Example Information Security Continuous Monitoring (ISCM) Plan

Information Security Continuous Monitoring (ISCM) Plan

Bellevue University Administration Office

Version 1.0


The Bellevue University Administration Office’s information security system (hardware, software), protocols, procedures, and policies will all be subjected to clear, strict, and all-encompassing methods to ensure the continuous monitoring of all facets of the security program.

To ensure that the organization maintains situational awareness of all systems, as well as continuously staying ahead of rising threats and threat activities, all infosec and IT staff, as well as department leads, will undergo significant training in regular intervals covering the many aspects of information security at the Administration Office; furthermore, all three groups will conduct mandatory training sessions in regular intervals for all other Administration Office staff. Training will focus on ensuring that best practices are utilized for daily business operations, thus ensuring the success of the collecting and monitoring of data for each security layer in the IT infrastructure.

To further benefit the constant visibility of security controls, as well as their frequent monitoring, data-collection, updating, maintenance, and auditing, certain infosec personnel will be assigned specific tasks, who will the then be assisted by IT staff, all under the direct supervision of the CSO (with steady communication with the CTO). Each staff member (or team) will perform their assigned duties per the ISCM plan and submit weekly or quarterly reports (depending on sophistication or risk of the system(s) involved) to their manager, who in turn will perform a verification of the submitted data and submit all data collected to the CSO; this data, when possible, shall be in two forms: a full detailed report and sophisticated (yet summarized) statistics and media (graphs, charts, etc.)

To provide a more immediate, actionable communication process across all tiers of the organization, we will create (utilizing current ticketing software implemented at Bellevue University) a separate, secure group to be used by the ISCM plan’s members, with varying levels of roles for each tier, enforceable SLA policies, and several automations and edits to enable the quick approval from upper-management regarding significant security concerns and their solutions; by using this system, proper documentation will be compiled in each step of the troubleshooting and solution phase, thus creating a paper trail for legal matters and enabling the weekly and quarterly ISCM reports to be effortlessly compiled with up-to-date and accurate data.

To further strengthen the above security practices of the ISCM, the Bellevue University Administration Office will incorporate various security automation domains which provide and support continuous monitoring, per NIST’s SP800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations; included in these domains, are Asset Management, Incident Management, and Patch Management. Per the ‘D.1.1 Vulnerability and Patch Management’ security automation domain, to combat the magnitude of security concerns regarding vulnerabilities and improper patch management, Bellevue University will utilize vulnerability scanners and automated patch management tools (which have been authorized, approved, and configured by security middle management.) Infosec and IT staff will perform regular and frequent scans of their assigned information asset quadrant; the data accumulated will then be used in their weekly or quarterly reports.

Event and incident monitoring and management will be governed by NIST’s ‘D.1.2 Event and Incident Management’ security automation domain; under its guidance, infosec staff will use intrusion detection systems and logging tools (which have been authorized, approved, and configured by security middle management), to perform regular and frequent scans of their assigned information asset quadrant; the data accumulated will then be used in their weekly or quarterly reports. All events and incidents shall be thoroughly researched, documented, and logged, following a robust and regulated document created and managed my infosec upper management (under direct supervision from the CSO). By utilizing the extensive data involved with monitoring and logging incidents and events, weekly and quarterly reports shall contain the necessary information to notice patterns, develop solutions, and remedy vulnerabilities (all while granting excellent visibility to upper management and stakeholders).

Bellevue University infosec and IT staff, following NIST’s ‘D.1.4 Asset Management’ security automation domain, shall create and continuously update/review a complete IT asset inventory, including hardware, software, backups, and employee-owned devices (pending organizational-involvement or data). By utilizing network and software license management tools, in conjunction with sophisticated network discovery programs, a complete and detailed list of all currently used (or stored) devices or software owned by the organization shall be kept accurate and secure; this information will be kept in a company-issued document or program, and all tools/programs will be authorized, approved, and configured by security/IT middle management. The asset inventory and management system need to be accessible by other infosec/IT teams, for the tasks of vulnerability, patch, event, and incident management require the ability to view the entire IT infrastructure at a glance.

            Even the most sophisticated information security monitoring plan is nothing without the ability to seamlessly compile the vast amount of data accumulated and form it into a medium that can be understood and acted upon by those who make the tough calls. As I previously mentioned the documentation process, as well as the proper reporting procedures of this ISCM plan, I will now further detail how the Administration Office’s ISCM data will be aggregated and analyzed. Per NIST, “Aggregation and analysis technologies are those that have the capability to collect raw data from one or more security controls or other direct data gathering technologies and correlate, analyze, and represent the raw data in a way that provides a more meaningful perspective on the effectiveness of security control implementation across part or all of an organization than would data from any single technology” (NIST, 2011).

            Per NIST’s D.2.1 Security and Event Management (SIEM), the Bellevue University Administration Office will utilize SIEM centralized logging software tools to compile the vast amount of security data from numerous information system components, such as audits and vulnerability scans. Per NIST’s D.2.2 Management Dashboards, the Administration Office will develop, use, and maintain dashboards which communicate, in real-time, the state of organizational security; by using this form of media, security and IT management, as well as stakeholders, can access the magnitude of associated data in regards to infosec. The use of aggregation and analysis technologies will be enforced, revised continuously, and kept updated to ensure the proper visibility of the status of all security systems, policies, and protocols (NIST, 2011).

            Due to the complication and length of time it takes to perform many of the tasks involved in this ISCM plan, automation will play a key role in meeting and exceeding the expectations of both IT and infosec staff. Through the use of automatic patch and software management tools, as well as automated network discovery and vulnerability scans applications, IT and infosec staff will be able to keep up with the demand of business information processes, as well as ensure the proper confidentiality, integrity, and availability of all organizational data. Per NIST’s D.3.1 Security Content Automation Protocol (SCAP), Bellevue University infosec and IT staff will be able to utilize SCAP’s Product Validation Program, among others, to assist in their daily security operations via the aid of automation. All automation tools, programs, and procedures shall be authorized, approved, and configured by security middle management before use, and continuously audited, monitored, and updated.


Whitman, M. & Mattord, H. (2016). Management of Information Security (6th ed.). Boston, MA: Cengage Learning.

NIST. (2011). SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Retrieved February 18, 2020, from



Categories: Security

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s