Continuous monitoring is a process that detects compliance issues in an organization’s information system (IS) environment. The United States Department of State performs continuous monitoring on its network of 40,000 computers and 5,000 routers, which support 285 posts throughout the world. It uses the Risk Scoring Program (RSP) to monitor an information system and assess its security in ten categories. The system receives a score between one and ten in each category, with one representing the highest level of security and ten the lowest. The RSP uses these ten scores to assign a single letter grade to the IT professionals responsible for that system, with “F-” being the worst grade and “A” the best. This assessment is performed at least once every two days.
The continuous-monitoring model of the RSP shows IT professionals their degree of risk, and it also encourages a sense of competition with their peers. The State Department reports that its RSP has reduced the risk of its domestic systems by 83 percent and that of its foreign systems by 84 percent since 2008. The Office of Management and Budget (OMB) has also implemented a security dashboard to complement CyberScope’s automated reporting capability. This dashboard helps to ensure that CyberScope submits its reports in a timely manner.
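The scoring model described above, as an added example that is not the State Department's own RSP code: ten category scores on the 1-to-10 scale (1 = most secure) are validated, aggregated into one letter grade, and checked against the two-day assessment cadence. The category names, the grade bands between "A" and "F-", and the use of the mean as the aggregate are assumptions; the page states only the endpoints and the cadence.

```python
from datetime import datetime, timedelta

# Constructed placeholder names; the page does not list the actual ten categories.
CATEGORIES = [f"category_{i}" for i in range(1, 11)]

# Assumed bands from the mean score (1 = best, 10 = worst) to a letter grade.
# Only the endpoints "A" (best) and "F-" (worst) come from the page.
GRADE_BANDS = [(2.0, "A"), (3.0, "B"), (4.0, "C"), (5.0, "D"), (7.0, "F"), (10.0, "F-")]

MAX_AGE = timedelta(days=2)  # assessed at least once every two days


def validate_scores(scores):
    """Reject reports that miss a category or use a value outside 1..10.
    The scale is inverted (1 is most secure), so a range check is the
    first line of defence against a report built on the wrong convention."""
    missing = [c for c in CATEGORIES if c not in scores]
    if missing:
        raise ValueError(f"missing categories: {missing}")
    for name, value in scores.items():
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{name}: score {value!r} is not an integer in 1..10")


def letter_grade(scores):
    """Aggregate the ten category scores into a single letter grade."""
    validate_scores(scores)
    mean = sum(scores[c] for c in CATEGORIES) / len(CATEGORIES)
    for upper, grade in GRADE_BANDS:
        if mean <= upper:
            return grade
    return "F-"


def is_stale(assessed_at, now):
    """True when the last assessment is older than the two-day cadence."""
    return now - assessed_at > MAX_AGE


def score_report(scores, assessed_at, now):
    """Summary a dashboard would show: grade, the weakest category
    (a mean can hide one badly failing area), and staleness."""
    worst = max(CATEGORIES, key=lambda c: scores[c])
    return {
        "grade": letter_grade(scores),
        "worst_category": worst,
        "worst_score": scores[worst],
        "stale": is_stale(assessed_at, now),
    }


if __name__ == "__main__":
    # Constructed sample: a mostly secure system with one weak category.
    sample = {c: 1 for c in CATEGORIES}
    sample["category_3"] = 4
    now = datetime(2024, 1, 10)
    print(score_report(sample, now - timedelta(days=3), now))
```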