IBM Cloud Docs
CA-7 - Continuous Monitoring

CA-7 - Continuous Monitoring

Control requirements

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

CA-7 (a)
Establishment of [Assignment: organization-defined metrics] to be monitored;
CA-7 (b)
Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
CA-7 (c)
Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
CA-7 (d)
Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
CA-7 (e)
Correlation and analysis of security-related information generated by assessments and monitoring;
CA-7 (f)
Response actions to address results of the analysis of security-related information; and
CA-7 (g)
Reporting the security status of organization and the information system to [IBM Assignment: to meet customer requirements] [IBM Assignment: monthly].

Additional IBM Cloud for Financial Services specifications

  • The customer has the right to request and review organization processes, procedures, and documentation (e.g. architecture diagrams, security and control environment, data management, incident management, etc.) in order to validate customer's policy, standards, outsourcing risk management framework, and regulatory requirements are being met by the organization.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

IBM Cloud for Financial Services profile

The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

Rules for CA-7 in IBM Cloud for Financial Services v1.2.0 profile
Requirement ID Rules
CA-7 (d)
  • Check whether Container Registry Vulnerability Advisor scans for critical or high vulnerabilities in the system at least every # day(s)
  • Check that Activity Tracker Event Routing is configured to collect global events generated by IBM Cloud services

NIST supplemental guidance

Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.