8/7/2019 ApplicationPMon
http://slidepdf.com/reader/full/applicationpmon 1/2
Traditionally, information technology (IT) security and capital planning and investment control (CPIC) processes have been performed independently by security and capital planning practitioners. However, the Federal Information Security Management Act (FISMA) of 2002 and other existing federal regulations charge agencies with integrating the two activities. In addition, with increased competition for limited federal budgets and resources, agencies must ensure that available funding is applied towards the agencies' highest priority IT security investments.

Applying funding towards high-priority security investments supports the objective of maintaining appropriate security controls, both at the enterprise-wide and system level, commensurate with levels of risk and data sensitivity. This special publication (SP) introduces common criteria against which agencies can prioritize security activities to ensure that corrective actions identified in the annual FISMA reporting process are incorporated into the capital planning process to deliver maximum security in a cost-effective manner.

The implementation of IT security and capital planning practices within the federal government is driven by a combination of legislation, rules and regulations, and agency-specific policies. FISMA requires agencies to integrate IT security into their capital planning and enterprise architecture processes, conduct annual IT security reviews of all programs and systems, and report the results of those reviews to the Office of Management and Budget (OMB). Therefore, the implementation of FISMA legislation effectively integrates IT security and capital planning because agencies must document resource and funding plans for IT security. Furthermore, implementation of FISMA legislation is intended to ensure that agency resources are protected and risk is effectively managed. It requires that agencies incorporate IT security into the life cycle of their information systems. OMB's FISMA reporting guidance also references use of the National Institute of Standards and Technology (NIST) SP 800-26, Security Self-Assessment Guide for Information Technology Systems, to evaluate agency security programs. The results of the self-assessment should be documented in the agency's annual FISMA report and logged in the agency's plan of action and milestones (POA&M), along with POA&M inputs from other appropriate sources. The agency must then determine the costs and timeframes associated with mitigating the weaknesses identified in the POA&Ms. These costs are captured in the system or program's annual OMB Exhibit 300 and in the enterprise-wide Exhibit 53, which are the funding vehicles submitted to OMB to secure an operating budget. Figure ES-1 illustrates this process.
Introduction
Monitoring applications to detect and respond to problems - before an end user is even aware that a problem exists - is a common systems requirement, especially for revenue-generating production environments. Most administrators understand the need for application monitoring. Infrastructure teams, in fact, typically monitor the basic health of application servers by keeping an eye on CPU utilization, throughput, memory usage and the like. However, there are many parts to an application server environment, and understanding which metrics to monitor for each of these pieces differentiates those environments that can effectively anticipate production problems from those that might get overwhelmed by them.

When applied in an appropriate context, application monitoring is more than just the data that shows how an application is performing technically. Information such as page hits, frequency and related statistics, contrasted against each other, can also show which applications, or portions thereof, have consistently good (or bad) performance. Management reports generated from the collected raw data can provide insights on the volume of users that pass through the application. An online store, for example, could compare the dollar volume of a particular time segment against actual page hits to expose which pages are participating in higher or lower dollar volumes.