Have you ever brought your car in for service, only to have the problem mysteriously vanish just as the mechanic starts the diagnostic test? Many people have experienced this, and many compliance pros understand this situation all too well. The techniques available to them to observe the internal control environment and their compliance posture relative to those controls are largely observations only relevant at very specific points in time.
For example, the typical audit usually reflects only a specific period of time. If the environment changes afterwards, there is a good chance no one is the wiser. The same is true of technical assessments, self-assessment questionnaires, risk assessments and numerous other observation techniques compliance professionals rely on. This can lead to gaps in understanding that, in the wrong set of circumstances, have negative information security and compliance ramifications.
These factors have fueled a migration to continuous monitoring of transactions and internal controls. Continuous auditing and continuous controls monitoring approaches have, for those businesses that can afford them, seen quite a bit of traction in recent years. But for smaller, leaner or more budget-strapped compliance teams and organizations, these strategies often remain a pipe dream. They might see the value in and understand the importance of continuous controls, but can't realistically consider them due to budgets restraints.
These dynamics could be changing, however. While not specifically tailored to compliance use, developments in information security continuous monitoring have potential benefits for compliance teams. These developments are a byproduct of continuous monitoring tools deployed for information security purposes.
What is continuous monitoring and how can compliance benefit?
It's important to note a few things about terminology. There are differences between how different communities define continuous monitoring and how the term is used relative to information security.
While not specifically tailored to compliance use, developments in information security continuous monitoring have potential benefits for compliance teams.
In ISACA's Monitoring Internal Control Systems and IT, continuous monitoring is defined as "… an IT process or a series of IT processes that operate as an integrated part of a business process for the purpose of detecting control failures on or near a real-time basis."
This is the definition that we're probably most interested in from a compliance point of view. To remain compliant, it's important to know which required controls are not performing, which are underperforming, and which might have operational issues that limit utility.
By contrast, the National Institute of Standards and Technology's (NIST) SP800-137 -- Information Security Continuous Monitoring for Federal Information Systems and Organizations -- and the NIST Risk Management Framework define information security continuous monitoring as, "… maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions." Note the slight difference in focus: the detection of control failures versus awareness of vulnerabilities and threats.
Astute practitioners will point out that these two things are inexorably linked, but it's important to be aware of this difference. Not all information about threats or vulnerabilities is germane to understanding compliance control failures (and vice versa). If we intend to leverage work done during information security continuous monitoring, we need to be cognizant that only a subset of that information will tie directly back to our compliance controls. The key, of course, is to identify synergies, and this data derived from continuous monitoring efforts can directly inform compliance programs.
Integrating continuous monitoring efforts
The key to using data derived from information security continuous monitoring to ensure internal compliance controls is twofold. You need to determine which data ties back to the controls and ensure a communication pathway to that data. To do this, you'll first need to understand your own compliance control environment well enough to know what you want information about. You'll also need to have a partnership with the teams actually setting up the continuous monitoring program.
The NIST document described several key phases as part of the implementation of information security continuous monitoring:
- Analyze and Report
- Review and update
It is during the first, second, third and fourth phases where compliance teams will want to make sure their interests are represented. Ideally, the security team will solicit the compliance team's input anyway, but we live in an imperfect world, so it's up to the compliance team to ensure it happens. The goal during these first phases is to ensure the compliance controls the team wants to verify are included in the scope of the continuous monitoring data collection efforts.
More on information security and compliance
Mobile encryption improves security, reduces compliance risk
In light of new threats, information security a priority in 2014
Examine data such as log information, account usage information and system configuration information that is scheduled to be monitored and whether it provides benefits to compliance controls. If not, investigate whether additional data can be collected. During the reporting phases, you'll want to make sure the data you're obtaining is sufficient to ensure compliance.
This will obviously need to be a collaborative exercise unique to your organization. But by understanding continuous monitoring efforts, compliance teams can help support regulatory efforts by enabling sources of information that would otherwise not be available.
About the author:
Ed Moyle is director of emerging business and technology at ISACA. He previously worked as a senior security strategist at Savvis and a senior manager at CTG. Before that, he served as a vice president and information security officer at Merrill Lynch Investment Managers.
This was first published in December 2013