Monitoring information system security controls

Now that we have a production information system that has been fully authorized to operate by an executive leader with the appropriate authority to accept risk on behalf of the organization, we need to begin the process of operations and maintenance.

The operations and management phase for an information system is referred to as continuous monitoring. The purpose behind continuous monitoring is to ensure that the security controls that were designed and tested as part of the information system's development continue to be effective over the life of the system.

In the past, an information security professional would ensure that an information system was adequately protected as it was going into production. After that, the system was treated as secure until the authorizing official or compliance requirements dictated it was time to review the security documentation again. The reality is that an information system does not stay secure for very long if you are not paying careful attention.

Some factors that erode an information system's security are as follows:

  • The need to patch: New vulnerabilities are discovered all the time
  • Changes to the system: A new change, whether it is a new server service, web application, or office automation tool, could bring a new weakness and therefore risk to the organization
  • Changes in technology: A best practice today may not be a best practice tomorrow
  • Path of least resistance: To meet customer expectations, system operators may take shortcuts in information security

You will want to establish a program that ensures you have good visibility into your organization's information systems from a security perspective, in order to ensure the continued security of those information systems.

Some mechanisms to continuously monitor information systems are as follows:

  • Configuration management:
    • Tools: These types of tools allow the operations team to effectively monitor changes to information system settings:
      1. A configuration management tool is a necessity in a modern enterprise to manage the many settings in a modern information system
      2. These tools should also allow for the appropriate security control baseline to be applied and reapplied if it is removed without authorization
    • Process: A robust change management system should be in place allowing stakeholders to discuss changes to the information system and determine potential risk to the information system and the organization
  • Vulnerability management tools: These tools can be used to identify changes in configuration from the security baselines, as well as new vulnerabilities that may occur over time due to newly discovered flaws in technology.
  • Patch management tools: These tools work to ensure that new patches required by the information system are available and automatically installed on the system. Key points to remember are as follows:
    • Not all patches will install properly. Sometimes manual intervention is required.
    • Not all information systems are supported by patch management systems. Sometimes you will need to monitor the software distribution news for your vendor. If they post a security patch, you should manually download and install the patch.
  • Asset management tools: These tools serve to ensure that new devices added to the network or information system are cataloged as part of a detailed asset inventory.
  • Periodic audits: For those items that cannot be easily tested via automation, you will need to develop procedures to ensure that those controls are tested periodically.
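
The configuration management and vulnerability management items above both come down to comparing a system's observed settings against its approved security baseline and telling authorized change apart from drift. The following is an added example, not code from the book: the setting names, the sample data and the approved-change record are constructed for illustration.

```python
# Constructed sample data: the approved security control baseline for one host.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "password.min_length": "14",
}
# Constructed change-management record: (setting, new value) pairs that
# stakeholders reviewed and approved.
APPROVED_CHANGES = {("password.min_length", "16")}
# Constructed observation of the running system.
OBSERVED = {
    "ssh.PermitRootLogin": "yes",        # changed without approval
    "ssh.PasswordAuthentication": "no",  # still matches the baseline
    "password.min_length": "16",         # approved change
    "telnet.enabled": "yes",             # new service the baseline never covered
}                                        # audit.enabled has been removed

def find_drift(baseline, observed, approved):
    """Classify every deviation from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected, actual = baseline.get(key), observed.get(key)
        if expected == actual:
            continue
        if expected is None:
            status = "unbaselined"    # needs a change-management decision
        elif (key, actual) in approved:
            status = "authorized"     # baseline document should be updated
        else:
            status = "unauthorized"   # changed or removed without approval
        findings.append({"setting": key, "expected": expected,
                         "actual": actual, "status": status})
    return findings

def reapply_baseline(baseline, observed, findings):
    """Return a copy of the observed settings with unauthorized drift reverted."""
    fixed = dict(observed)
    for f in findings:
        if f["status"] == "unauthorized":
            fixed[f["setting"]] = baseline[f["setting"]]
    return fixed

if __name__ == "__main__":
    results = find_drift(BASELINE, OBSERVED, APPROVED_CHANGES)
    for f in results:
        print(f"{f['status']:<12} {f['setting']}: "
              f"expected={f['expected']} actual={f['actual']}")
    print(reapply_baseline(BASELINE, OBSERVED, results))
```

Settings reported as unbaselined are left untouched by `reapply_baseline`; they are the input to the change management process rather than something to revert automatically.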