In the current state of security compliance, it’s critical to be secure and compliant at all times. No longer is it acceptable to simply be compliant on the day of an assessment, but rather, executives are expected to maintain a comprehensive security compliance program. That’s where Continuous Controls Monitoring comes in.    

Continuous Controls Monitoring (CCM) refers to the use of automated tools and processes to monitor and assess the effectiveness of a company’s controls on a continuous basis. 

Why Should You Care About CCM? 

This is a valid question. The short answer is, CCM can drastically reduce security compliance risks as well as costs of achieving compliance, developing a cyber risk program, and maintaining your compliance program. 

The long answer is to consider how your organization prepares for a cybersecurity assessment, how many resources are spent chasing down technical configurations from security asset owners, and how documenting control readiness and evidence is managed. Meanwhile, when the independent assessor arrives, the fears (often unnecessary) of control gaps come: 

  • Is the evidence requested sufficient to reflect control effectiveness across the entire organization? 
  • Are you hoping and waiting to see whether the “sampled” information request passes inspection, as if playing the lottery? 

Traditionally, to prepare for an assessment, compliance professionals have heavily relied on tools like Excel and Word for managing data collection and reporting processes, while painstakingly requesting screenshots and documentation from subject matter experts across the organization.  

These methods not only consume a considerable amount of time and effort but are also prone to human error resulting in risks going unaddressed. CCM reduces compliance risk by enabling security controls and control owners, allowing for a more streamlined procedure for monitoring and assessing their effectiveness continuously. 

How Does CCM with ASCERA Work? 

Continuous Controls Monitoring with ASCERA leverages system data through existing security technology investments. This maximizes the effectiveness of your organization’s solutions, such as firewalls, intrusion detection systems, and security information and event management (SIEM) platforms by integrating and analyzing data across these systems.  

This data is the actual state: the condition of your systems as reflected in logs and other machine-readable data. 

This data feeds into the ASCERA compliance rules engine, which encodes regulatory requirements, organization-specific policies, and tailored security control frameworks; together these make up your desired state. The rules engine compares the system data (actual state) against the desired state in real time to determine whether your environment is meeting it. 

As a result, ASCERA CCM provides you real-time insight into the status of your control effectiveness and alerts your team if your controls are drifting out of compliance. This approach shifts your compliance program into a proactive state, rather than reacting to inconsistent point-in-time assessments.  


Example 

Control: NIST 800-53: AU-11 Audit Record Retention, NIST 800-171: 3.3.1[e] [f] System Auditing 

Using the CCM methodology, ASCERA compares your logging retention policy (desired state) against existing log records of all log sources and assets in your environment (actual state). As a result, this practice objectively determines if all log sources and assets meet the required retention period to support an investigation of incidents.    

If any log sources or assets in your environment do not meet the log retention requirements, your team will be notified and be able to drill down into the compliance gap to facilitate remediation.   

Your proactive security compliance program will know in real-time if log retention requirements have not been met, and more importantly, your team will have visibility before going into an assessment that all assets are meeting requirements.  
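The following Python script is an added illustration of the actual-state versus desired-state comparison described in this example; it is not ASCERA's code or its rules engine. The retention policy, asset names, source types and timestamps are all constructed for the example, and the status labels (`compliant`, `gap`, `stale`, `no_data`) are assumptions of this sketch. Besides the plain retention gap, it also flags sources that have gone silent, since a source that has stopped sending records cannot be trusted to meet any retention requirement.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Desired state (constructed for this example): the organization's retention policy.
# Required retention in days, with per-source-type overrides for higher-value sources.
RETENTION_POLICY = {
    "default_days": 90,
    "overrides_days": {"domain-controller": 365},
    "stale_after_days": 1,  # a source silent this long cannot be assessed and is flagged
}


@dataclass
class LogSource:
    """Actual state for one log source: what the log platform currently holds."""
    asset: str
    source_type: str
    oldest_record: Optional[datetime]  # None when the platform holds no records at all
    newest_record: Optional[datetime]


@dataclass
class Finding:
    asset: str
    required_days: int
    retained_days: Optional[int]
    status: str  # "compliant", "gap", "stale" or "no_data" (labels assumed for this sketch)


def required_retention_days(policy: dict, source_type: str) -> int:
    """Resolve the desired retention period for a source type from the policy."""
    return policy["overrides_days"].get(source_type, policy["default_days"])


def evaluate_retention(policy: dict, sources: List[LogSource], now: datetime) -> List[Finding]:
    """Compare each source's actual retained window against the required period."""
    findings = []
    stale_cutoff = now - timedelta(days=policy["stale_after_days"])
    for src in sources:
        required = required_retention_days(policy, src.source_type)
        if src.oldest_record is None or src.newest_record is None:
            # Nothing retained at all: the source is either not onboarded or has been purged.
            findings.append(Finding(src.asset, required, None, "no_data"))
            continue
        retained = (now - src.oldest_record).days
        if src.newest_record < stale_cutoff:
            # The source has stopped sending; its retention cannot be trusted until ingestion is restored.
            status = "stale"
        elif retained >= required:
            status = "compliant"
        else:
            status = "gap"
        findings.append(Finding(src.asset, required, retained, status))
    return findings


def gaps(findings: List[Finding]) -> List[Finding]:
    """Everything a compliance team would be alerted on: anything not compliant."""
    return [f for f in findings if f.status != "compliant"]


# Constructed sample of the actual state as a log platform might report it.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SOURCES = [
    LogSource("fw-edge-01", "firewall", NOW - timedelta(days=120), NOW - timedelta(hours=1)),
    LogSource("dc-01", "domain-controller", NOW - timedelta(days=200), NOW - timedelta(hours=2)),
    LogSource("web-03", "web-server", NOW - timedelta(days=95), NOW - timedelta(days=4)),
    LogSource("hr-app", "application", None, None),
]

if __name__ == "__main__":
    for f in gaps(evaluate_retention(RETENTION_POLICY, SAMPLE_SOURCES, NOW)):
        print(f"{f.asset}: {f.status} (required {f.required_days}d, retained {f.retained_days})")
```

In the constructed sample the firewall is compliant, the domain controller holds 200 days against a 365-day requirement and is reported as a gap, the web server has 95 days of history but has been silent for four days and is reported as stale, and the HR application has no records at all. Running the check on a schedule against live inventory data, rather than once before an assessment, is what turns this comparison into continuous monitoring.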

 

Challenges and Considerations with CCM 

  1. Breaking Down Silos: for CCM to work effectively, technical security teams must act as the first line of defense, ensuring that the system data representing the actual state is complete and accurate. 
    • How ASCERA helps: ASCERA, founded by SIEM experts with previous experience building boutique solutions, brings a depth of consulting and engineering background in both Security Analytics and the Cybersecurity Compliance space to facilitate this proactive culture shift into enabling security with compliance utilizing existing data ingestion.  
  2. Establishing Trust: as with any disruption in an industry that is resistant to change, there is a trust barrier that needs to be bridged. “Trust, but verify” is nothing new to the compliance world. 
    • How ASCERA helps: Built with security analytics expertise, ASCERA reports on the status of system data sources to ensure your organization’s security compliance posture remains accurate and up to date.  

The Future of Continuous Controls Monitoring

With CCM becoming a requirement of the most common security compliance frameworks, understanding the basics is essential. If your organization is seeking compliance certification or needs to maintain its current status, solutions that automate CCM can bolster assurance and convenience. ASCERA is a tool that applies the CCM methodology to bridge the gap between your organization’s actual state and desired state. To learn if it’s a good option for your organization’s CCM needs, chat with one of our solutions advisors today!