by eSecurity Planet Staff
Among NIST's continuous monitoring documents, SP 800-137 states that the following are "essential to organization-wide continuous monitoring":
- Ongoing assessment of security controls – Read this as, "Test the controls you already bought and figure out whether they are working."
- Configuration management, change control and corresponding security impact analyses – In other words, "If you make a change, like standing up a new app, what is the overall effect? Are you more secure or less secure now?"
- Security status reporting – When doing this, you need to consider the metrics and reports you are using. Do they reflect the real risks your organization is facing?
Source: eSecurity Planet