expansion into a new market precipitates unfamiliar compliance needs

Typically, events leading up to the inception of continuous monitoring include a new set of compliance requirements due to a new law, unfamiliar compliance territory as a result of business expansion, or a failed audit. Most recently, the European Union enacted the GDPR, and consequently, there’s been a rush across industries to ensure compliance. FedRAMP is also a relatively new, government-wide program that offers a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Cloud service providers who intend to serve federal agencies must obtain an ATO in order to gain FedRAMP authorization.

Failed audits are also a common scenario that can sometimes result in new personnel. Typically, a new IT leader responsible for compliance will seek support from a proven partner who can offer compliance attestations that fit their business needs.

Finally, expanding business into a new market can bring about unfamiliar compliance requirements. For instance, if a company starts selling products online via a shopping cart function, they’ll need to comply with PCI standards. Business growth and transition modes are highly influential components of compliance requirements that can ultimately create the need for a continuous monitoring strategy.

What Does Your Business Have to Gain from ConMon?

Good question—and the answer is more than you may expect. It may sound more like overhead initially, but continuous monitoring is an opportunity to generate value. The benefits of identifying IT assets and processes that require attention is the ability to move the mitigation and remediation procedure into your standard systems development lifecycle. This eliminates the need to be reactive and fix a problem or vulnerability quickly before a breach occurs or an audit comes to pass. Auditors will see that you’ve established a lifecycle that you’re managing, along with any potential vulnerabilities, using a mitigation/remediation type of process, and doing so demonstrates a mature environment.

Benefits of continuous monitoring:

  • Proactive mitigation and risk reduction
    Results can be acted on rapidly, before hackers can make an impact thus preventing a breach. Before auditors discover processes failures, preventing external negative visibility.
  • Enhance revenue
    • Establish metrics for your environment that are repeatable and measurable
    • Cut costs through identification and stopping broken processes, as well as fraud/error detection and prevention
    • Identify points of failure, such as IT equipment, before they fail
    • Automate manual tasks like reconciliations, IA testing procedures, etc.
    • Better monitoring results and fewer surprises
    • Creates an environment that deters attempts by rogue employees
  • Creates a virtuous cycle
    • ConMon creates a cultural expectation for integrity through the cyclical running of checks

Relying on a Partner for Support with Continuous Monitoring

If you’re just getting started on integrating continuous monitoring into your business, particularly for compliance and security purposes, it’s not a journey to embark upon alone if you don’t have the internal resources to do so. Here’s where you’ll want on a reliable, proven partner for support.

Many companies in search of a ConMon partner are enterprises and small to medium businesses who are working toward being able to afford the security processes, people and technologies that a reliable partner will already have in place. If you’re in need of a tool like ConMon, but hiring a team of security engineers is out of reach due to budget limitations, a partner can comparably fill the gap.

At DataBank, for example, we employ seven highly experienced, proven security engineers on staff, directed by a CISO, who manage and monitor customer environments. We use the most effective security tools spread out across customers, which generates the benefits of economies of scale. For instance, a smaller company with 10 servers can leverage the buying power of DataBank against larger tools when we’re investing in 1,500 or 3,000 servers.

If you’re in search of guidance or support for continuous monitoring, DataBank can help guide you in the proper direction. Reach out to us today, or call us at 1.800.840.7533 and speak to a ConMon specialist.