The purpose of Monitoring is to collect, record, and distribute information about the operational resilience management system to the organization on a timely basis.
Monitoring is an enterprise-wide activity that the organization uses to “take the pulse” of its day-to-day operations and, in particular, its operational resilience management processes. Monitoring provides the information that the organization needs to determine whether it is being subjected to threats and vulnerabilities that require action to prevent organizational impact. Monitoring also provides valuable information about operating conditions that could indicate a need for active organizational involvement.
Many operational resilience management processes implicitly require monitoring capacities in order to achieve higher-maturity goals. For example, monitoring provides data about changes in the user environment that can result in necessary changes in access privileges. Effective monitoring also informs the organization when new vulnerabilities emerge (either inside or outside of the organization) or when events or incidents require the organization’s attention. This information may require the organization to change its strategy, improve control selection, implementation, and management, or improve the details of its service continuity plans. In addition, the organization’s compliance process, which is by nature data-intensive, benefits from monitoring activities by receiving up-to-date information that can be important to compliance activities. In essence, monitoring is a core capability that the organization must master in order to improve and sustain a level of adequate resilience.
Monitoring is also a data collection activity that allows the organization to measure process effectiveness across resilience capabilities. For example, through monitoring, the organization can determine whether its resilience goals are being met. It can also ascertain whether its security activities are effective and producing the intended results. Monitoring is one way that the organization collects necessary data (and invokes a vital feedback loop) to know how well it is performing in managing the operational resilience management system.
The Monitoring process area focuses on the activities the organization performs to collect, record, and distribute relevant data to the organization for the purposes of managing resilience and providing data for measuring process effectiveness. To do this, the organization must establish the stakeholders of the monitoring process (i.e., those that have a need for timely information about resilience activities) and determine their requirements and needs. The organization must also determine its monitoring requirements for managing both operational resilience and the operational resilience management system and ensure that resources have been assigned to meet these requirements. Data collection, recording, and distribution take organizational resources. Thus, the organization must consider and implement an infrastructure that supports and enables its monitoring needs and capabilities. Finally, the organization must collect, organize, record, and make available the necessary information in a manner that is timely and accurate and that ensures data confidentiality, integrity, and availability.
The Monitoring process area provides essential data necessary to manage several operational resilience management processes. These processes include Incident Management and Control, Vulnerability Analysis and Resolution, Risk Management, and others. From a process improvement perspective, all operational resilience management process areas may rely upon data collected and distributed through monitoring practices as described in this process area.
A program for identifying, recording, collecting, and reporting important resilience information is established and maintained.
Monitoring is not simply a process of accumulating data; instead, it is a process of data collection and distribution with the purpose of providing timely, accurate, complete, and useful information about the current state of operational processes, any potential threats or vulnerabilities, and information about the effectiveness of the organization’s operational resilience management activities.
Monitoring encompasses a wide array of organizational activities that serve many different uses and purposes.
Effective monitoring at an enterprise level is a significant challenge that requires careful planning and program management. Requirements for data collection and distribution must be thoughtfully established by those who need accurate and timely information to manage their processes (commonly referred to as “stakeholders”) and to improve them. The extent to which the organization must establish monitoring as an enterprise-level capability depends on the requirements of stakeholders. In many cases, data can be collected efficiently and distributed to many stakeholders, all of which may have vastly different needs for it.
Of note is that not all monitoring activities may be under the direct control of the organization. For example, if the organization has outsourced security operations, many of the monitoring processes relevant to managing operational resilience will probably be performed by the outsourcer and, in some cases, by one of its subcontractors. It is extremely important for the organization to identify where these monitoring processes are being performed and ensure that monitoring requirements (including the accuracy, validity, and timeliness of data) are being met.
To address monitoring as an organizational competency, the organization must establish a monitoring program and plan and identify stakeholders and their requirements as a foundation for an efficient and effective data collection, organization, and distribution process.
A program for identifying, collecting, and distributing monitoring information is established and maintained.
The monitoring program establishes the organization’s approach to developing, deploying, coordinating, managing, and improving monitoring-related activities (such as data collection and distribution) in order to meet monitoring requirements established by organizational stakeholders. Because monitoring requirements can be vast in scope and breadth, the organization must determine how it can meet these requirements in the most efficient and effective manner.
The organization’s monitoring program must take into consideration the scope and breadth of the activities necessary to meet these goals, including the human resources necessary to fulfill requirements, the funding required for monitoring processes, and any training or skills improvement activities that will be needed to meet requirements.
Typical work products
The plan and program for monitoring should address how the organization will
• identify relevant stakeholders of the monitoring program
• collect monitoring requirements
• analyze and prioritize monitoring requirements
• collect and distribute data to meet the requirements
• establish and enforce collection and distribution guidelines and standards
• coordinate and manage monitoring activities performed by external entities
• store and protect monitoring data
• resource, fund, and perform monitoring activities
The plan and program for monitoring should also provide guidance on the types of assets and services that should specifically be included in monitoring activities (i.e., to provide direction on developing monitoring requirements).
Documented commitments by those responsible for implementing and supporting the plan are essential for program effectiveness.
The organizational and external entities that rely upon information collected from the monitoring process are identified.
Stakeholders of the organization’s monitoring processes are those internal and external people, entities, or agencies that require information about the operational resilience management processes for which they have responsibility and for which they must achieve resilience goals, objectives, and obligations.
Stakeholders are essential to the monitoring process because their requirements shape and form the monitoring activities that the organization performs. The scope of monitoring is in part devised through the needs of stakeholders of the process, and the tangible processes the organization puts in place to perform monitoring are designed around these needs.
Stakeholders range from high-level personnel such as the CEO and CIO to operations-level staff such as system administrators and security guards.
The organization must effectively identify stakeholders of the monitoring process and determine their needs and requirements. The identification process may be difficult but can be enabled by reviewing the organization’s operational resilience management processes and commencing conversations with stakeholders of these processes. For external stakeholders, the organization may begin with a review of significant contracts with external entities or may have conversations with outsourcers.
The establishment of monitoring requirements is addressed in practice MON:SG1.SP3.
Typical work products
Subpractices
The list should include internal and external stakeholders and should be seeded by examining operational resilience management processes and their organizational owners.
To facilitate the organization’s enterprise-level monitoring processes, information about the stakeholders and their specific justification for inclusion in the process should be documented.
The requirements for monitoring operational resilience management processes are established.
The scope of the monitoring activity determines how extensive the organization’s processes must be and may be a deciding factor in how the organization develops and implements appropriate infrastructure to meet the requirements of stakeholders. The scope is a direct reflection of the needs and requirements of stakeholders.
The requirements of stakeholders must clearly establish the information and data that they need on a regular basis to manage, measure, direct, control, and improve processes for which they have responsibility.
Clearly, these requirements will vary widely by stakeholder and will require extensive consideration and planning to satisfy. In addition, while these requirements form the basis for the organization’s program and plan for monitoring, they also establish the requirements for infrastructure that must be implemented and managed to meet the requirements as stated. In some cases, the organization may decide to outsource some of these requirements instead of making permanent investments in infrastructure. (Infrastructure considerations are addressed in MON:SG2.SP1.)
The organization must systematically collect, document, analyze, and prioritize the monitoring requirements from stakeholders. However, the organization may also need to decompose these general requirements into functional requirements that relate to resources and infrastructure. For example, if a system administrator needs to have a daily log of the activity of users with special privileges, it must be possible to produce this log (by a system or special program) and deliver it to the system administrator or the administrator’s designees. Thus, the monitoring requirement will have to be translated into other requirements (such as the ability of the operating system to produce the report needed) before it can be satisfied.
Typical work products
Subpractices
Monitoring requirements must be established by stakeholder and documented. Essential information about each requirement must be collected so that the requirements can be analyzed and prioritized.
Monitoring requirements may have to be decomposed into functional requirements in order to determine their feasibility. Functional requirements describe at a detailed level what must be performed to meet the monitoring requirement. At a minimum, functional requirements must specify format, frequency, and source but should also detail infrastructure requirements (if so dependent). If the monitoring requirements will have to be met through a sourcing contract (i.e., via an outsourcer), functional requirements will have to be more extensive so that they can be reflected in requests for proposals (RFPs) and contract terms.
Because monitoring activities can be labor-, time-, and cost-intensive, monitoring requirements must be reviewed and validated on a regular basis. This allows the organization to avoid monitoring activities that are not purposeful and to direct resources to activities that are next on the priority list.
Monitoring requirements are analyzed and prioritized to ensure they can be satisfied.
Once requirements have been established for monitoring processes, the organization must determine if the requirements can be satisfied. Satisfaction of the requirements may result in infrastructure and resource needs that the organization does not currently possess and may require expenditures for outsourcing or other arrangements to obtain.
The analysis of monitoring requirements is dependent upon a thorough review of functional requirements. Functional requirements express the potential demands on the organization needed to meet monitoring requirements. If functional requirements cannot be met for any reason (including cost or lack of human resources), alternatives will have to be identified and analyzed (such as outsourcing), or a decision must be made to forgo satisfaction of the requirement.
Because not all monitoring requirements will be able to be met, the organization may need to look at its operational resilience management processes and prioritize requirements so that high-priority needs (such as the detection of events or incidents) are given precedence. Process areas such as Access Management, Vulnerability Analysis and Resolution, Incident Management and Control, Identity Management, and Environmental Control may have significant monitoring needs just to keep them operational and functional.
When the organization cannot meet a requirement, it typically indicates that the information needed to keep operational resilience management processes operating or to improve these processes is not available. In some cases, this may pose additional risk to the organization because events, incidents, vulnerabilities, and threats may go unnoticed or undetected. For example, if the organization is unable to produce a daily log of users who have special privileges and the actions that these users take, there is a potential that unauthorized or inadvertent actions may take place without the organization’s knowledge. Thus, not only is the monitoring requirement unfulfilled, but the organization takes on additional risk by not being able to operate a corresponding detective control. This risk must be identified, characterized, and addressed through the organization’s risk management process.
Typical work products
Subpractices
Analysis should address resource and infrastructure needs. Functional requirements should be a primary consideration in analysis because these requirements may become significant constraints in providing monitoring services.
Not all monitoring requirements may be satisfied due to resource constraints. In addition, some requirements may be of higher priority because they support strategies to protect and sustain higher-priority assets and services. Thus, the organization should attempt to prioritize monitoring requirements so that qualitative decisions can be made regarding which requirements must be satisfied versus those that may be left unsatisfied.
Requirements on which the organization has put a high priority and which it intends to satisfy should be considered accepted requirements, and appropriate processes should be provided to meet these requirements.
Some monitoring requirements may not be satisfiable.
The organization should clearly document those requirements that cannot be satisfied, communicate this decision to stakeholders (and attempt to negotiate the requirements, if appropriate), and determine any potential consequences that may result.
In some cases, the inability to satisfy a monitoring requirement may pose additional operational risk to the organization. This is particularly true when monitoring processes are a fundamental part of other operational resilience management processes such as incident management or vulnerability management. In these cases, the inability to satisfy a monitoring requirement should be documented, and any resulting risk should be referred to the organization’s risk management process for analysis and resolution.
The risk management cycle is addressed in the Risk Management process area.
The monitoring process is performed throughout the enterprise.
Monitoring activities are typically thought of as technology-driven and therefore as part of the domain of information technology. In reality, monitoring activities are often performed throughout the organization, take many forms (from service desk calls to automated monitoring of networks and systems), and involve many different people and their skills.
Effective monitoring requires people, processes, and technology that have to be deployed and managed to meet monitoring requirements and provide timely and accurate information to other operational resilience management processes. This requires the establishment of appropriate infrastructure to support the process, collection standards and processes to ensure consistency and accuracy of information, the active collection of data, and the distribution of data to relevant stakeholders.
Depending on resources, the criticality of the monitoring processes, and the objectives for gathering and distributing monitoring data, the organization may perform monitoring processes, establish infrastructure, and distribute information through internal activities or source some or all of these processes to outsourcers. In some cases, monitoring may be included as part of the outsourcing of an organizational service. Thus, monitoring practices can be performed either in-house or by external entities.
A monitoring infrastructure commensurate with meeting monitoring requirements is established and maintained.
Monitoring is a data-collection-intensive activity that is often dependent on support services and technologies to meet requirements. While typically a technology-driven activity, many monitoring processes are manual and people-intensive in nature. Relative to the types of monitoring that the organization requires, an appropriate infrastructure must be established and supported to ensure consistent, accurate, and timely satisfaction of requirements. This infrastructure can encompass people, processes, and technology and will likely make use of the organization’s existing installed base of technology and manual processes. However, in some cases, the supporting infrastructure may extend beyond the organization’s borders to outsourcers and other external entities that help the organization to meet requirements.
Important considerations for an appropriate supporting infrastructure include the protection and timeliness of data collected and distributed. Monitoring data can expose the organization’s weaknesses and therefore must be protected from unauthorized, inappropriate access where it is stored or collected, and in transmission to users and stakeholders. In addition, the timeliness of the collected data is paramount to providing an appropriate response to events, incidents, and threats and other actions the organization may take for improving operational resilience management processes.
In addition to meeting timeliness and protection requirements, the infrastructure should also ensure that the provisions of the organization’s monitoring plan and program can be accomplished.
When the infrastructure is not under the direct control of the organization, special contractual arrangements and provisions should be enacted to ensure that protection and timeliness requirements can be met and that corresponding monitoring requirements can be satisfied.
Subpractices
Monitoring requirements may be met substantially by existing infrastructure and manual processes. Examining existing infrastructure and inventorying existing monitoring capabilities give the organization the ability to accurately determine additional infrastructure needs and to prepare for meeting them.
Infrastructure needs may range from manual processes to automated, highly technical processes and are predicated on monitoring requirements that have been accepted by the organization.
Based on requirements and existing capabilities, infrastructure requirements have to be articulated and addressed. This process can be aided by examination of the functional requirements that have been developed as a result of analysis of monitoring requirements (as performed in practice MON:SG1.SP3).
Infrastructure needs that cannot be met by the organization (whether technical or manual) may result in the inability to meet monitoring requirements. In this case, the monitoring requirements that cannot be met, and any resulting risk to the organization, should be characterized and addressed by the organization. (See subpractice 3 in MON:SG1.SP4.)
An appropriate infrastructure for supporting monitoring requirements must be implemented and managed to ensure consistent and accurate collection and distribution of data.
The standards and parameters for collecting information and managing data are established.
Because monitoring is fundamentally a data collection activity, the organization should implement standards and parameters that ensure enterprise-wide quality assurance for the monitoring process. These standards and parameters should address data accuracy, completeness, and timeliness and should apply across the organization to ensure consistency and repeatability.
Standards and parameters should also address appropriate measures to store monitoring data, to make it available as needed, and to protect it from unacceptable exposure or use. In addition, relevant historical data may be captured as part of the monitoring process that can also provide a foundation for forensic discovery and analysis. This evidence must be appropriately preserved. (Practices for the appropriate handling of forensic data are specifically addressed in practice IMC:SG2.SP3 in the Incident Management and Control process area.)
Collection of extraneous or irrelevant information may not instill confidence in stakeholders that the monitoring program is operating as planned or is meeting the objectives of the program or monitoring requirements. Thus, standards and parameters should also address the filtering and validation of data to ensure it exhibits high levels of integrity.
When collected and stored, monitoring data creates an organizational asset that must be appropriately managed. (The activities for managing knowledge and information assets are addressed in the Knowledge and Information Management process area.)
Typical work products
Subpractices
Detailed processes, standard operating procedures, or work instructions may be created during monitoring infrastructure implementation, but they will have to be regularly reviewed, tailored, and possibly supplemented to meet ongoing monitoring needs.
Information relevant to the operational resilience management system is collected and recorded.
The basic organizational activities involved in monitoring are data collection and recording. Data collection may be a discrete (i.e., periodic) or continuous activity, depending on the stakeholders’ requirements for immediacy, availability, and usability.
Data collection is dependent on having appropriate media to meet the requirements of stakeholders. These requirements may be infrastructure-related (i.e., involve storage arrays, etc.).
In a broad sense, monitoring is an activity of not only data collection but also usage of this data to protect and sustain organizational assets and services and to monitor and improve operational resilience management processes. However, the Monitoring process area addresses only the establishment of monitoring requirements and the collection and distribution of relevant monitoring data. It does not address the usage of this data to manage operational resilience or to improve operational resilience processes. The usage of monitoring data is considered to be included as a part of all relevant operational resilience management process areas where appropriate and is not replicated in this process area.
Typical work products
Subpractices
Collection methods and procedures must ensure the organization’s ability to meet monitoring requirements (particularly high-priority requirements) with the available infrastructure and capacity.
Ensure that monitoring support staff have received appropriate training to perform the necessary monitoring activities.
Data categorization is addressed in the Knowledge and Information Management process area.
Collected and recorded information is distributed to appropriate stakeholders.
The continuous and effective management of operational resilience is highly dependent on information collected in the monitoring process.
To meet these objectives, monitoring information must be available for use when needed by stakeholders. Thus, the organization must establish viable distribution methods and channels to move collected information to stakeholders as requested in a reliable and consistent manner.
The frequency of distribution of monitoring information is dependent upon the monitoring requirements established by stakeholders. Considering how the monitoring information will be used, stakeholders may require distribution of this information on a discrete basis (i.e., at points in time on a regular basis) or continuously (on demand, highly available). For example, a once-daily report of users who have exercised special privileges may be sufficient for a system security administrator; in contrast, immediate alarms and notifications of potential denial-of-service attacks may be necessary to adequately protect the organization from impact.
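The two stakeholder examples in this practice (a daily report of users who exercised special privileges, and immediate alerts on a potential denial-of-service condition), together with the decomposition of a monitoring requirement into format, frequency and source in MON:SG1.SP3 and the filtering and validation of collected data in MON:SG2.SP2, can be shown end to end in a small script. The following is an added illustration written for this page; it is not code from CERT-RMM. The log lines, host names, user names, addresses, the `syn_rate` field and its threshold, and the `FunctionalRequirement` structure are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class FunctionalRequirement:
    """A stakeholder's monitoring requirement decomposed into the minimum
    functional detail the text calls for: source, format and frequency."""
    stakeholder: str
    need: str
    source: str       # where the data is produced
    fmt: str          # what the stakeholder expects to receive
    frequency: str    # "daily" (discrete) or "immediate" (continuous)
    priority: int     # 1 = highest; used to order distribution


# Constructed requirements for the two stakeholders named in the text.
REQUIREMENTS = [
    FunctionalRequirement("system security administrator",
                          "actions taken by users with special privileges",
                          "auth", "daily report", "daily", 2),
    FunctionalRequirement("network operations",
                          "indicators of a denial-of-service condition",
                          "firewall", "alert", "immediate", 1),
]

# Constructed syslog-style sample lines; hosts, users and addresses are
# hypothetical. The fourth line is malformed on purpose to exercise validation.
SAMPLE_LOG = """\
2024-03-01T08:15:02Z host1 auth: user=alice privilege=sudo cmd="systemctl restart sshd"
2024-03-01T09:02:44Z host1 auth: user=bob privilege=none cmd="ls"
2024-03-01T09:30:10Z host2 auth: user=carol privilege=sudo cmd="useradd tmp"
this line is malformed and must be rejected by validation
2024-03-01T10:00:00Z fw1 firewall: syn_rate=12000 src=203.0.113.9 action=drop
2024-03-01T10:00:05Z fw1 firewall: syn_rate=80 src=198.51.100.4 action=allow
2024-03-02T01:10:00Z host1 auth: user=alice privilege=sudo cmd="passwd carol"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\w+): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYN_RATE_THRESHOLD = 1000  # constructed threshold for the example


def parse_line(line):
    """Validate one line; return a record dict, or None to filter it out."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
    return {"ts": ts, "host": m["host"], "source": m["source"], **fields}


def collect(raw):
    """Collection with validation: returns (accepted records, number rejected)."""
    accepted, rejected = [], 0
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            accepted.append(rec)
    return accepted, rejected


def daily_privileged_report(records, day):
    """Discrete distribution: privileged actions recorded on one day (YYYY-MM-DD)."""
    return [(r["host"], r["user"], r["cmd"]) for r in records
            if r["source"] == "auth"
            and r.get("privilege") not in (None, "none")
            and r["ts"].date().isoformat() == day]


def immediate_alerts(records):
    """Continuous distribution: one alert per record that crosses the DoS indicator."""
    return [f"ALERT {r['ts'].isoformat()} {r['host']} syn_rate={r['syn_rate']} src={r['src']}"
            for r in records
            if r["source"] == "firewall" and int(r["syn_rate"]) > SYN_RATE_THRESHOLD]


def distribute(records):
    """Route collected data to each stakeholder at the frequency its requirement
    specifies, highest priority first."""
    out = {}
    for req in sorted(REQUIREMENTS, key=lambda q: q.priority):
        if req.frequency == "immediate":
            out[req.stakeholder] = immediate_alerts(records)
        else:
            days = sorted({r["ts"].date().isoformat() for r in records})
            out[req.stakeholder] = {d: daily_privileged_report(records, d) for d in days}
    return out


if __name__ == "__main__":
    recs, rejected = collect(SAMPLE_LOG)
    print(f"accepted={len(recs)} rejected={rejected}")
    for stakeholder, payload in distribute(recs).items():
        print(stakeholder, "->", payload)
```

Running the script shows the three parts of the practice in one pass: the malformed line is counted as rejected rather than silently recorded, the administrator receives one report per calendar day that omits non-privileged activity, and the firewall record whose rate crosses the threshold produces an alert on the spot while the benign record produces nothing. Which stakeholder is served first follows the priority field, which is how the analysis in MON:SG1.SP4 would feed the distribution.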
The variety and extensiveness of distribution requirements may affect infrastructure capabilities and capacities. Thus, distribution requirements must be included when considering an adequate infrastructure for supporting monitoring processes. (Considerations of monitoring infrastructure are addressed in practice MON:SG2.SP1.)
Distribution of monitoring information may also vary significantly depending on whether the monitoring processes are internal or external. External processes may have to be contractually arranged to meet the distribution demands of stakeholders, so their distribution requirements must be clearly identified in contracts and service level agreements.
Typical work products
Subpractices
Based on requirements for data distribution, the organization should identify the types of media and methods of distribution that will have to be supported to deliver to stakeholders.
In the case of external collection and distribution of data, the media and methods will have to be included in contractual arrangements and service level agreements.
Collection media (as described in practice MON:SG2.SP3) may be the same as media used to distribute information. In other words, if data is collected directly to CD, it may also be distributed on CD.
Because monitoring information is a high-value organizational information asset, the protection considerations of this asset must be identified. Appropriate controls may have to be designed and implemented to protect monitoring data from unauthorized use and access. (Considerations of strategies to protect and sustain information assets are addressed in the Knowledge and Information Management process area.)
These plans, processes, and procedures should also take into consideration distribution of monitoring information from external sources.
Monitoring infrastructure is addressed in MON:SG2.SP1.
Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the Monitoring process area.
The operational resilience management system supports and enables achievement of the specific goals of the Monitoring process area by transforming identifiable input work products to produce identifiable output work products.
Perform the specific practices of the Monitoring process area to develop work products and provide services to achieve the specific goals of the process area.
Elaboration:
Specific practices MON:SG1.SP1 through MON:SG2.SP4 are performed to achieve the goals of the monitoring process.
Monitoring is institutionalized as a managed process.
Establish and maintain governance over the planning and performance of the monitoring process.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the monitoring process.
Subpractices
Elaboration:
Establish and maintain the plan for performing the monitoring process.
Elaboration:
The plan for the monitoring process should not be confused with the monitoring plan and program for identifying, collecting, and distributing specific monitoring data as described in specific practice MON:SG1.SP1. The plan for the monitoring process details how the organization will perform monitoring, including the development of specific monitoring plans and programs.
Subpractices
Provide adequate resources for performing the monitoring process, developing the work products, and providing the services of the process.
Subpractices
Elaboration:
Staff assigned to the monitoring process must have appropriate knowledge of the related processes being monitored and the objectivity to perform monitoring activities without concern for personal detriment and without the expectation of personal benefit.
Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.
Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.
Elaboration:
Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for monitoring.
Elaboration:
Many of these tools, techniques, and methods should be available as applied to other aspects of organizational monitoring. The intent here is to apply these to operational resilience management.
Assign responsibility and authority for performing the monitoring process, developing the work products, and providing the services of the process.
Elaboration:
Specific practice MON:SG1.SP1 calls for documenting commitments by those responsible for implementing the monitoring plan and program. Specific practice MON:SG1.SP2 calls for documenting the roles and responsibilities of relevant stakeholders.
Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.
Subpractices
Elaboration:
Refer to the External Dependencies Management process area for additional details about managing relationships with external entities.
Train the people performing or supporting the monitoring process as needed.
Refer to the Organizational Training and Awareness process area for more information about training the people performing or supporting the process.
Refer to the Human Resource Management process area for more information about inventorying skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill deficiencies.
Elaboration:
Elaboration:
Place designated work products of the monitoring process under appropriate levels of control.
Identify and involve the relevant stakeholders of the monitoring process as planned.
Elaboration:
Several MON-specific practices address the involvement of stakeholders in the monitoring process. For example, MON:SG1.SP2 calls for identifying stakeholders that require information about operational resilience management processes for which they are responsible; MON:SG1.SP3 establishes monitoring requirements based on stakeholder requirements and needs.
Subpractices
Elaboration:
Monitor and control the monitoring process against the plan for performing the process and take appropriate corrective action.
Elaboration:
While this practice is self-referencing, practices in the Monitoring process area provide more information about collecting and recording data relevant to operational resilience management processes that can also be applied to the monitoring process.
Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.
Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.
Elaboration:
Elaboration:
Objectively evaluate adherence of the monitoring process against its process description, standards, and procedures, and address non-compliance.
Elaboration:
Review the activities, status, and results of the monitoring process with higher-level managers and resolve issues.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.
Monitoring is institutionalized as a defined process.
Establish and maintain the description of a defined monitoring process.
Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.
Subpractices
Collect monitoring work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.
Elaboration:
Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.
Subpractices