Dictionary · NIST SP 800-137
Nouns
- Continuous Monitoring
Maintaining ongoing awareness to support organizational risk decisions.
- data loss
The exposure of proprietary, sensitive, or classified information through either data theft or data leakage.
- Expected Output
Any data collected from monitoring and assessments as part of the Information Security Continuous Monitoring (ISCM) strategy.
- Information Security Continuous Monitoring Program
A program established to collect information in accordance with pre-established metrics, utilizing information readily available in part through implemented security controls.
- Information Security Continuous Monitoring
Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. [Note: The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.]
- Information Security Continuous Monitoring Process
A process to:
  - Define an ISCM strategy;
  - Establish an ISCM program;
  - Implement an ISCM program;
  - Analyze data and report findings;
  - Respond to findings; and
  - Review and update the ISCM strategy and program.
- Organizational Information Security Continuous Monitoring
Ongoing monitoring sufficient to ensure and assure effectiveness of security controls related to systems, networks, and cyberspace, by assessing security control implementation and organizational security status in accordance with organizational risk tolerance – and within a reporting structure designed to make real-time, data-driven risk management decisions.
- Security Control Effectiveness
The measure of correctness of implementation (i.e., how consistently the control implementation complies with the security plan) and how well the security plan meets organizational needs in accordance with current risk tolerance.
- Security Automation Domain
An information security area that includes a grouping of tools, technologies, and data.
- Status Monitoring
Monitoring the information security metrics defined by the organization in the information security ISCM strategy.