Risk Management Framework

Important aspects to monitor in the cyclical process of the risk management framework include: 

  • Monitoring Key Updates: Monitoring your update schedule establishes a timeline for system events and marks progress, performance improvements, or problems. System updates are not the only thing that should be continuously monitored. Updates also include refreshing assessments, tracking policy changes, and refreshing the documentation to ensure that everyone is on the same page.
  • Monitoring Environmental Changes: Monitoring when and why major system changes take place allows you to analyze whether the change was instigated by internal or external stimuli, and helps ascertain whether the change was planned or unplanned. This data could prove invaluable for future policy drafts and revisions.
  • Monitoring Reports Pertaining to Security Status: Monitoring security status reports keeps a system administrator abreast of the current state of each information system and the effectiveness of the currently deployed security measures, and a proper report will reveal weaknesses, deficiencies, or vulnerabilities existing in the information security system.
  • Monitoring Security Control Assessments: Although security assessments are addressed in step 4 of the RMF, they should be reviewed again in step 6, as these control assessments can be upgraded pursuant to FISMA revisions and to vulnerabilities revealed later in the System Development Life Cycle that may not have shown themselves earlier.
  • Monitoring Actions Pertaining to Risk Assessment and Remediation: As mentioned under “Monitoring Security Control Assessments”, vulnerabilities are often discovered post-deployment and need to be addressed. By monitoring these remediations, an administrator can analyze the nature of the vulnerability and record the nature of the corrective actions for reference in future remediations or revisions.
  • Monitoring Risk Determination and Acceptance: Finally, it is important to monitor ongoing risk determination and its acceptance. There is always risk, oftentimes more risk than can be appropriately mitigated. It is up to the authorizing official to determine which risks are considered acceptable. In the ever-evolving world of the tech industry, even these acceptable risks can change, so it is important to monitor the determinations and allowances permitted by the authorizing official, and the mitigating circumstances surrounding the final verdict.