Now that we have a production information system that has been fully authorized to operate by an executive leader with the appropriate authority to accept risk on behalf of the organization, we need to begin the process of operations and maintenance.
The operations and management phase for an information system is referred to as continuous monitoring. The purpose behind continuous monitoring is to ensure that the security controls that were designed and tested as part of the information system's development continue to be effective over the life of the system.
In the past, an information security professional would ensure that an information system was adequately protected as it was going into production. After that, the system was treated as secure until the authorizing official or compliance requirements dictated it was time to review the security documentation again. The reality is that an information system does not stay secure for...