Cybersecurity Wednesdays: Information Security Continuous Monitoring (ISCM) Enabling Technologies: Can You Name Them?
GovDefenders Wednesdays is written by Van Ristau, DLT Solutions’ Chief Technology Officer. Throughout the month, he’ll explore the world of public sector cybersecurity, introducing concepts, offering opinions, providing resources, and identifying ways to protect your agency. You may also follow Van on Twitter at @VanRistau.
During this series I intend to periodically look at specific continuous monitoring technologies and discuss the rationale for their inclusion in the Information Security Continuous Monitoring (ISCM) toolbox. One of the misconceptions held by many outside the band of information security practitioners is that information security, or cybersecurity, is basically about antivirus protection, malware avoidance, identity protection, and secure access to applications through strong passwords. Au contraire, mon ami.
To understand why information security is much more, let’s look at one of the ISCM enabling technologies, License Management, identified in Appendix D of NIST Special Publication 800-137 (SP 800-137), Information Security Continuous Monitoring for Federal Information Systems and Organizations.
The intent of license management, in an information security context, is threefold. First, it ensures that software applications are inventoried similarly to hardware, since you cannot monitor that which you do not know you have. Second, it ensures that only approved applications are on the network (you don’t want any roguish applications that might be doing nefarious things). Lastly, it ensures that approved applications are up to date, especially with the relevant security patches, which normally implies that the application is in compliance with the licensing agreement.
Now, the fine folks at NIST have invested significant time and expert thought to develop the Risk Management Framework (RMF) and define what security and privacy controls are appropriate for systems requiring different levels of security. SP 800-53 Rev. 4 (February 2012), Security and Privacy Controls for Federal Information Systems and Organizations, is the authoritative source for current requirements regarding security controls for low, moderate, and high security system protection. You’ll note that controls CM-8 Information Systems Component Inventory; CM-10 Software Usage Restrictions; and SI-7 Software, Firmware, and Information Security specifically require license management to be a security control element. You can identify the level of license management functionality that you require based on the security classification of the system (i.e., low, moderate, high) and whether or not that system is contained by a higher-level enterprise IT system.
So, if you have a robust IT Asset Management (ITAM) program that includes Software Asset Management (SAM), you will probably be in good shape with regard to the License Management requirement. If not, DLT Solutions is able to offer three solutions that can address this issue: Symantec’s Altiris Asset Management Suite, BDNA’s Technopedia, and Flexera Software’s license compliance management solution, FlexNet.