Strengthening Security with Continuous Monitoring
Information security has never been more critical to the
performance of U.S. government agencies and private-
sector enterprises. Today, continuous monitoring is an
indispensable component of an effective security strategy.
Real-time threats, more sophisticated attacks,
compliance requirements, and budget reductions
are converging to make continuous monitoring
an undertaking of paramount importance. Today,
organizations of every type present much larger attack
targets because more of their activities take place
online and through mobile devices. The threats to an
organization’s data and proprietary information are
constant. These are not the much-publicized raids
by amateur hackers—more and more, they include
advanced persistent threats from highly sophisticated
and well-organized sources—including foreign
governments. The vulnerabilities and threats are
multiplying and changing in real time, making the risks
to an organization’s equipment, productivity, intellectual
capital, and reputation more and more complex.
Government and private-sector organizations are
trying to keep pace with the rising threat levels.
However, they are not achieving the dynamic security
levels required because the information security
tools they use are largely static “point solutions,”
with few interconnections and little integration, and
because they often lack the benefits of a centralized,
organizationwide security strategy. Moreover,
organizations face severe operational challenges—
notably the constant pressure to do more with less
funding and fewer resources, while contending with the
demands of burdensome reporting.
What’s needed now is “always-on” vigilance and
solutions for Continuous Diagnostics and Mitigation
(CDM), to provide organizations with Continuous
Monitoring as a Service (CMaaS). The rising number
of incidents and the complexity of threats demand
greater emphasis on developing and implementing
more powerful defenses and countermeasures. In turn,
that calls for a mindset of continuous monitoring, along
with the skills and the solutions to ensure continuous
monitoring becomes part of the information security
fabric of the organization. In particular, that mindset
must evolve to support a culture of risk-based thinking
and a shift toward organizationwide views of data
management, with all the processes and techniques
that this shift involves.
Do you have the resources and the partnerships to
make continuous monitoring a reality?
Booz Allen Can Help You Improve Your Security Posture Through Continuous Monitoring
Booz Allen Hamilton, a leading strategy and
technology consulting firm, is the trusted partner
you need to establish and maintain a highly effective
security posture. Booz Allen’s Continuous Monitoring
solutions provide organizations with the automated
capabilities to support timely, cost-effective, risk-based
decisionmaking that uses standardized data feeds,
providing ongoing and historic situational awareness
regarding organizational assets.
Our efficient approach incorporates lessons learned
from large-scale CDM deployments, such as the
Defense Information Systems Agency (DISA), the US
Air Force, and the Department of State. As such,
we understand the complexity of designing and
implementing continuous-monitoring solutions for US
federal government organizations.
We help organizations develop prioritized plans
for implementation and adoption of a continuous
monitoring program, including incremental automation
timed to keep pace with new products, vulnerabilities,
and threats and evolving organizational capabilities. We
further ensure that a continuous-monitoring program
encompasses all monitoring needs across all CMaaS
tool and task areas, including those that cannot
immediately be automated.
With many decades of expertise in information security
compliance, risk management, monitoring, and
automation, our teams of industry professionals are
widely recognized as the experts in their fields. We
are closely aligned with the federal government’s cyber
stakeholders, and we understand how cyber programs,
from the National Cybersecurity Protection System
(NCPS) to Cyberscope, must be closely coordinated if
the security postures of .gov and .mil are to benefit
fully. And, because one size does not fit all, we tailor
solutions to your needs to reduce complexity and
enable efficient implementation—ensuring regulatory
compliance while enhancing situational awareness.
Booz Allen is the only solutions provider that brings
together the requisite skills, resources, and experience
to ensure that your continuous-monitoring solution
is implemented efficiently and matched exactly to
your needs. Our multidisciplinary approach integrates
the human capital side of continuous monitoring
with the tools and technology to achieve change.
This approach ensures a holistic solution in which
continuous monitoring is fully integrated and effectively
achieved. Our solutions are integration-ready: we
use a specification-based integration approach and
open industry standards such as Security Content
Automation Protocol (SCAP). Collectively, these
characteristics reduce integration timelines, minimize
complexity, and eliminate the problem of vendor lock-in.
In addition, the skills and approach we have developed
and fine-tuned for government clients are entirely
applicable to commercial enterprises that are ready
to recognize and incorporate the elevated levels of
security provided by continuous monitoring.
Benefits Delivered
By implementing Booz Allen’s Continuous Monitoring
solutions, your security team spends time remediating
instead of simply monitoring and reporting—proactively
and continuously improving security systems rather
than focusing only on compliance with known
security standards.
Our Continuous Monitoring solutions provide the
capability to collect, organize, analyze, and present the
data that enables effective risk-management decisions
and prioritization of the necessary actions, based on
near real-time comprehensive analysis and scoring.
Put simply, we help you to systematically address
the current status of your organization’s ability to
recognize and remediate threats and vulnerabilities.
Our solutions consistently deliver access control,
confidentiality, integrity, and availability while ensuring
that utilization of system resources and staffing
remains flexible.
Organizations that have selected Booz Allen’s
Continuous Monitoring solutions have seen lower
costs as a result of automation. Our solutions reduce
technical complexity and technical risks by using a
proven design and deployment model that provides
economies of scale with rapid deployment, reduced
IT footprint, and premium vendor pricing. It is a
comprehensive approach that meets and exceeds
the 215 defined tool operational requirements and
provides additional functionality and capabilities—for
example, Network Access Control (NAC), hardware and
software asset tagging and management, SCAP ingest,
and publishing—and is ready to meet tomorrow’s
evolving mission needs by incorporating proven
methods such as intelligent scanning and data tagging.
Users of our Continuous Monitoring solutions also
find that their situational awareness shows significant
improvement, and they are better able to pinpoint and
act on deviations from expectations while meeting
compliance objectives more easily. The net result for
decisionmakers is precise knowledge of what it takes
to prioritize the initiatives that will have the most
positive effects on their security posture.
Inside Booz Allen’s Approach
Our solutions leverage an evolving set of standards
and industry-preferred tools for security automation
capabilities—tools designed not only for traditional
data centers but also for the cloud, for mobile-
computing solutions, and to harness and exploit the
information that Big Data provides.
Booz Allen takes a realistic, phased approach to the
implementation of continuous monitoring, knowing that
every organization has its own discrete requirements,
its own mix of resources, its own state of readiness,
and its own existing security tool infrastructure.
(See the roadmap illustrated below.) This deliberate
approach enables every organization’s monitoring
capabilities to mature over time. Furthermore, it helps
organizations to manage the significant cultural shift to
risk management as a policy that involves all aspects
of confidentiality, integrity, and availability.
The earliest step involves establishing and maintaining
a continuous-monitoring program—from setting out the
strategy, vision, policies, and procedures and identifying
key stakeholders, to identifying roles and responsibilities
and assigning resources. The next step—performing
continuous monitoring—calls for designing the
appropriate infrastructure; testing, implementing, and
maintaining that infrastructure; and establishing data-
collection guidelines, all the way through to providing key
design documentation. In Phase 1, that infrastructure should support asset
management, configuration setting compliance, and
vulnerability management. The third step of the Phase
1 activities guides the organization in institutionalizing
continuous monitoring as a managed process, paying
attention to discrete steps such as establishing process
governance, establishing executive and role-based
training programs, and placing work products under
appropriate levels of control.
Moving on to the second discrete phase, Booz Allen’s
Continuous Monitoring enables the organization to
modify its continuous-monitoring infrastructure based on
a phased approach until all requirements are satisfied,
adding support where necessary (for instance, malware
management) and designing the next release of the
infrastructure based on updated and new requirements.
This phase extends to modifying the continuous-
monitoring process based on collected improvement
information and lessons learned.
At the same time, Booz Allen is careful to incorporate
the human factors inherent in the transition to
continuous monitoring and to automation. We recognize
the importance of project leadership roles; effective,
ongoing communication throughout the organization;
and the meaningful, practical incentives that guide
“real world” behaviors in the workplace. We make sure
this is your security initiative by collaborating closely
with you throughout the phases and being a trusted
advisor to help your organization’s security practices
evolve from labor-intensive custom processes to
processes built on standardized content evaluated by
the government, vendors, testing laboratories, and the
information security community.
Exhibit 1 | Booz Allen Hamilton’s Continuous Monitoring Roadmap (Source: Booz Allen Hamilton)
Phase 1: (1) Establish and Maintain a ConMon Program; (2) Perform ConMon; (3) Institutionalize ConMon as a Managed Process.
Phase 2: (4) Modify the ConMon Infrastructure Based on a Phased Approach Until All Requirements Are Satisfied; (5) Modify the ConMon Process Based on Collected Improvement Information and Lessons Learned.
Booz Allen’s Record Speaks for Itself
Our experience with managing and mitigating security risks spans some of the most demanding information security scenarios across a wide range of US government agencies. Here is a glimpse of where we have added significant value:
• Recognized as industry leader in security measurement and process improvement
• Co-authored National Institute of Standards and Technology (NIST) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (NIST SP 800-137); Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture; NISTIR 7799 DRAFT Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications; NISTIR 7800 DRAFT Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains; NISTIR 7848 DRAFT Specification for the Asset Summary Reporting Format 1.0; NISTIR 7802 Trust Model for Security Automation Data (TMSAD) Version 1.0; NIST Guide for Applying the Risk Management Framework to Federal Information Systems (NIST SP 800-37 rev1)
• Contributed to ISO/IEC standards in information
security
• Developed comprehensive information assurance
(IA) metrics programs for civil/defense agencies
(including the Departments of State, Energy, Army,
and Agriculture)
• Published and presented for CSI, E-Gov IA, ISSEA,
NISSC, PSM, SSTC, NDIA, SEPG, NETSC, and ITSAC
conferences
• Support IT supply chain risk and software assurance
efforts
• Implement SCAP standards into security applications
• Use and develop Open Checklist Interactive Language
(OCIL) content for non-automatable controls
• Provide round-the-clock operations and maintenance
of a global defense infrastructure for which we
plan, provision, configure, customize, operate, and
maintain tools, sensors, and dashboards to enable
continuous-monitoring diagnostics
• Support the development of a solution to facilitate
Federal Information Security Management Act (FISMA)
compliance reporting called Department of Defense
(DoD) Cyberscope (DCS) and the development of
Enterprise Mission Assurance Support Service
(eMASS), which is DoD’s recommended tool for
information system certification and accreditation
Our Services
Booz Allen’s services include:
• Planning and business process reengineering
• Behavioral economics and organizational change
management
• Capabilities to implement all 15 CMaaS functional
areas of tools
• Services to support all 11 CMaaS task areas, from
order planning to tool and sensor operation and
management
• Training and consulting in CDM governance
• Modernization of security management processes
• Automation of compliance checking, vulnerability
management, and security measurement
• Increased compliance with FISMA, Office of
Management and Budget, DoD 8500.2/8510,
Payment Card Industry Data Security Standards (PCI
DSS), and other compliance requirements
• Use of automation to reduce cost of security by
enabling ongoing authorization and data-driven risk
management decisionmaking
• Security metrics and measurement development,
analysis, reporting, and visualization (dashboards)
• Recommendation and implementation of SCAP
technologies and tools
• Customization of SCAP content to help federal
agencies adapt configurations to meet their local
security policies
• Automation of the Federal Desktop Core
Configuration and the US Government Configuration
Baseline implementation and monitoring
• NIST guidance in IA metrics/performance measures
(NIST SP 800-55 and 800-80), Return on Security
Investment (ROSI) (NIST SP 800-65), NIST
Handbook (NIST 800-100), and NIST IR 7756 DRAFT
CAESARS FE
See our ideas in action at www.boozallen.com
Contact Information
George Schu
Senior Vice President
schu_george@bah.com
703-377-5001
Daryl Eckard
Principal
eckard_daryl@bah.com
703-377-7271
Lori Sparks
Principal
sparks_lori_l@bah.com
703-984-3362