« NIST SP 1800-23 Energy Sector Asset Management: For Electric Utilities, Oil & Gas Industry | Main | Ministry of Internal Affairs and Communications publishes "On the Review of Information Security Measures for Local Governments" »

2020.05.23

NIST SP 800-137A Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment

Hello, this is Mitsuhiko Maruyama.

NIST has published a guide on developing an assessment of an information security continuous monitoring program (SP 800-137A). It is a supplement to SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, published in 2011, and describes an approach for developing an ISCM program assessment.

NIST - ITL

・2020.05.21 SP 800-137A Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment

・[PDF] SP 800-137A (DOI)

・Supplemental Material:
 Element Catalog for SP 800-137A (xls)

・Other Parts of this Publication:
 2011.09.30: SP 800-137

・Document History:
 2020.01.13: SP 800-137A (Draft)
 2020.05.21: SP 800-137A (Final)

Executive Summary

To effectively manage cybersecurity risks, organizations require ongoing awareness of their information security posture, vulnerabilities, and threats.[1] To achieve this awareness and better manage risks, organizations implement Information Security Continuous Monitoring (ISCM) capabilities under the direction of an ISCM program. An ISCM program defines, establishes, implements, and operates the various aspects of ISCM to provide the organization with the information necessary to make risk-based decisions regarding security status at all organizational risk management levels (organization level, mission and business process level, and system level).

Organizations need a way to determine and evaluate whether an established ISCM program is effectively managing the organization's security posture commensurate with risk. This publication describes one approach to developing an ISCM program assessment based on evaluation criteria derived from multiple sources (including NIST Special Publications (SP) 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations; SP 800-37, Risk Management Framework for Information Systems and Organizations: A Life Cycle Approach for Security and Privacy; SP 800-39, Managing Information Security Risk: Organization, Mission and Information System View; and Office of Management and Budget (OMB) Circulars and Memoranda). An ISCM program assessment developed under guidance in this publication evaluates the ISCM program itself (i.e., the structure and governance of the ISCM program), not the results of the ISCM program or the continuous monitoring technologies used. An effective ISCM program assessment provides consistent results regardless of the entity conducting the assessment. This publication does not prescribe the assessment of individual controls nor the examination of control assessment results as part of the ISCM program assessment.

The overarching goal of the ISCM program assessment is to provide organizations with recommendations to improve the ISCM program and thereby manage and reduce organizational risk. An ISCM program assessment provides a means for evaluating an organization’s ISCM strategies, policies, procedures, implementations, operational procedures, analytical processes, specific reporting, results presentation, risk assessment and risk scoring, risk response, and the ISCM program improvement process. An ISCM program assessment may be developed by an organization to evaluate its own ISCM program or by an independent assessment organization.

Creating or adopting and using an ISCM program assessment can help reduce overall risk to organizations by identifying gaps in an ISCM program, in the implementation of an ISCM program, or in the operational use of ISCM results. In addition, an ISCM program assessment can indicate the level of readiness for system-level ongoing authorization.

This publication:

  • Offers guidance on the development of an ISCM program assessment process for all organizational risk management levels, i.e., as defined in NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View;
  • Describes how an ISCM program assessment relates to important security concepts and processes, such as the NIST Risk Management Framework (RMF), organization-wide risk management levels, organizational governance, metrics applicable to ISCM, and ongoing authorization;
  • Describes the properties of an effective ISCM program assessment;
  • Presents a set of ISCM program assessment criteria, with references to the sources from which the criteria are derived, that can be adopted by an organization and used for ISCM program assessments or as a starting point for further development of an organization’s assessment criteria; and
  • Defines a way to conduct ISCM program assessments by using assessment procedures defined in the companion document containing the ISCM Program Assessment Element Catalog and designed to produce a repeatable assessment process.


[1] NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, defines ISCM as "maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions" [SP800-137, p. B-6].

-----

The table of contents looks like this:

Executive Summary
1 Introduction
1.1 Background
1.2 Purpose
1.3 Audience
1.4 Scope
1.5 Assumptions
1.6 Organization of this Publication
2 The Fundamentals
2.1 ISCM Management
 2.1.1 ISCM Background
 2.1.2 ISCM Process Steps
 2.1.3 Organization-Wide Risk Management Levels
 2.1.4 NIST Risk Management Framework and ISCM
 2.1.5 Governance and ISCM
 2.1.6 ISCM Metrics
 2.1.7 Ongoing Authorization
2.2 Foundation of ISCM Program Assessments
 2.2.1 ISCM Program Assessment Criteria
 2.2.2 Sources of ISCM Program Assessment Elements
 2.2.3 ISCM Program Assessment Element Attributes
 2.2.4 ISCM Program Assessment Element Catalog
 2.2.5 Traceability of ISCM Program Assessment Elements (Chains)
 2.2.6 Properties of the ISCM Program Assessment
 2.2.7 Assessing the ISCM Program through the Evaluation Criteria
  2.2.7.1 Judgment Values
  2.2.7.2 Making Judgments
  2.2.7.3 N/A Judgments
 2.2.8 Assessing the ISCM Program within One Organizational Level
 2.2.9 Assessing the ISCM Program across Multiple Risk Management Levels
 2.2.10 Scoring
 2.2.11 Criticality
 2.2.12 Reporting of Assessment Results
2.3 Using the ISCM Program Assessment
 2.3.1 Types of ISCM Program Assessments
 2.3.2 Extent and Duration of ISCM Program Assessments
 2.3.3 Expected Outcomes of ISCM Program Assessments
3 The Process
3.1 Overview of the ISCM Program Assessment Process
 3.1.1 ISCM Program Assessment Plan
3.2 ISCM Program Assessment Process Steps
 3.2.1 Plan Step
 3.2.2 Conduct Step
  3.2.2.1 Evidence Gathering
  3.2.2.2 Evidence Analysis
 3.2.3 Report Step
  3.2.3.1 Post Assessment Response (Follow-on Actions)
3.3 ISCM Program Assessment Elements
 3.3.1 Assessment Element Information Fields
 3.3.2 Use of Assessment Elements
3.4 Limits on ISCM Program Assessment Elements
3.5 Tailoring the ISCM Program Assessment Process
3.6 Conclusion of the ISCM Program Assessment

References
Acronyms
Glossary
Traceability Chains
