This document provides guidance to Cloud Service Providers (CSPs) on FedRAMP's continuous monitoring strategy and requirements for maintaining provisional authorization. It describes roles and responsibilities, expectations for operational visibility, change control processes, required control assessment frequencies, annual self-attestation requirements, and assistance with incident response. CSPs must continuously monitor their systems, report any changes to security controls, and provide annual updates to maintain their FedRAMP authorization.
SAP FI is a module in SAP ERP that handles financial accounting and management. It includes submodules for general ledger, accounts receivable, accounts payable, asset accounting, and other financial functions. This tutorial provides an introduction to SAP FI, its modules, and how to set up key components like the chart of accounts, account groups, posting keys, and document types. It aims to help consultants and professionals learn how to implement and work with the SAP FI module.
Ticketing tools are used to track issues reported by end users and assign them to the appropriate support team. These tools vary depending on the company and client, but common examples include Remedy, Clarify, and OVSD. A ticketing tool allows support teams to log the details of each issue, assign ownership, update progress, and ultimately resolve the issue. When on call to provide production support, the person would first open and review any high-severity tickets, check server logs to diagnose the problem, and update stakeholders on their findings and efforts to resolve the issue.
As a functional consultant, when I work on different kinds of projects, solve tickets, or handle client requirements, I may require Basis help to find out something that is more important at that time. I got stuck many times and realized that there are a few things a functional consultant must know about Basis.
Learning a new skill every day can only be positive for your career. SAP professionals who want to know SAP Basis basics, here is my SlideShare link for all...
The document discusses an SAP R/3 implementation presentation. It covers the purpose and key components of the implementation, which includes multiple sites and countries. It then discusses various topics including the implementation methodology, technical infrastructure, program approach, and challenges of organizational change required for the implementation.
The document outlines a proposed third-party risk management program for Ernst Bank. It includes developing a risk assessment methodology to classify vendors. A risk assessment tool would be used to evaluate inherent risk and mitigating controls. The solution involves a three-phase approach: 1) planning the program, 2) testing the program on a small scale, and 3) implementing the program organization-wide. The program aims to address regulatory requirements and ensure accountability of third-party vendors.
Framework of SAP MM blueprint by pennonsoft (PennonSoft)
Pennonsoft is one of the leading training and consulting companies in the USA, with a good placement track record. We have certified trainers. We provide online training and fast-track online training, with job assistance. We provide excellent training in all courses. Faculty from top MNCs with highly skilled domain expertise will train and guide you with real-time examples and project explanations. We also help you with resume preparation and provide job assistance until you get a job.
Our Training Features:
* Online training by certified / experienced trainers
* Training with real-time scenarios
* Exercise handouts / course pack and visual navigations
* Certification-oriented material, e-books, online doubts clarification
* Video navigation files
* Audio/visual presentations
* Certification preparation guidance / mock tests
* Computer-based training files
* Exploring the phases of the full life cycle implementation
* Exploring functional/technical documentation
* Tips and techniques for preparing for certification
* Support for candidates in resume preparation and interview preparation
What We Offer You:
* Excellent faculties from all parts of the world – US, who have vast experience working with top-notch US companies for several years
* Premarketing: our premarketing team will assist you with technical screening, resume guidance, interview orientation sessions and mock interviews, before we actually start marketing
* Presentations / seminars on real-time scenarios by senior consultants who share business scenarios and interview questions
* On-job support for the first few months to build your confidence
* 100% success rate for motivated and hard-working trainees.
Courses We Offer:
Hyperion: Essbase, Planning, DRM, HFM, DQM
Oracle: APPS R12 Functional, Project Accounting
DWH: Datastage, Cognos, Cognos TM1, Informatica, Ab Initio, Teradata, MSBI, Microstrategy, OBIEE, Oracle Data Integrator (ODI), BODI
SAP: GTS, FICO, BPC, HANA, IS Retail, GRC, BO, BW/BI, FSCM, BASIS, HR/HCM, MDM, SCM, CRM 7.0, BODS, NetWeaver, Security, ABAP HR, EP Development, ABAP Workflow, ... and all SAP modules
Other Courses: Hadoop, Salesforce CRM, Cloud Computing, Crystal Reports, etc.
Note: We can customize any course as per your requirement.
Contact Us
Pennonsoft Info Solutions
Broad St, Greendale, WI 53129
Call us: (414) 433-4823 / (414) 433-4825
This document provides a user manual for material movements in SAP, including goods receipt, reservation, transfer posting, goods issue, goods movement, outbound delivery, returnable gatepass, non-returnable gatepass, and physical verification. It includes over 30 individual procedures for each transaction type, describing the key fields, steps, and expected outputs. The goal is to guide users through the various inventory movement processes in SAP for materials management.
04 Movement types and transfer requirement (Asha Panda)
This document defines warehouse management (WM) movement types and transfer requirements (TR) in SAP. It explains how to assign inventory management (IM) movement types to WM reference movement types, which determines the corresponding WM movement type. IM movement types not involving WM are assigned to reference type 999. It describes how TR numbers are defined and how manual and immediate TR creation can be controlled based on WM movement types. Finally, it lists some common goods movements that typically result in TR creation, such as transfers between IM and WM locations and goods issue/receipts.
Best Practices for Ensuring SAP ABAP Code Quality and Security (Virtual Forge)
This document discusses best practices for ensuring ABAP code quality and security. It notes that today's practices often involve manual code reviews and basic testing tools with limitations. The document recommends online scanning during development, testing all outsourced code, and automatic scanning of all ABAP changes. Following these best practices can help lower risks of vulnerabilities, lower costs through earlier defect detection, and ensure compliance. An optional complimentary code scan is offered to analyze risks in a company's own ABAP code.
The document describes the ASAP Roadmap, which provides guidance through five phases of an SAP implementation project: 1) Project Preparation, 2) Business Blueprint, 3) Realization, 4) Final Preparation, and 5) Go-Live and Support. It outlines key activities in each phase, including initial planning, configuring business processes, user acceptance testing, training, go-live, and post go-live support. The roadmap is intended to provide a clear plan for implementing an SAP project from start to finish.
This document provides an overview of SAP's audit management functionality, including the phases of audit management, configuration, and roles. It describes how audit management facilitates systematic audits by defining question lists, executing audits, evaluating results, and managing corrective actions. Key data objects like question lists, audit plans, and corrective actions are also summarized.
This document discusses risk management according to the ISO 27001 standard. It outlines the key elements of risk assessment, including identifying assets, threats, vulnerabilities, impact, and likelihood. The process of risk management involves six steps: identifying threats, assessing inherent risk, identifying controls, identifying vulnerabilities, determining residual risk, and creating a risk treatment plan. Proper risk management is proactive and helps control possible future events over the life of a project.
This document provides a mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013. It includes tables that map the ISMS requirements and Annex A controls between the two versions, noting new, unchanged, deleted and reverse requirements. The purpose is to provide guidance on the changes between the standards.
This document summarizes a capstone project for a daycare software application. It includes an overview of the project context, assumptions, people who work at the daycare, contextual and ERD diagrams, employee webpages, technical details of the application, security measures, testing done, and a request for questions.
This document discusses how Android fits into the enterprise workplace by providing security features and APIs for managing devices. It describes how IT departments demand data security, device management and controlled application deployment from employee phones. The Device Administration API allows "security aware" apps to enforce policies like password requirements, remote wiping of devices and disabling of features. Key aspects of the API include DeviceAdminReceiver for handling events, DevicePolicyManager for managing policies, and metadata for defining allowed usage policies.
The document provides guidance for directors on reviewing the effectiveness of internal control systems, as outlined in the Combined Code on Corporate Governance. It discusses responsibilities of directors and management, and emphasizes that effective internal control is best achieved through ongoing, embedded processes rather than a single annual review. The guidance requires regular review of internal control systems beginning December 2000, and outlines recommendations for implementation.
This document summarizes the steps in a production order that includes external processing and quality checks. It involves:
1) Creating a production order for a hexagon bolt with an external processing operation.
2) Generating a purchase requisition and purchase order for the external operation.
3) Receiving the goods from the external vendor.
4) Performing in-process and final inspections with quality management and updating the stock.
This complete deck can be used to present to your team. It has PPT slides on various topics highlighting all the core areas of your business needs. This complete deck focuses on Operational Risk Assessment PowerPoint Presentation Slides and has professionally designed templates with suitable visuals and appropriate content. The deck consists of a total of twenty-four slides. All the slides are completely customizable for your convenience. You can change the colour, text and font size of these templates. You can add or delete content if needed. Get access to this professionally designed complete presentation by clicking the download button below.
This document discusses a facial expression recognition system using deep learning methods. It summarizes that facial expression recognition involves pre-processing, face detection, feature extraction, and expression classification. The project aims to identify seven human emotions (anger, disgust, fear, happiness, sadness, surprise, neutral) using deep learning models. It outlines the software and hardware requirements needed and provides an overview of the data flow and algorithms used, which involve collecting labeled image data, pre-processing, face detection, converting to grayscale, passing images through convolutional and pooling layers during training.
This document provides guidance on configuring service documents and pricing procedures in SAP MM. It discusses setting up number ranges for service purchase orders and entry sheets. It also explains how to configure service pricing procedures by maintaining condition types, access sequences, condition tables, calculation schemas and schema assignments. Configuring these service documents and pricing elements correctly is important for accurate service procurement and invoicing in SAP MM.
ISMS Implementer Course Module 1: Introduction to Information Security (anilchip)
This is Module 1 of the ISMS implementation course, a 3-day hands-on course with case studies. This sample module also has audio attached to the presentation, so while running the file please ensure your audio is switched on.
ISO 27001:2013 Implementation procedure (Uppala Anand)
This document outlines 35 steps to implement an ISO 27001:2013 information security management system (ISMS) from scratch. The steps are divided into four phases: plan, do, check, and act. The planning phase involves obtaining management approval, understanding the organization and its needs, defining the ISMS scope and objectives. The doing phase includes performing risk assessments, selecting controls, and implementing risk treatment plans. The checking phase consists of monitoring performance, auditing, and collecting feedback. The acting phase is for reviewing performance, deciding on improvements, and planning corrective actions.
This document discusses Wipro's experience helping a customer transition from their existing SIEM platform to Splunk for security monitoring and analytics. It describes how Wipro guided the customer through a two-phase implementation: first standing up a hybrid on-premise/cloud Splunk deployment to address immediate needs, and now expanding that deployment to 500GB/day in Splunk Cloud and 200GB/day on-premise to accommodate growing data and use cases. The transition yielded significant improvements in search performance, data ingestion and parsing flexibility, and enhanced security visualization and analytics capabilities.
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018 (Schellman & Company)
ISO 27017/27018 is the first international code of practice that focuses on the protection of personal data in the cloud. It is based on the ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) in public clouds.
Discover:
• Background of ISO 27017 and 27018
• Scope and Purpose
• Comparison with ISO 27001 and 27002
• Future of ISO 27017 with ISO 27018
• Challenges and Benefits
• Certification Process and Next Steps
This document discusses measuring information security programs through metrics and key performance indicators (KPIs). It provides an overview of why measuring security programs is important, how to develop metrics and KPIs, and examples of metrics that could be used. The presentation recommends developing a security scorecard with regular measurements to assess the effectiveness of a security program and identify areas for improvement through a continuous process of analysis, reporting, rationalization, and prioritization of actions.
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa... (Compliance LLC)
Certified Risk and Compliance Management Professional (CRCMP) Prep Course – Part A
First Certified Course
Certified Risk and Compliance Management Professional (CRCMP)
This course has been designed to provide participants with the knowledge and skills needed to understand and support regulatory compliance and enterprise-wide risk management, and to promote best practices and international standards that align with business and regulatory requirements.
The course provides participants with the skills needed to pass the Certified Risk and Compliance Management Professional (CRCMP) exam.
This course is intended for professionals who want to understand risk and compliance and to work as risk and compliance officers. They will prove that they are qualified when they pass the Certified Risk and Compliance Management Professional (CRCMP) exam.
This course is also intended for employers demanding qualified risk and compliance professionals. The course is recommended for senior executives involved in risk and compliance.
Proactive End-User Experience Monitoring of Enterprise IT Services (techweb08)
Hypersoft is a company that specializes in monitoring end-user experience of enterprise IT services. It has over 200 customers and monitors over 2 million users. The document discusses defining business transactions to monitor, different techniques for measuring user experience including actual user monitoring and synthetic transaction probing, and combining various monitoring approaches. It emphasizes the importance of focusing on business-level transactions and metrics that are comprehensible to stakeholders in order to proactively ensure high quality of experience.
Best Practices for Ensuring SAP ABAP Code Quality and SecurityVirtual Forge
This document discusses best practices for ensuring ABAP code quality and security. It notes that today's practices often involve manual code reviews and basic testing tools with limitations. The document recommends online scanning during development, testing all outsourced code, and automatic scanning of all ABAP changes. Following these best practices can help lower risks of vulnerabilities, lower costs through earlier defect detection, and ensure compliance. An optional complimentary code scan is offered to analyze risks in a company's own ABAP code.
The document describes the ASAP Roadmap, which provides guidance through five phases of an SAP implementation project: 1) Project Preparation, 2) Business Blueprint, 3) Realization, 4) Final Preparation, and 5) Go-Live and Support. It outlines key activities in each phase, including initial planning, configuring business processes, user acceptance testing, training, go-live, and post go-live support. The roadmap is intended to provide a clear plan for implementing an SAP project from start to finish.
This document provides an overview of SAP's audit management functionality, including the phases of audit management, configuration, and roles. It describes how audit management facilitates systematic audits by defining question lists, executing audits, evaluating results, and managing corrective actions. Key data objects like question lists, audit plans, and corrective actions are also summarized.
This document discusses risk management according to the ISO 27001 standard. It outlines the key elements of risk assessment, including identifying assets, threats, vulnerabilities, impact, and likelihood. The process of risk management involves six steps: identifying threats, assessing inherent risk, identifying controls, identifying vulnerabilities, determining residual risk, and creating a risk treatment plan. Proper risk management is proactive and helps control possible future events over the life of a project.
This document provides a mapping between the requirements of ISO/IEC 27001:2005 and ISO/IEC 27001:2013. It includes tables that map the ISMS requirements and Annex A controls between the two versions, noting new, unchanged, deleted and reverse requirements. The purpose is to provide guidance on the changes between the standards.
This document summarizes a capstone project for a daycare software application. It includes an overview of the project context, assumptions, people who work at the daycare, contextual and ERD diagrams, employee webpages, technical details of the application, security measures, testing done, and a request for questions.
This document discusses how Android fits into the enterprise workplace by providing security features and APIs for managing devices. It describes how IT departments demand data security, device management and controlled application deployment from employee phones. The Device Administration API allows "security aware" apps to enforce policies like password requirements, remote wiping of devices and disabling of features. Key aspects of the API include DeviceAdminReceiver for handling events, DevicePolicyManager for managing policies, and metadata for defining allowed usage policies.
The document provides guidance for directors on reviewing the effectiveness of internal control systems, as outlined in the Combined Code on Corporate Governance. It discusses responsibilities of directors and management, and emphasizes that effective internal control is best achieved through ongoing, embedded processes rather than a single annual review. The guidance requires regular review of internal control systems beginning December 2000, and outlines recommendations for implementation.
This document summarizes the steps in a production order that includes external processing and quality checks. It involves:
1) Creating a production order for a hexagon bolt with an external processing operation.
2) Generating a purchase requisition and purchase order for the external operation.
3) Receiving the goods from the external vendor.
4) Performing in-process and final inspections with quality management and updating the stock.
This complete deck can be used to present to your team. It has PPT slides on various topics highlighting all the core areas of your business needs. This complete deck focuses on Operational Risk Assessment Powerpoint Presentation Slides and has professionally designed templates with suitable visuals and appropriate content. This deck consists of total of twenty four slides. All the slides are completely customizable for your convenience. You can change the colour, text and font size of these templates. You can add or delete the content if needed. Get access to this professionally designed complete presentation by clicking the download button below.
This document discusses a facial expression recognition system using deep learning methods. It summarizes that facial expression recognition involves pre-processing, face detection, feature extraction, and expression classification. The project aims to identify seven human emotions (anger, disgust, fear, happiness, sadness, surprise, neutral) using deep learning models. It outlines the software and hardware requirements needed and provides an overview of the data flow and algorithms used, which involve collecting labeled image data, pre-processing, face detection, converting to grayscale, passing images through convolutional and pooling layers during training.
This document provides guidance on configuring service documents and pricing procedures in SAP MM. It discusses setting up number ranges for service purchase orders and entry sheets. It also explains how to configure service pricing procedures by maintaining condition types, access sequences, condition tables, calculation schemas and schema assignments. Configuring these service documents and pricing elements correctly is important for accurate service procurement and invoicing in SAP MM.
Isms Implementer Course Module 1 Introduction To Information Securityanilchip
This is the Module 1 of ISMS implementation course - is a 3 days hands-on course with case studies. This sample module also has an audio attached to the presentation so while running the file please ensure your audio is switched to ON.
ISO 27001:2013 Implementation procedureUppala Anand
This document outlines 35 steps to implement an ISO 27001:2013 information security management system (ISMS) from scratch. The steps are divided into four phases: plan, do, check, and act. The planning phase involves obtaining management approval, understanding the organization and its needs, defining the ISMS scope and objectives. The doing phase includes performing risk assessments, selecting controls, and implementing risk treatment plans. The checking phase consists of monitoring performance, auditing, and collecting feedback. The acting phase is for reviewing performance, deciding on improvements, and planning corrective actions.
This document discusses Wipro's experience helping a customer transition from their existing SIEM platform to Splunk for security monitoring and analytics. It describes how Wipro guided the customer through a two-phase implementation: first standing up a hybrid on-premise/cloud Splunk deployment to address immediate needs, and now expanding that deployment to 500GB/day in Splunk Cloud and 200GB/day on-premise to accommodate growing data and use cases. The transition yielded significant improvements in search performance, data ingestion and parsing flexibility, and enhanced security visualization and analytics capabilities.
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018Schellman & Company
ISO 27017 /27018 is the first international code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to public cloud Personally Identifiable Information (PII).
Discover:
• Background of ISO 27017 and 27018
• Scope and Purpose
• Comparison with ISO 27001 and 27002
• Future of ISO 27017 with ISO 27018
• Challenges and Benefits
• Certification Process and Next Steps
This document discusses measuring information security programs through metrics and key performance indicators (KPIs). It provides an overview of why measuring security programs is important, how to develop metrics and KPIs, and examples of metrics that could be used. The presentation recommends developing a security scorecard with regular measurements to assess the effectiveness of a security program and identify areas for improvement through a continuous process of analysis, reporting, rationalization, and prioritization of actions.
Certified Risk and Compliance Management Professional (CRCMP) Prep Course Pa... (Compliance LLC)
Certified Risk and Compliance Management Professional (CRCMP) Prep Course – Part A
First Certified Course
Certified Risk and Compliance Management Professional (CRCMP)
This course has been designed to provide participants with the knowledge and skills needed to understand and support regulatory compliance and enterprise-wide risk management, and to promote best practices and international standards that align with business and regulatory requirements.
The course provides the skills needed to pass the Certified Risk and Compliance Management Professional (CRCMP) exam.
This course is intended for professionals who want to understand risk and compliance and to work as risk and compliance officers. They prove that they are qualified when they pass the Certified Risk and Compliance Management Professional (CRCMP) exam.
This course is also intended for employers who need qualified risk and compliance professionals, and is recommended for senior executives involved in risk and compliance.
Proactive End-User Experience Monitoring of Enterprise IT Services (techweb08)
Hypersoft is a company that specializes in monitoring end-user experience of enterprise IT services. It has over 200 customers and monitors over 2 million users. The document discusses defining business transactions to monitor, different techniques for measuring user experience including actual user monitoring and synthetic transaction probing, and combining various monitoring approaches. It emphasizes the importance of focusing on business-level transactions and metrics that are comprehensible to stakeholders in order to proactively ensure high quality of experience.
The document discusses the importance of buzz monitoring strategies for businesses, noting that social media now influences search engine results and legitimate consumer voices must be actively heard. It outlines key areas to monitor like products, brands, and competition, and recommends metrics and tools companies can use to measure buzz, understand consumer insights, and mitigate any negative coverage.
Monitoring the Enterprise: Examples and Best Practices (Cody Eding)
This document discusses monitoring best practices and examples. It recommends proactively monitoring systems and services rather than reacting to issues. This allows for improved customer satisfaction and justification for changes. The document explores options for what to monitor, factors to consider like resources, and examples of state and process monitoring using tools like Nagios, PowerShell, and vRealize. Best practices discussed include automating monitoring, setting sane thresholds, and generating only actionable alerts.
AppSphere 15 - How Your Monitoring Strategy Needs to Evolve for Single Page Apps (AppDynamics)
Applications are continually changing: the ways users find and engage with new content and application types keep becoming richer. The key user-interface change behind these compelling applications is the single page app (SPA). Measuring SPAs is a challenge because of the number of frameworks and technologies in use today. AppDynamics has created new technology to measure real user experience for these frameworks.
Key takeaways:
- Why customers choose Single Page App frameworks to deliver better user experiences
- A model for effectively monitoring the performance of SPA apps
- How AppD delivers on this model with a focus on Angular.js
- How to think about asynchronous calls in a SPA world
This deck was originally shared at AppSphere 2015.
This document provides an overview of the FedRAMP process for obtaining security authorization for cloud systems. It describes the objectives of FedRAMP, including establishing a standardized approach to assessing and authorizing cloud systems. The document then outlines the key stages of the FedRAMP process from the perspective of a cloud service provider, including initiation, security assessment, and continuous monitoring. It provides examples of documents involved in each stage, such as the system security plan, security assessment plan, and continuous monitoring materials. The overall goal of FedRAMP is to increase security and oversight of cloud systems supporting government agencies.
FedRAMP 2.0 Control-Implementation-Summary (CIS) v2 1 cross-matrixed with Fed... (James W. De Rienzo)
The print report contains conditional formatting and printer settings to aid comprehension for Cloud Service Providers (CSPs) as well as Federal and Departmental Agencies.
Event Management and Monitoring Strategy (James Gingras)
The document outlines an event management and monitoring strategy with the goals of improving IT capabilities and demonstrating business value. Key aspects of the strategy include defining stakeholders, processes, and metrics for event management and monitoring, and establishing a roadmap to develop the program over the next two years. The current state monitors all events but only acts on significant events, and the future state aims to provide monitoring at the service level.
This presentation discusses how the monitoring strategy has evolved given the changes in web applications and infrastructure. With the advent of public/private clouds and containers, the old paradigms of application instrumentation and infrastructure monitoring are no longer that relevant. The application landscape is also undergoing significant changes with monolith applications being split up into micro-services. Asynchronous programming has become an integral part of high-performance web applications. Finally, many of the companies today are “Mobile First” which means that the monitoring of apps in mobile devices has now become very important. To top it all, the release cycle has reduced drastically as part of “Iterate Fast and Release Often” philosophy. Learn how some of these changes should be taken into account while coming up with the monitoring strategy of your organization in the long run.
IoT in the Enterprise: Why Your Monitoring Strategy Should Include Connected ... (AppDynamics)
1) IoT devices are becoming more common in enterprises and can impact business services and applications.
2) AppDynamics' vision is to provide an end-to-end solution to monitor all types of applications, devices, and connections from edge to cloud.
3) Problems with IoT devices and their data can originate from issues with the devices themselves or from the large volumes of data aggregated from many devices, as two customers discovered.
Recommended Design Considerations for Enterprise Monitoring (Prolifics)
This document discusses recommendations for enterprise monitoring using IBM's Tivoli Composite Application Manager (ITCAM) and Netcool OMNIbus. It recommends: 1) standardizing situations in ITM to focus on specific monitoring areas, 2) utilizing situation actions in ITM to model responses, and 3) modifying events in Tivoli probes to have a common format within Netcool OMNIbus for improved event management. The presentation provides an overview of the IBM monitoring tools and perspectives, and emphasizes establishing a foundation for long-term monitoring strategy and improvement.
04 strategy evaluation & monitoring (updating) (Ibrahim Alhariri)
This document discusses strategy evaluation and monitoring. It highlights the importance of strategy evaluation and monitoring, identifies who should be involved, and explains differences between cost-benefit analysis and return on investment. It also suggests proactive and reactive measures to cope with changing circumstances and shares tips on changing and implementing business strategy. The document contains several sections that discuss strategy execution at different organizational levels, evaluating company strategies, challenges of strategy execution, building an effective organization, and tips for successful strategy implementation.
Climb Out of Your Monitoring Silo – Enable Real End-to-End Visibility for You... (SL Corporation)
Are you responsible for keeping your company’s critical application running optimally on a heterogeneous stack? How do you pull it all together? And how do you know if a problem is related to the application, the middleware or the physical or virtual infrastructure it runs on?
RTView Enterprise Monitor is the solution that solves this problem for hundreds of Fortune 500 and Global 1000 companies. Watch the recording and learn how the world’s largest and most demanding clients have centralized their monitoring and alerting for hundreds of custom, complex applications, and saved millions of dollars in the process.
DevOps monitoring: Feedback loops in enterprise environments (Jonah Kowall)
This presentation was given at TopConf Tallinn in May 2015.
Title: Driving the DevOps feedback loop in the Enterprise
Description:
DevOps requires feedback loops backed by consistent data; within enterprises, many layers of tools make visibility a challenge. This session outlines modernizing monitoring and providing the right data collection capabilities to support agile application operations. It covers open source and commercial software solutions that fit organizations from startups to the enterprise.
Abstract:
Enterprises do not have the benefit of starting from scratch; they must implement DevOps in an existing environment, often managing heritage investments alongside fast-moving projects. The monitoring tools unfortunately fall into the same category. These complex, dated, and costly monitoring tools do not meet today's need for the visibility required by agile development that leverages continuous delivery and DevOps. Not only are the tools an issue, but the visibility and approaches are also problematic.
The use of open source tools has been the de facto approach for DevOps, but it comes with its own set of challenges in managing a complex stack of tools with varying quality of support and community. The move to a metrics-driven feedback loop enables teams to act fast at any stage of the product lifecycle. We will outline common technology stacks and approaches using graphite, statsd, and collectd along with nagios, munin, and other system monitoring tools. We will also outline commercial solutions, and how these tools tend to fall into silos as well.
Monitoring must be reformed with new platforms and technologies fitting specific design patterns that meet the needs of DevOps teams; these will be outlined and explained from a requirements perspective, providing a roadmap for applying these lessons inside your company. Join this session to take back an evolved approach to unified monitoring and learn how to make your company metrics driven.
Attendees of this session will walk away with a clear understanding of:
- Today's tooling limitations
- Open source tool sprawl issues
- Fundamental patterns of monitoring
- How these will be solved in the future
Continuous Monitoring: Monitoring Strategy – Part 2 of 3 (EMC)
This white paper is part two of a three-part series on successfully managing a continuous monitoring (CM) program. It addresses monitoring strategy, including the frequency and method of assessments.
This document provides guidelines for protecting Special Access Program information within Department of Defense information systems. It establishes roles and responsibilities, defines protection levels based on levels of concern, and outlines security requirements for confidentiality, integrity, availability, interconnected systems, advanced technologies, administrative procedures, and risk management/certification processes. The guidelines are applicable to all government and contractor personnel involved in DoD special access programs.
Resource Paper of Enterprise-Wide Deployment of EDM (Glen Alleman)
The acquisition of an Enterprise–wide software system requires careful planning and execution of a multitude of activities unrelated to the actual software systems being deployed.
The document provides an overview of the FedRAMP program, which aims to standardize how federal agencies assess and authorize the use of cloud services. It establishes a "do once, use many times" framework to reduce duplication and costs. Key elements include a Concept of Operations, stakeholders like agencies and cloud service providers, a phased implementation approach, and processes for security assessments and leveraging provisional authorizations across agencies.
MIL-STD-498, dated 5 December 1994, is hereby canceled. Information regarding software development and documentation is now contained in the Institute of Electrical and Electronics Engineers (IEEE)/Electronics Industries Association (EIA) standard, IEEE/EIA 12207, "Information technology-Software life cycle processes". IEEE/EIA 12207 is packaged in three parts: IEEE/EIA 12207.0, "Standard for Information Technology-Software life cycle processes"; IEEE/EIA 12207.1, "Guide for ISO/IEC 12207, Standard for Information Technology-Software life cycle processes-Life cycle data"; and IEEE/EIA 12207.2, "Guide for ISO/IEC 12207, Standard for Information Technology-Software life cycle processes-Implementation considerations."
This document provides an overview of the development tools for modifying Infor ERP SyteLine and guidelines for customizing and modifying the system. It describes the toolset used to work with the database, business objects, user interface, and other tiers. It also covers architectural best practices for extensions and changes to ensure compatibility with future upgrades. Additionally, it includes a chapter on external touch points for integrating with external systems and applications.
This document provides an operation plan for a new factory producing ski locks. It outlines the manufacturing process which will use batch production. Key aspects include:
- The manufacturing process involves 5 stages: preparation, bending/drilling, hardening, injection moulding, and assembly/testing.
- A total of 7 employees are needed, including a managing director, operations manager, and 5 production operators.
- Two components, a locking bar and retractable wire, will be outsourced to specialized suppliers to ensure quality and cost-effectiveness.
- Quality management procedures like testing and ISO certification are described to meet customer and business requirements.
- Environmental sustainability is also considered through material sourcing
The document outlines a 10-step process for building a test automation framework. It discusses factors that are important for successful test automation such as management commitment, budget, process, resources, and realistic expectations. The 10 steps include identifying test scope and types, requirements to automate, evaluating tools, designing the framework including reusable components and data storage, developing the framework, populating test data, and configuring schedulers. The framework is intended to provide benefits like standardization, independence from dependencies, complete test coverage, and support for future enhancements.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for Cloud Service Providers (CSPs). Testing security controls is an integral part of the FedRAMP security authorization requirements and enables Federal Agencies to use the findings that result from the tests to make risk-based decisions. Providing a plan for security control testing ensures that the process runs smoothly. This document, released originally in template format, has been designed for Third-Party Assessment Organizations (3PAOs) to use when planning security testing of CSPs. Once filled out, this document constitutes a plan for testing. Actual findings from the tests are to be recorded in FedRAMP security test procedure workbooks and a Security Assessment Report (SAR).
This technical white paper gives an overview of how GFI EventsManager works and discusses installation and deployment issues while enabling you to calculate the number of GFI EventsManager instances required on your network.
This document provides a roadmap for implementing a successful identity management project. It outlines conducting a needs analysis to identify problems with the existing user access administration. Key areas to examine include user productivity, excessive administration costs, inconsistent user data, user service issues, and security vulnerabilities. The roadmap then covers determining technology requirements, organizing the project team, selecting an identity management product, implementing the system through project management best practices, and ongoing administration and reporting after rollout.
Face recognition vendor test 2002 supplemental report (Sungkwan Park)
The document summarizes findings from the Face Recognition Vendor Test 2002 regarding face recognition performance. Key findings include:
1) Fusing scores from multiple images and systems significantly reduces verification error rates, with a fusion of three systems giving a 99.7% true match rate at a 1% false match rate.
2) Performance varies with factors like ethnicity, image quality, and discrepancies between enrolled and test images. Recognition is most accurate for Chinese faces and degrades with compression, low resolution, or pose differences.
3) Normalization techniques like z-normalization can boost performance, achieving full effectiveness with as few as 30 background images. Normalization works by setting user-specific thresholds.
Whitepaper: Availability complete visibility service provider (S. Hanau)
The document discusses Veeam's solutions for providing service providers with availability and visibility into backup infrastructure. It describes the Veeam Backup & Replication Plug-in for LabTech which integrates with the LabTech RMM platform and provides dashboard views of backup jobs, infrastructure components, alerts and reports. It also discusses Veeam Endpoint Backup for LabTech which provides similar monitoring, reporting and remote management capabilities for physical endpoints backed up by Veeam Endpoint Backup.
The document provides guidelines for implementing a Reliability Improvement Process to continuously enhance reliability throughout an equipment's life cycle. It describes the equipment life cycle, which includes phases like design, production, and phase-out. It then introduces a five-step Reliability Improvement Process of setting goals, applying reliability activities, evaluating performance, comparing to goals, and identifying problems. The process aims to iteratively improve reliability by repeating these steps. It emphasizes applying reliability early in equipment development to most cost-effectively enhance reliability over the long term.
This planning guide provides an overview of SAP Business Suite system landscapes and recommendations for setup. It covers important terminology, the components that make up an SAP landscape, and methodology for planning landscapes based on business requirements and functions needed. The guide also discusses different landscape distribution scenarios and provides an example implementation.
The document discusses the software development life cycle (SDLC) process, which consists of 7 phases: 1) conceptual planning, 2) planning and requirements definition, 3) design, 4) development and testing, 5) implementation, 6) operations and maintenance, and 7) disposition. It provides descriptions of each phase, from initially identifying a need for a new system through maintaining the system once operational. The document also discusses data flow diagrams, their components, and the process for developing them to model the flow of data in a system. Finally, it includes a project proposal for developing a T-Card game programming project using the SDLC process.
This document provides guidance on planning and implementing SAP system landscapes. It defines important terminology used in landscape planning and discusses SAP's recommended approaches. The document introduces landscape building blocks and distribution scenarios to help readers understand how to design landscapes that meet business needs in a flexible, simple and structured way.
This section provides an overview of the different storage options available for VMware vSphere, including:
- VMFS datastores which use Fibre Channel, iSCSI, or FCoE LUNs to provide shared storage pools accessible by all ESX servers in a cluster.
- NFS datastores which allow concurrent access to virtual disks by all nodes in an ESX cluster through an enterprise NFS array like NetApp.
- Raw device mappings (RDM) which provide direct access for virtual machines to LUNs for specific use cases like P2V clustering or storage vendor tools.
The document discusses best practices for using these different options with NetApp storage arrays, focusing on the
This document provides guidance on conducting SAP license audits and measuring SAP systems for licensing purposes. It describes the process of classifying users, measuring engines, consolidating results, and transferring data to SAP. The document also defines various contractual user types and explains how to use the License Administration Workbench tool to combine measurement data.
This document will guide you through the entire life of a successful password management project, including:
• A needs analysis.
• Who to involve in the project.
• How to select the best product.
• Technical design decisions.
• How to effectively roll out the system.
• How to monitor and assure sound ROI.
Similar to Continuous monitoring strategy_guide_072712
TrustedAgent GRC for Vulnerability Management (Tuan Phan)
This document discusses vulnerability management and introduces TrustedAgent as a comprehensive enterprise platform. It notes that managing vulnerabilities across thousands of devices and applications strains IT resources. TrustedAgent aims to integrate, standardize, and automate existing governance, risk, and compliance processes to improve security posture and meet various compliance requirements more efficiently. Key components include asset, risk, and compliance management along with continuous monitoring. It is demonstrated through importing scan results, prioritizing findings, and generating reports.
TrustedAgent GRC supports several initiatives within the Public Sector including FISMA, FedRAMP, cyber incident management, NIST SP 800-37 Rev. 1, DIACAP and CNSSI-1253, and DIACAP-to-NIST RMF migration. Additionally, TrustedAgent streamlines activities related to DFARS 252.204-7012 and NIST SP 800-171.
TrustedAgent and Defense Industrial Base (DIB) (Tuan Phan)
TrustedAgent GRC supports several initiatives within the Defense Industrial Base (DIB) including cyber incident management, NIST SP 800-37 Rev. 1, DIACAP and CNSSI-1253, and DIACAP-to-NIST RMF migration. Additionally, TrustedAgent streamlines activities related to DFARS 252.204-7012 and NIST SP 800-171.
TrustedAgent GRC streamlines the complexity of obtaining FedRAMP security authorization for cloud IaaS, PaaS, and SaaS services and applications: from tracking evidence and key control implementations, to creating key deliverables such as security plans, to managing continuous monitoring for ongoing compliance. TrustedAgent significantly reduces the amount of manual work, including managing the vulnerabilities surfaced by ongoing compliance activities. Download and contact us to learn more about how TrustedAgent GRC can create opportunities for your cloud offerings in the Federal Government.
The NIST Cybersecurity Framework is a voluntary framework that supports the emerging need for robust and effective cyber security practices across an enterprise. This presentation recaps the Framework six months into implementation, along with the changes made since. It also discusses the capabilities of TrustedAgent GRC to accelerate and strengthen the implementation of an effective cybersecurity program by automating or addressing many of the practices the framework requires.
Introduction to NIST Cybersecurity Framework (Tuan Phan)
This document provides an introduction to the NIST Cybersecurity Framework. It discusses the goals and key parts of the Framework, including the Framework Core with its functions, categories and subcategories. It also covers the Framework Profile and Implementation Tiers. The document then demonstrates how Trusted Integration's software maps to the Framework and can be used to assess an organization's cybersecurity activities.
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter (Tuan Phan)
Trusted Integration, Inc. is an Alexandria-based cybersecurity company founded in 2001 that focuses on creating adaptive and cost-effective governance, risk, and compliance solutions. The company received Golden Bridge awards in 2013 for its government compliance and governance, risk, and compliance solutions. The document then provides an overview of the NIST Cybersecurity Framework, including its goals to improve cybersecurity risk management, be flexible and repeatable, and focus on outcomes. It describes the framework's core, profiles, and implementation tiers and maps the framework to other standards like ISO 27001.
The document provides guidance to cloud service providers and third-party assessment organizations on understanding and navigating FedRAMP's security assessment process. FedRAMP supports the US government's mandate that federal information systems comply with the Federal Information Security Management Act. The guidance covers applicable laws and standards, an overview of the FedRAMP process, guidelines for third-party assessors and cloud service providers, and general documentation information.
Building an Effective GRC Process with TrustedAgent GRC (Tuan Phan)
Organizations can leverage TrustedAgent GRC to implement, sustain, and accelerate the implementation of governance, risk management, and compliance (GRC) for their enterprise. This brief describes the elements of an effective GRC process and how TrustedAgent GRC can cost-effectively assist organizations in their implementation.
The Federal Information Security Amendments Act of 2013 (H.R. 1163) reforms FISMA in several key ways:
1) It extends cybersecurity responsibilities to agency heads and requires each agency to designate a Chief Information Security Officer (CISO).
2) It allows agencies to use automated technologies to conduct cyber threat assessments and support incident response.
3) It establishes an OMB-overseen Federal incident response center to assist agencies in handling cyber incidents.
This document provides guidance for cloud service providers and third-party assessment organizations going through the FedRAMP security assessment process. It explains the FedRAMP program and process, outlines templates and documents required at different stages, and provides examples and guidance for describing system components, boundaries, use cases, and security controls in the required documents. The goal is to help organizations efficiently complete the FedRAMP assessment.
March 18 _2013_fed_ramp_agency_compliance_and_implementation_workshop.final (Tuan Phan)
The document summarizes an agency workshop on FedRAMP compliance and implementation. It includes an agenda for the workshop covering topics such as FedRAMP responsibilities and compliance, implementation planning and assessment phases, and ongoing assessment and authorization. Key players in FedRAMP like the JAB, agencies, cloud service providers, and independent assessors have defined responsibilities. Agencies can leverage existing FedRAMP authorizations by reviewing security assessment documentation in the FedRAMP repository.
Getting started on fed ramp sec auth for csp (Tuan Phan)
This document provides an overview of the Federal Risk and Authorization Management Program (FedRAMP) security authorization process for cloud service providers. It describes the initial steps CSPs must complete, including defining the security authorization boundary and responsibilities. It also outlines the documentation required, such as the system security plan, and reviews security controls that must be addressed. The goal is to help CSPs understand FedRAMP requirements and produce the necessary documentation for assessment and authorization.
The document discusses developing a System Security Plan (SSP) for the Federal Risk and Authorization Management Program (FedRAMP). The SSP is a detailed document that describes how security controls have been implemented based on NIST SP 800-53. It provides an overview of the system, identifies responsible personnel, and delineates control responsibilities. Developing a thorough SSP can streamline the FedRAMP assessment process. The SSP template is lengthy at 352 pages to fully document the system and control implementation.
The document provides an overview of the FedRAMP program, which aims to standardize how federal agencies assess and authorize the use of cloud services. It establishes a "do once, use many times" framework to reduce duplication of security assessments. Key elements include the Joint Authorization Board which reviews CSP security packages and can grant provisional authorization, and third-party assessment organizations which validate CSP compliance. The document outlines the roles and processes involved in FedRAMP assessments and authorization for cloud service providers and federal agencies.
This document summarizes the FedRAMP security assessment and authorization process from testing through package submission. It outlines preparing for and completing security testing with a third-party assessment organization, finalizing the security assessment report and plan of action and milestones, and compiling all required documentation into an authorization package to submit for provisional authorization. The goal of FedRAMP is to provide a standardized approach to assessing, authorizing, and monitoring the security of cloud products and services for the federal government.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Continuous Monitoring Strategy & Guide
Executive Summary
The OMB memorandum M-10-15, issued on April 21, 2010, changed from static, point-in-time
security authorization processes to Ongoing Assessment and Authorization
throughout the system development life cycle. Consistent with this new direction favored
by OMB and supported in NIST guidelines, FedRAMP has developed an ongoing
assessment and authorization program for the purpose of reauthorizing Cloud Service
Providers (CSPs) annually.
After a system receives a FedRAMP Provisional Authorization, it is possible that the
security posture of the system could change over time due to changes in the hardware or
software of the cloud service offering, or due to the discovery of new exploits. Ongoing
assessment and authorization provides federal agencies using cloud services a method of
detecting changes to the security posture of a system for the purpose of making risk-based
decisions.
This guide describes the FedRAMP strategy for CSPs to use once they have received a
FedRAMP Provisional Authorization. CSPs must continuously monitor their cloud
service offering to detect changes in the security posture of the system to enable well-
informed risk-based decision making. This guide instructs CSPs on the FedRAMP
strategy to continuously monitor their systems.
Document Revision History
Date        Pages and/or Section #s   Description                                         Author
6/14/2012   All                       Version 1.0                                         FedRAMP Office
7/27/2012   §5                        Added IA-5g, AC-2(2), AC-2(3), IA-4e, SI-6, IA-4d   FedRAMP Office
Table of Contents
About this document .....................................................................................................................................................7
Who should use this document? .....................................................................................................................7
How this document is organized .....................................................................................................................7
Conventions used in this document ................................................................................................................7
How to contact us............................................................................................................................................8
1. Overview...........................................................................................................................................................9
2.1 Purpose of This Document ..................................................................................................................9
2.2 Continuous Monitoring Process ........................................................................................................10
2. Continuous Monitoring Roles & Responsibilities............................................................................................11
2.1 FedRAMP Office Role.........................................................................................................................11
2.2 DHS Role ............................................................................................................................................12
2.3 Agency Role .......................................................................................................................................12
3. Operational Visibility ......................................................................................................................................13
4. Change Control ...............................................................................................................................................13
5. Control Frequencies & Self-Attestation ..........................................................................................................14
6. Annual Self-Attestation ...................................................................................................................................26
6.1 Self-Attestation: Incident Reporting ..................................................................................................26
6.2 Self-Attestation: Incident Response Test Report ...............................................................................26
6.3 Self-Attestation: POA&M Update ......................................................................................................27
6.4 Self-Attestation: Vulnerability Scan Reports ......................................................................................27
6.5 Self-Attestation: Unannounced Penetration Testing .......................................................27
6.6 Self-Attestation: Update System Security Plan ..................................................................................28
6.7 Self-Attestation: IT Contingency Planning & Testing..........................................................................28
6.8 Self-Attestation: IT Security Awareness Training Record ...................................................................29
7. Assistance with Incident Response .................................................................................................................29
7.1 Preparing for Incidents ......................................................................................................................29
7.2 How CSPs Report Incidents................................................................................................................29
7.3 How Agencies Report Incidents .........................................................................................................30
7.4 Incident Handling ..............................................................................................................................30
List of Tables
Table 4-1. Summary of Continuous Monitoring Activities & Deliverables ...................................................................15
List of Figures
Figure 1. Ongoing Assessment and Authorization Process Areas ................................................................................10
Figure 2. NIST Special Publication 800-137 Continuous Monitoring Process ..............................................................11
ABOUT THIS DOCUMENT
This document has been developed to provide guidance on continuous monitoring and ongoing
authorization in support of maintaining a FedRAMP Provisional Authorization. This document is
not a FedRAMP template -- there is nothing to fill out in this document.
Who should use this document?
This document is intended to be used by Cloud Service Providers (CSPs), Third Party Assessor
Organizations (3PAOs), government contractors working on FedRAMP projects, and
government employees working on FedRAMP projects. This document may also prove useful
for other organizations that are developing their continuous monitoring program.
How this document is organized
This document is divided into seven sections. Most sections include subsections.
Section 1 provides an overview of the continuous monitoring process.
Section 2 describes roles and responsibilities for stakeholders other than CSPs.
Section 3 describes how operational visibility into the CSP security control implementation
supports continuous monitoring.
Section 4 describes the change control process.
Section 5 describes security control frequencies.
Section 6 describes self-attestation deliverables.
Section 7 provides an overview of incident response expectations.
Conventions used in this document
This document uses various typographical conventions.
Italic
Italics are used for email addresses, security control assignments parameters, and formal
document names.
Italic blue in a box
Italic blue text in a blue box indicates instructions to the individual filling out the template.
Instruction: This is an instruction to the individual filling out the template.
Bold
Bold text indicates a parameter or an additional requirement.
Constant width
Constant width text is used for text that is representative of characters that would show up on
a computer screen.
<Brackets>
Bold blue text in brackets indicates text that should be replaced with user-defined values. Once
the text has been replaced, the brackets should be removed.
Notes
Notes are found between parallel lines and include additional information that may be helpful
to the users of this template.
Note: This is a note.
Sans Serif
Sans Serif text is used for tables, table captions, figure captions, and table of contents.
How to contact us
If you have questions about FedRAMP or something in this document, please write to:
info@fedramp.gov
For more information about the FedRAMP project, please see the website at:
http://www.fedramp.gov.
1. OVERVIEW
Within the FedRAMP Concept of Operations (CONOPS), once an authorization has been
granted, the CSP’s security posture is monitored according to the assessment and authorization
process illustrated in Figure 1. Monitoring security controls is part of the overall risk
management framework for information security and is a requirement for CSPs to maintain their
FedRAMP Provisional Authorization.
Traditionally, this process has been referred to as “Continuous Monitoring” as noted in NIST SP
800-137 Information Security Continuous Monitoring for Federal Information Systems and
Organizations. Other NIST documents such as NIST SP 800-37, Revision 1 refer to “ongoing
assessment of security controls”. It is important to note that both the terms “Continuous
Monitoring” and “Ongoing Security Assessments” mean essentially the same thing and should be
interpreted as such.
Performing ongoing security assessments determines whether the set of deployed security
controls in an information system remains effective in light of new exploits and attacks, and
planned and unplanned changes that occur in the system and its environment over time. To
receive reauthorization of a FedRAMP Provisional Authorization from year to year, CSPs must
monitor their security controls, assess them on a regular basis, and demonstrate that the security
posture of their service offering is continuously acceptable.
Ongoing assessment of security controls results in greater transparency into the security posture
of the CSP system and enables timely risk-management decisions. Security-related information
collected through continuous monitoring is used to make recurring updates to the security
assessment package. Ongoing due diligence and review of security controls enables the security
authorization package to remain current which allows agencies to make informed risk
management decisions as they use cloud services.
2.1 Purpose of This Document
This document is intended to provide CSPs with guidance and instructions on how to implement
their continuous monitoring program. Certain deliverables and artifacts related to continuous
monitoring that FedRAMP requires from CSPs are discussed in this document. Additionally,
CSPs will find this document useful in understanding how to fill out the annual Self-Attestation
template required by FedRAMP.
Figure 1. Ongoing Assessment and Authorization Process Areas
2.2 Continuous Monitoring Process
The FedRAMP continuous monitoring program is based on the continuous monitoring process
described in NIST SP 800-137, Information Security Continuous Monitoring for Federal
Information Systems and Organizations. A goal is to provide: (i) operational visibility; (ii) annual
self-attestations on security control implementations; (iii) managed change control; and (iv)
attendance to incident response duties.
The effectiveness of a CSP’s continuous monitoring capability supports ongoing authorization
and reauthorization decisions. Security-related information collected during continuous
monitoring is used to make updates to the security authorization package. The updated
documents provide evidence that FedRAMP baseline security controls continue to safeguard the
system as originally planned.
As defined by the National Institute of Standards and Technology (NIST) the process for
continuous monitoring includes the following initiatives:
Define a continuous monitoring strategy based on risk tolerance that maintains clear
visibility into assets and awareness of vulnerabilities and utilizes up-to-date threat
information.
Establish measures, metrics, and status monitoring and control assessments frequencies
that make known organizational security status and detect changes to information system
infrastructure and environments of operation, and status of security control effectiveness
in a manner that supports continued operation within acceptable risk tolerances.
Implement a continuous monitoring program to collect the data required for the defined
measures and report on findings; automate collection, analysis and reporting of data
where possible.
Analyze the data gathered and Report findings accompanied by recommendations. It
may become necessary to collect additional information to clarify or supplement existing
monitoring data.
Respond to assessment findings by making decisions to either mitigate technical,
management and operational vulnerabilities; or accept the risk; or transfer it to another
authority.
Review and Update the monitoring program, revising the continuous monitoring strategy
and maturing measurement capabilities to increase visibility into assets and awareness of
vulnerabilities; further enhance data driven control of the security of an organization’s
information infrastructure; and increase organizational flexibility.
Figure 2. NIST Special Publication 800-137 Continuous Monitoring Process
Security control assessments performed periodically validate whether stated security controls are
implemented correctly, operating as intended, and meet FedRAMP baseline security controls.
Security status reporting provides federal officials with information necessary to make risk-based
decisions and provides assurance to existing customer agencies regarding the security posture of
the system.
2. CONTINUOUS MONITORING ROLES & RESPONSIBILITIES
2.1 FedRAMP Office Role
The FedRAMP Program Management Office (PMO) serves as the focal point for coordination of
continuous monitoring activities for all stakeholders. Each CSP is assigned an Information
Systems Security Officer (ISSO) by the FedRAMP PMO. CSPs send security control artifacts to
their ISSO at various points in time. ISSOs monitor both the Plan of Action & Milestones
(POA&M) and any significant changes and reporting artifacts (such as vulnerability scan reports)
associated with the CSP service offering. ISSOs provide the Joint Authorization Board (JAB)
with updated information on the system so that risk-based decisions can be made about ongoing
authorization.
2.2 DHS Role
The FedRAMP Policy Memo released by OMB defines the DHS FedRAMP responsibilities to
include:
Assisting government-wide and agency-specific efforts to provide adequate, risk-based
and cost-effective cybersecurity
Coordinating cybersecurity operations and incident response and providing appropriate
assistance
Developing continuous monitoring standards for ongoing cybersecurity of Federal
information systems to include real-time monitoring and continuously verified operating
configurations
Developing guidance on agency implementation of the Trusted Internet Connection (TIC)
program with cloud services.
The FedRAMP PMO works with DHS to incorporate their guidance into the FedRAMP program
guidance and documents.
2.3 Agency Role
Leveraging agencies should review the artifacts provided through the FedRAMP continuous
monitoring process to ensure that the risk posture of the CSP falls within agency tolerance.
Additionally, agency customers must perform the following tasks in support of CSP continuous
monitoring:
Provide a POC for CSPs to communicate with
Notify US-CERT when a CSP reports an incident
Work with CSPs to resolve incidents by providing coordination with US-CERT
Notify CSPs if the Agency becomes aware of an incident that a CSP has not yet reported
Monitor security controls that are agency responsibilities
Notify ISSOs if a CSP has reported an incident.
During incident response, both CSPs and leveraging agencies are responsible for coordinating
incident handling activities together, and with US-CERT. The team based approach to incident
handling ensures that all parties are informed and enables incidents to be closed as quickly as
possible.
3. OPERATIONAL VISIBILITY
An important aspect of a CSP’s continuous monitoring program is to provide evidence that
demonstrates the efficacy of the program. At various intervals, evidentiary information is
provided to FedRAMP and consuming agencies in the form of artifacts after the FedRAMP
Provisional Authorization is granted. The submission of these deliverables and artifacts allows
FedRAMP and agency authorizing officials to evaluate the risk posture of the CSP’s service
offering. Key deliverables are required at the time of annual Self-Attestation. Table 4-1 notes
which deliverables are required as part of the annual Self-Attestation and also includes other
required continuous monitoring activities. FedRAMP provides a separate Self-Attestation
template for CSPs that must be submitted annually one year from the date of the Provisional
Authorization and each year thereafter.
4. CHANGE CONTROL
Systems are dynamic and FedRAMP anticipates that all systems are in a constant state of change.
Configuration management and change control processes help maintain a secure baseline
configuration of the CSP’s architecture. Routine day-to-day changes are managed through the
CSP’s change management process described in their Configuration Management Plan.
However, before a planned significant change takes place, CSPs must perform a Security Impact
Analysis to determine if the change will adversely affect the security of the system. The Security
Impact Analysis is a standard part of a CSP’s change control process as described in the CSP’s
Configuration Management Plan.
CSPs must notify the ISSO of any planned significant changes. The notification of the planned
significant change must take place prior to the implementation of the significant change. The
ISSO will send the CSP a Significant Change Security Impact Analysis Form which will need to
be filled out and returned to the ISSO. The planned change will be reviewed by the ISSO and
then forwarded to the JAB for approval. All plans for significant changes should include
rationale for making the change, and plans for testing the change prior to moving it to the
production system.
If any anticipated change either adds residual risk, changes a leveraging agency’s security
posture, or creates other risk exposure that the JAB finds unacceptable, the Provisional
Authorization could be revoked if the change is made without prior approval. A goal is for CSPs
to make planned changes in a controlled manner so that the security posture of the system is not
decreased.
Within 30 days of a significant change occurring, the CSP must submit a new Security Assessment
Report to the ISSO based on a fresh security assessment performed by a 3PAO. Additionally, the
CSP will need to submit an updated security assessment package that contains updated
documentation and artifacts pertaining to the newly implemented changes.
FedRAMP will notify leveraging agencies when a significant change is planned, and when a
significant change has occurred. Upon notification that a significant change is planned, customer
agencies should inform FedRAMP if they believe the planned changes will adversely affect the
security of their information. After an approved change has occurred, customer agencies should
review the change artifacts to familiarize themselves with the implementation details.
5. CONTROL FREQUENCIES & SELF-ATTESTATION
Security controls have different frequencies for performance and review, and some controls
require review more often than others. Table 4-1 summarizes the frequencies required for the
different continuous monitoring activities. Some continuous monitoring activities require that the
CSP submits a deliverable to their FedRAMP ISSO. Other continuous monitoring activities do
not require a deliverable, and will be reviewed by 3PAOs during security assessments. CSPs
must be able to demonstrate to 3PAOs that ongoing continuous monitoring activities are in place,
and have been occurring as represented in the System Security Plan. For example, if a CSP has
indicated in their System Security Plan that they monitor unsuccessful login attempts on an
ongoing basis, the 3PAO may ask to see log files, along with the CSP analysis of the log files, for
random dates over the course of the prior 3-6 months.
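The kind of evidence described above, as an added example that is not part of the FedRAMP guide: a small Python script that parses constructed sshd-style log lines, produces the unsuccessful-login summary for any sampled date, and reports days in a review window for which no log lines exist at all. The log format, hostnames, addresses and the failure threshold are assumptions, not values from the guide.

```python
"""Added example (not from the FedRAMP guide): turning raw authentication log
lines into dated evidence of the kind a 3PAO might sample.

The log format, account names, hosts, addresses and FAILURE_THRESHOLD are
constructed assumptions; a CSP would substitute its own log source and the
parameters stated in its System Security Plan.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
import re

# Constructed sample: syslog-style sshd lines spanning several days.
SAMPLE_LOG = """\
2012-05-03T08:14:02 app01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2012-05-03T08:14:05 app01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2012-05-03T08:14:09 app01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2012-05-03T08:14:12 app01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2012-05-03T09:01:44 app01 sshd[2140]: Accepted publickey for deploy from 198.51.100.20 port 40312 ssh2
2012-05-17T22:40:10 db01 sshd[877]: Failed password for invalid user oracle from 203.0.113.9 port 33001 ssh2
2012-05-17T22:45:31 db01 sshd[880]: Accepted password for dba from 198.51.100.21 port 33010 ssh2
2012-06-02T03:12:00 app02 sshd[5512]: Failed password for deploy from 198.51.100.22 port 50001 ssh2
"""

# Matches only unsuccessful password logins; "invalid user" is optional so that
# attempts against non-existent accounts are counted under the attempted name.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Assumed SSP parameter: more than this many failures for one account from one
# source in a day is flagged for analyst review.
FAILURE_THRESHOLD = 3


def parse_failed_logins(log_text):
    """Return (date, host, user, src) tuples, one per unsuccessful login."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((date.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]))
    return events


def daily_summary(events):
    """Group failures by date into a Counter keyed by (user, src)."""
    summary = defaultdict(Counter)
    for d, _host, user, src in events:
        summary[d][(user, src)] += 1
    return summary


def evidence_for_date(log_text, sampled_day):
    """Build the artifact a CSP would hand over for one sampled day
    (ISO string): the raw lines for that day plus the analyst-style flags."""
    raw_lines = [l for l in log_text.splitlines() if l.startswith(sampled_day)]
    counts = daily_summary(parse_failed_logins(log_text)).get(
        date.fromisoformat(sampled_day), Counter())
    flagged = [
        {"user": user, "src": src, "failures": n}
        for (user, src), n in counts.items() if n > FAILURE_THRESHOLD
    ]
    return {
        "date": sampled_day,
        "raw_lines": raw_lines,
        "failed_logins": sum(counts.values()),
        "flagged": flagged,
    }


def coverage_gaps(log_text, window_start, window_end):
    """ISO dates in [window_start, window_end] with no log lines at all.
    An assessor sampling random dates would treat such gaps as missing
    evidence, so the CSP needs an explanation (retention, collection outage)."""
    present = {l[:10] for l in log_text.splitlines() if l.strip()}
    gaps, d = [], date.fromisoformat(window_start)
    end = date.fromisoformat(window_end)
    while d <= end:
        if d.isoformat() not in present:
            gaps.append(d.isoformat())
        d += timedelta(days=1)
    return gaps


if __name__ == "__main__":
    artifact = evidence_for_date(SAMPLE_LOG, "2012-05-03")
    print(artifact["failed_logins"], "failed logins; flagged:", artifact["flagged"])
    print(len(coverage_gaps(SAMPLE_LOG, "2012-05-01", "2012-06-05")), "days without logs")
```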
In Table 4-1, refer to the Description column for information about what is required and when it must be submitted. The deliverable columns of Table 4-1 indicate whether a CSP-authored or a 3PAO-authored deliverable is required. In some cases, the deliverable is a component of the annual Self-Attestation.
If an ISSO becomes concerned about the security posture of the CSP system, the ISSO may ask for a security artifact at any point in time. For example, if a CSP indicates in their System Security Plan that they actively monitor information system connections, the ISSO could ask the CSP to send log file snippets for a particular connection at any point in time. If it becomes known that an entity to which the CSP has an interconnection has been compromised by an unauthorized user, the ISSO has a legitimate reason to check on the CSP's monitoring of that interconnection. CSPs should anticipate that, aside from annual continuous monitoring deliverables and testing performed by 3PAOs, the FedRAMP ISSO may request certain system artifacts on an ad hoc basis if there are concerns.
CSPs are required to attest to the ongoing implementation of their security controls on an annual
basis. Certain deliverables are required at the time of the annual Self-Attestation. Deliverables
that are required for the annual Self-Attestation are indicated in the Notes column in Table 4-1.
These same deliverables are further described in Section 6 of this document. FedRAMP provides
a separate Self-Attestation template to help organize these deliverables. Section 6 of this
document provides guidance on how to fill out the Self-Attestation template.
When managing continuous monitoring activities, it can be helpful to set up a schedule and an
annual information security calendar to plan these activities in advance.
Table 4-1. Summary of Continuous Monitoring Activities & Deliverables

Each entry gives the Control ID, Control Name, Description and Notes. Where the Notes cite a Self-Attestation section, the deliverable for that row is submitted with the annual Self-Attestation. Deliverables produced by 3PAOs are always separate from deliverables produced by CSPs.

Continuous and Ongoing

AC-17(5) Remote Access. CSPs must monitor for unauthorized remote connections continuously and take appropriate action if unauthorized connections are discovered.

AU-2d Auditable Events. Certain events must be continuously monitored: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes.

CA-3c Information System Connections. CSPs must actively monitor information system connections at all times.
  Notes: Verify the enforcement of security requirements. This control is particularly important for interconnections to other systems and is typically performed on VPNs, switches, routers, firewalls, etc.

CM-8(3)a Information System Component Inventory. CSPs must be able to detect new assets continuously (with no more than a 5 minute delay in detection).
  Notes: This activity should be automated.

IR-6 Incident Reporting. CSPs should notify customer agencies, and the ISSO, of new incidents as they are discovered. CSPs should fill out Incident Report Forms as needed.
  Notes: Self-Attestation § 3.1

PE-14(b) Temperature & Humidity Controls. CSPs must monitor temperature and humidity controls continuously.
  Notes: Refer to the ASHRAE Thermal Guidelines for Data Processing Environments.

RA-5(2) Vulnerability Scanning. CSPs must update the list of vulnerabilities scanned continuously, before each scan.
  Notes: This means that before you run a scan, you should update the signatures to the most current version(s) available.

Weekly

AU-6a Audit Review, Analysis, & Reporting. CSPs must review and analyze information system audit records for indications of inappropriate or unusual activity.
  Notes: Report findings of inappropriate or unusual activity to the incident response team.

Monthly

RA-5d Vulnerability Scanning. CSPs should mitigate all discovered high-risk vulnerabilities within 30 days. CSPs should send their ISSO updated artifacts every 30 days to show evidence that outstanding high-risk vulnerabilities have been mitigated.

CA-7d Continuous Monitoring Security State. CSPs must report the security state of the system to their own organizational officials on a monthly basis.

PE-8b Access Records. CSPs must review visitor access records monthly.

RA-5a Vulnerability Scanning. CSPs must scan operating systems/infrastructure monthly. All scan reports must be sent to the ISSO.

SI-2(2) Flaw Remediation. CSPs should use an automated mechanism to look for system flaws at least once a month.
  Notes: Examples of programs that look for system flaws include programs that: i) inspect log files for variances from normal behavior; ii) look for missing patches; iii) look for errors that indicate software bugs; iv) look for processing errors; v) look for indications of intrusions; vi) look for malware; vii) look for access control violations or attempted violations, etc.

SI-7(1) Software & Information Integrity. CSPs must perform integrity scans monthly.

60 Days

IA-5g Authenticator Management. Change/refresh authenticators at least every sixty days.

Quarterly (90 Days)

AC-2(2) Account Management. Automatic termination of temporary and emergency accounts after 90 days.

AC-2(3) Account Management. Disable user IDs after 90 days of inactivity.

AC-18(2) Wireless Access Restrictions. CSPs must monitor for unauthorized wireless connections.
  Notes: Scan wireless access points and determine if any are unauthorized.

AC-22d Publicly Accessible Content. CSPs must review content on publicly accessible systems and look for non-public information.
  Notes: This means you are looking for data leaks and erroneous or unauthorized information disclosure.

CA-5 Plan of Action & Milestones. CSPs must update the POA&M as needed, and must submit it to the ISSO quarterly. Updates should be based on the findings from security assessments, security impact analyses, CSP risk assessments, continuous monitoring activities and any other indications of a security weakness.
  Notes: Self-Attestation § 3.3

CM-5(5)b Access Restrictions for Change. CSPs must review and reevaluate their information system developer/integrator privileges quarterly. Record the date of the review in the System Security Plan.

CM-7(1) Least Functionality. CSPs must review the information system quarterly to identify and eliminate unnecessary functions, ports, protocols, and/or services. If ports, protocols, and/or services are changed, Table 10-4 in the System Security Plan should be updated at the time of change. Changes should be made according to the CSP change management process that is described in the Configuration Management Plan.

IA-4e Identifier Management. Disable user IDs after 90 days of inactivity.

RA-5a Vulnerability Scanning. CSPs must scan web applications and databases quarterly. All scan reports should be sent to the ISSO.

RA-5d Vulnerability Scanning. CSPs must mitigate all moderate-risk vulnerabilities within 90 days and must send their ISSO artifacts every 90 days to show evidence that outstanding moderate-risk vulnerabilities have been mitigated.

SI-6 Security Functionality Verification. The system verifies correct operation of security functions.

Semi-Annually

PE-6b Monitoring Physical Access. CSPs must review physical access logs semi-annually. Record the dates of review in the System Security Plan.
  Notes: Self-Attestation § 3.10

Annually

All "-1" controls, Information Security Policies. CSPs must review Information Security Policies and Procedures annually. Insert the updated Policy document as an Attachment to the System Security Plan and submit the updated plan to the ISSO one year from the Provisional Authorization date and each year thereafter.
  Notes: Self-Attestation § 3.12. All control families have "-1" controls (e.g. AC-1, SC-1).

AC-2j Account Management. CSPs must perform an annual review and re-certification of user accounts to verify whether the account holder requires continued access to the system. Record the date of annual user re-certification in the System Security Plan.
  Notes: It is advisable to develop and document the annual user re-certification process and plan.

AT-2 Security Awareness. CSPs must provide basic security awareness training to all users annually. Record the date that security awareness training last took place in the System Security Plan.
  Notes: Self-Attestation § 3.7. Security awareness training should include contractors, executives, and anyone who has access to the system.

AU-2(3) Auditable Events. CSPs must review and update auditable events annually. Changes to the auditable event list should be recorded in the System Security Plan. CSPs should record the date that the auditable event review meeting takes place in the System Security Plan. Meeting notes with information about who attended the meeting should be archived.
  Notes: This activity should also be performed whenever there is a change in the threat environment, whether self-detected or communicated by the JAB (via the ISSO).

CA-2b Security Assessments. CSPs must have a 3PAO assess a subset of their security controls annually. Submit the assessment report to the ISSO one year from the Provisional Authorization date and each year thereafter.
  Notes: Self-Attestation § 3.11. Consult with the ISSO to obtain information on which controls to assess during annual testing. Deliverables produced by 3PAOs are always separate from deliverables produced by CSPs.

CA-7(2) Continuous Monitoring. CSPs must track, assess, and monitor their compliance with all vulnerability mitigation procedures annually. Record the date of the review in the System Security Plan.

CA-7(2) Continuous Monitoring. CSPs must require unannounced penetration testing to occur annually to ensure compliance with all vulnerability mitigation procedures. All penetration testing reports must be sent to the ISSO.
  Notes: Self-Attestation § 3.8. Deliverables produced by 3PAOs are always separate from deliverables produced by CSPs.

CM-2(1)a Baseline Configuration and System Component Inventory. CSPs must review and update the baseline configuration annually or during installations and updates. Changes and updates to the baseline configuration should be made in accordance with the change control process described in the CSP's Configuration Management Plan.
  Notes: This activity should also be performed whenever there is a significant change to the system.

CM-9 Configuration Management Plan. CSPs must review and update the Configuration Management Plan annually. Submit the new plan to the ISSO at the time of annual Self-Attestation one year from the Provisional Authorization date (and each year thereafter).
  Notes: Self-Attestation § 3.9

CP-2d IT Contingency Plan. CSPs must review and update the IT Contingency Plan annually. Submit the new plan to the ISSO at the time of annual Self-Attestation one year from the Provisional Authorization date (and each year thereafter).
  Notes: Self-Attestation § 3.6

CP-3 IT Contingency Training. CSPs must train personnel in their contingency roles and responsibilities annually. Record the date of the training in the System Security Plan.

CP-4a IT Contingency Plan Testing & Exercises (Moderate Systems). CSPs must test and exercise the IT Contingency Plan (for Moderate systems) every year. Insert a new IT Contingency Plan Test Report into Appendix F of the IT Contingency Plan (which is submitted annually).
  Notes: Self-Attestation § 3.6. Moderate systems require functional testing and exercises.

CP-9(1) Information System Backup. CSPs must test backups annually to verify integrity and reliability. When the System Security Plan is updated annually, this control description should indicate when (date) the last test took place and who performed the testing.

IR-2b Incident Response Training. CSPs must conduct incident response training annually. When the System Security Plan is updated annually, this control description should indicate when training took place, the training materials, who participated, and who conducted the training.

IR-3 Incident Response Testing. CSPs must perform incident response testing annually. When the System Security Plan is updated annually, record the results of the incident response testing directly in the control description box, indicating when testing took place, the testing materials, who participated, and who conducted the testing.
  Notes: Self-Attestation § 3.2. Test all contact information in the Appendices of the Incident Response Plan to make sure it is accurate.

IR-8c Incident Response Plan. CSPs must review the Incident Response Plan annually and update it if necessary. Insert the updated Incident Response Plan as an attachment to the System Security Plan.
  Notes: Self-Attestation § 3.2

PE-2c Physical Access Authorizations. CSPs must review physical access authorization credentials annually and remove personnel from the access list who no longer require access. The date at which this review takes place, and who performed it, should be recorded in the System Security Plan.
  Notes: Self-Attestation § 3.10

PE-3f Physical Access Control. CSPs must inventory physical access devices annually. The date of the inventory should be recorded in the System Security Plan.
  Notes: Self-Attestation § 3.10

PE-3g Physical Access Control. CSPs must change combinations and keys annually. The date that the keys and combinations are changed should be recorded in the System Security Plan along with the name of the person responsible for making the changes.
  Notes: Self-Attestation § 3.10. This activity should also be performed when keys are lost, combinations are compromised, or individuals are transferred or terminated.

PL-2b, c System Security Plan. CSPs must review and update the System Security Plan annually. Submit the new plan to the ISSO at the time of the annual Self-Attestation one year from the Provisional Authorization date (and each year thereafter).
  Notes: Self-Attestation § 3.5. Table 9-1 in the System Security Plan must be updated.

PS-6b Access Agreements. CSPs must review and update access agreements annually. The date of the access agreement review should be recorded in the System Security Plan.
  Notes: A good time to do this is during the annual user re-certification (AC-2j).

RA-5a Vulnerability Scan. CSPs must have an accredited 3PAO scan operating systems/infrastructure, web applications, and databases annually. All scan reports must be sent to the ISSO.
  Notes: Deliverables produced by 3PAOs are always separate from deliverables produced by CSPs.

SC-7(4)e Boundary Protection. CSPs must remove traffic flows that are no longer supported by a business/mission need. Changes and updates to traffic flows should be made in accordance with the change control process described in the CSP's Configuration Management Plan.
  Notes: Table 1-4 in the System Security Plan should be updated to reflect any changes.

Every Two Years

IA-4d Identifier Management. Prevent reuse of user and device identifiers for at least two years.

Every Three Years

AT-3b Security Training. CSPs must provide role-based security training every three years. The date that the training took place, along with who provided the training, should be recorded in the System Security Plan.
  Notes: Role-based security training is typically for privileged users.

AT-4b Security Training Records. CSPs must archive security training records for three years. In the System Security Plan, record who participated in training and when the training took place. Archive the actual training materials.

CA-6c Security Authorization. The security authorization will be re-evaluated by the JAB at least every three years. CSPs should record the date of the Provisional Authorization, and any reauthorization, in the System Security Plan.
  Notes: This activity should also be performed whenever there is a significant change to the system.

CP-4a IT Contingency Plan Testing & Exercises (Low Systems). CSPs should test and exercise the IT Contingency Plan (for Low systems) every three years. Record the testing date in the System Security Plan and submit the test results with the annual Self-Attestation.
  Notes: Self-Attestation § 3.6

PS-2c Position Categorization. CSPs should review position categorizations every three years. Record the date that position categorization was completed in the System Security Plan.

RA-3c, d Risk Assessment. CSPs should review and update risk assessments every three years and record the date of the last risk assessment in the System Security Plan.
  Notes: This activity should also be performed whenever there is a significant change to the system.

Every Five Years

PS-3b Personnel Screening. Law enforcement personnel must undergo personnel screening every 5 years. Any law enforcement staff screened should have the screening date recorded in the System Security Plan along with their name.
  Notes: High impact personnel screening is not required at this time because FedRAMP is not supporting high impact sensitive systems at this time.
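The quarterly account rows in Table 4-1 (AC-2(2) termination of temporary and emergency accounts after 90 days, AC-2(3) and IA-4e disabling of user IDs after 90 days of inactivity) and the IA-4d identifier reuse rule are the kind of checks that should run from the directory rather than be eyeballed. The script below is an added example, not tooling from the FedRAMP guide or any CSP: it applies those three rules to a constructed set of account records with a fixed review date so the output is reproducible. The record format, the treatment of never-used accounts (aged from their creation date) and the 730 day reading of "at least two years" are assumptions made for the example.

```python
"""Account-lifecycle checks from Table 4-1, as an added example (not the
FedRAMP guide's own tooling): AC-2(2) terminate temporary/emergency
accounts after 90 days, AC-2(3)/IA-4e disable user IDs after 90 days of
inactivity, and IA-4d refuse to reissue an identifier retired less than
two years ago. Account records are a constructed sample; a real run would
pull them from the directory or IAM system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=90)            # AC-2(3) / IA-4e
TEMP_ACCOUNT_LIMIT = timedelta(days=90)          # AC-2(2)
IDENTIFIER_REUSE_HOLD = timedelta(days=2 * 365)  # IA-4d, "at least two years" read as 730 days (assumption)


@dataclass
class Account:
    user_id: str
    kind: str                          # "regular", "temporary" or "emergency"
    created: date
    last_logon: Optional[date]         # None if the account has never logged on
    enabled: bool = True
    retired_on: Optional[date] = None  # set when the identifier is retired


# Constructed sample (not real data); the review date is fixed so the run is reproducible.
TODAY = date(2013, 3, 4)
SAMPLE_ACCOUNTS = [
    Account("alice", "regular", date(2012, 1, 10), date(2013, 3, 1)),
    Account("bob", "regular", date(2012, 1, 10), date(2012, 11, 20)),           # 104 days idle
    Account("carol", "regular", date(2012, 11, 1), None),                      # never used, 123 days old
    Account("vendor-tmp", "temporary", date(2012, 11, 15), date(2013, 3, 3)),  # in use, but 109 days old
    Account("breakglass", "emergency", date(2013, 1, 20), None),               # 43 days old
    Account("dave", "regular", date(2011, 5, 1), date(2012, 6, 1),
            enabled=False, retired_on=date(2012, 9, 1)),                       # retired 184 days ago
]


def inactive_ids(accounts, today=TODAY, limit=INACTIVITY_LIMIT):
    """AC-2(3)/IA-4e: enabled accounts with no logon in `limit` days.
    An account that has never logged on is aged from its creation date (assumption)."""
    out = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; nothing to do
        last = a.last_logon or a.created
        if today - last > limit:
            out.append(a.user_id)
    return out


def expired_temporary_ids(accounts, today=TODAY, limit=TEMP_ACCOUNT_LIMIT):
    """AC-2(2): temporary and emergency accounts older than `limit`, whether or not they are in use."""
    return [a.user_id for a in accounts
            if a.enabled and a.kind in ("temporary", "emergency")
            and today - a.created > limit]


def identifier_available(accounts, candidate, today=TODAY, hold=IDENTIFIER_REUSE_HOLD):
    """IA-4d: an identifier may be reissued only if it is not in use and was
    retired at least `hold` ago. Unknown identifiers are free."""
    for a in accounts:
        if a.user_id != candidate:
            continue
        if a.enabled or a.retired_on is None:
            return False  # still in use, or disabled but never formally retired
        return today - a.retired_on >= hold
    return True


def lifecycle_actions(accounts, today=TODAY):
    """The action list a quarterly review would hand to the IAM team."""
    actions = []
    for uid in inactive_ids(accounts, today):
        actions.append(f"disable {uid}: inactive > {INACTIVITY_LIMIT.days} days")
    for uid in expired_temporary_ids(accounts, today):
        actions.append(f"terminate {uid}: temporary/emergency account > {TEMP_ACCOUNT_LIMIT.days} days")
    return actions


if __name__ == "__main__":
    for line in lifecycle_actions(SAMPLE_ACCOUNTS):
        print(line)
    print("reuse of 'dave' allowed:", identifier_available(SAMPLE_ACCOUNTS, "dave"))
```

Note that vendor-tmp is terminated even though it logged on yesterday: AC-2(2) is a lifetime limit on the account type, independent of the AC-2(3) inactivity clock, and the two checks are kept separate for that reason.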
6. ANNUAL SELF-ATTESTATION
Continuous monitoring artifacts must be delivered by the CSP as part of the annual self-attestation process. FedRAMP has developed a Self-Attestation Template; CSPs must fill out this template and provide the named artifacts prior to reauthorization.
An effective continuous monitoring program requires periodic review of security policies,
planning activities, and security procedures and processes. The review and update of these areas
are built into various document templates such as the System Security Plan, and therefore, they
are not called out as separate self-attestation deliverables.
The following sections describe the deliverables named in the FedRAMP Self-Attestation
Template and provide instructions and background information on each deliverable.
6.1 Self-Attestation: Incident Reporting
As incidents occur and are reported, CSPs should maintain records on who the incident was
reported to and when the incident was reported. Further, as part of their Incident Handling
activities, CSPs should conduct an in-house incident investigation, perform analysis on the
incident, determine the cause, eradicate any intruders or malware, and implement preventive
measures. The Self-Attestation Template requires CSPs to include a summary of reported
incidents. CSPs should fill out the summary table based on their own incident records.
6.2 Self-Attestation: Incident Response Test Report
It is important for CSPs to periodically test their Incident Response Plan to identify the
effectiveness of the plan and any potential weaknesses or deficiencies that need to be corrected.
FedRAMP security control IR-3 requires that CSPs test their Incident Response Plan annually.
For systems that have achieved a FedRAMP Provisional Authorization, test plans should be
submitted prior to testing to the FedRAMP ISSO for review and approval by the JAB.
The CSP should describe what aspects of the test they intend to measure, and whether the test will be a tabletop exercise, a simulation, or a comprehensive exercise. The CSP should use the results of this test to make modifications to existing security procedures, technology implementations, and staff training. It is expected that deficiencies noted from the tests may appear as planned actions for resolution on the CSP's Plan of Action & Milestones. Each test should revisit weaknesses identified in prior testing to ensure that those weaknesses were properly corrected.
Once incident response testing has been completed, the CSP should develop a report that includes the outcome and results of the testing. Deficiencies in the incident response process, controls, implementation or documentation should be cited in the report. The date of the test, the participants, and the test location should all be noted in the report. Tasks related to these deficiencies that have been added to the POA&M should be noted. The report, identified as the annual Incident Response Test Report, should be attached to the Self-Attestation.
6.3 Self-Attestation: POA&M Update
The Plan of Action & Milestones (POA&M) document serves as a high-level work plan to
correct weaknesses in the CSP’s security implementation. The POA&M identifies and lists
weaknesses discovered through security assessments, annual continuous monitoring activities, or
any other method. FedRAMP provides a POA&M template for CSPs which is available on
www.FedRAMP.gov.
FedRAMP security control CA-5 requires CSPs to update their POA&Ms on a quarterly basis. Updated POA&Ms need to be submitted quarterly to the system ISSO. During the annual Self-Attestation, only the most recent POA&M should be submitted. The ISSO reviews POA&Ms for unacceptable risk exposure. Unresolved POA&M items, and the elevated risk posture presented by new vulnerabilities, are escalated to the JAB by the ISSO as necessary.
6.4 Self-Attestation: Vulnerability Scan Reports
CSPs are required to scan infrastructure and operating systems monthly, and web applications
and databases quarterly, in accordance with the FedRAMP Security Control Baseline (RA-5a).
Scans should also be performed after a significant environmental or system change to identify
any vulnerability exposed as a result of the change. These scans are intended to inform the CSP
of known vulnerabilities in their service offering that are susceptible to exploits to the detriment
of agency data. Findings that are identified from the vulnerability scanning should be categorized
and included on the POA&M. Remediation plans should be subsequently implemented.
Scans can also be run to identify policy compliance. Different systems may require different
scanning tools to identify vulnerabilities. Scanning tools should be selected for the particular
component within the CSP’s environment that will be scanned. Not all scanners have the ability
to perform vulnerability detection for all components. Scanners are typically designed to test
particular system components such as networking equipment, operating systems, application
servers, web servers, web applications, and database servers. Select the right scanner for the job.
FedRAMP does not offer recommendations on which scanners to use.
All scan reports must be submitted to the designated FedRAMP ISSO. Both 3PAOs and ISSOs
will review the scan reports against the declared asset inventory to ensure compliance with the
RA-5a control. CSPs will be required to update the POA&M and submit the new POA&M to the
ISSO (a quarterly requirement). ISSOs will review the results of the scans against the POA&M,
and will make recommendations to the JAB regarding the ongoing Provisional Authorization.
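The step from scan results to POA&M entries is mechanical once the remediation windows are fixed: Table 4-1 gives 30 days for high-risk findings (RA-5d, monthly) and 90 days for moderate-risk findings (RA-5d, quarterly). The script below is an added example, not the FedRAMP POA&M template or any scanner's output format; it turns a constructed scan export into POA&M-style records with a scheduled completion date per severity and lists the findings whose window has already elapsed. The CSV columns, the fixed review date and the decision to leave low-risk findings undated (the guide states no window for them) are assumptions made for the example.

```python
"""Remediation-deadline tracking for scan findings, as an added example
(not the FedRAMP POA&M template or any scanner's output): applies the
RA-5d windows from Table 4-1, high-risk findings within 30 days and
moderate-risk findings within 90 days, to a constructed scan export and
derives the POA&M rows and the overdue list an ISSO would review.
"""
import csv
import io
from datetime import date, timedelta

# Days allowed to mitigate, by severity, per the guide's RA-5d rows.
# The guide states no window for low-risk findings, so they are listed but not aged.
REMEDIATION_WINDOW = {"high": 30, "moderate": 90}

# Fixed review date so the run is reproducible (assumption).
REVIEW_DATE = date(2013, 3, 4)

# Constructed scan export (not a real scanner's format): one row per finding
# on a component, with the date the finding was first seen.
SAMPLE_SCAN_CSV = """\
finding_id,component,severity,first_seen,status
F-001,web01 (OS),high,2013-01-15,open
F-002,web01 (OS),moderate,2013-01-15,open
F-003,db01 (database),high,2013-02-20,open
F-004,app01 (web application),moderate,2012-11-01,open
F-005,app01 (web application),low,2012-10-01,open
F-006,web01 (OS),high,2013-01-02,mitigated
"""


def load_findings(csv_text):
    """Parse the export; first_seen becomes a date so windows can be computed."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["first_seen"] = date.fromisoformat(r["first_seen"])
    return rows


def poam_entries(findings, today=REVIEW_DATE):
    """One POA&M-style record per open finding: scheduled completion date
    from the severity window, and how many days past due it already is."""
    entries = []
    for f in findings:
        if f["status"] != "open":
            continue  # mitigated items are evidence for the ISSO, not POA&M work items
        window = REMEDIATION_WINDOW.get(f["severity"])
        due = f["first_seen"] + timedelta(days=window) if window else None
        entries.append({
            "finding_id": f["finding_id"],
            "component": f["component"],
            "severity": f["severity"],
            "scheduled_completion": due,
            "days_overdue": (today - due).days if due and today > due else 0,
        })
    return entries


def overdue(findings, today=REVIEW_DATE):
    """Finding IDs whose RA-5d window has elapsed, most overdue first."""
    late = [e for e in poam_entries(findings, today) if e["days_overdue"] > 0]
    return [e["finding_id"] for e in sorted(late, key=lambda e: -e["days_overdue"])]


if __name__ == "__main__":
    findings = load_findings(SAMPLE_SCAN_CSV)
    for e in poam_entries(findings):
        print(e)
    print("overdue:", overdue(findings))
```

On the sample, F-004 (moderate, first seen in November) and F-001 (high, first seen mid-January) are past their windows on the review date, while F-003 is a high-risk finding still inside its 30 days; that distinction is what the 30-day artifact to the ISSO has to make visible.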
6.5 Self-Attestation: Unannounced Penetration Testing
At a minimum of once annually, CSPs must require that their 3PAO performs unannounced penetration testing. 3PAOs should use the SAP and SAR templates for the annual unannounced penetration testing.
6.6 Self-Attestation: Update System Security Plan
CSPs must review and update their System Security Plan (SSP) annually. Additionally, in the event of a significant change within the security authorization boundary or in a control implementation, the SSP should be reviewed and updated. The plan must be kept current, accurately describe the implemented system controls, and reflect changes to the system and its environment of operation. This review and update of the SSP is designed to allow a CSP to holistically review the control implementations and update the policies and procedures to ensure an effective security program. The update should consider as many data points as possible, but at a minimum should include the following:
Updated POA&M items and remediation steps
Changes in implementation as a result of Incident Response Testing
Updates to hardware and software used in the system
Results of annual penetration testing
Results of vulnerability scanning
And other risk assessment activities.
During this update, certain controls must be reviewed and updated as identified in the FedRAMP
security control baseline. These updates are designed to make sure that the information
represented by the CSP is current and up to date. Table 4 in section 5.4 includes a list of those
controls. In addition to updating the controls within the SSP, evidentiary artifacts should be
provided showing compliance with the control. The updated SSP will be submitted to the
FedRAMP office annually.
6.7 Self-Attestation: IT Contingency Planning & Testing
On an annual basis, the Contingency Plan must be reviewed and updated to reflect current
operating conditions within the CSP’s infrastructure. The Contingency Plan must be tested in
accordance with the appropriate impact level identified in the FedRAMP Security Baseline. At
the low impact level, contingency plans must be tested once every three years and may be tested
through tabletop exercises. At the moderate impact level, contingency plans must be tested
annually through a functional exercise.
CSPs must develop their test plans and have those test plans approved by FedRAMP prior to execution. Test plans should be developed in accordance with NIST SP 800-84 (as amended). FedRAMP will review these test plans to determine whether the availability of the system and organization during a contingency event can be gauged as a result of the exercise. Upon approval of the test plan, the CSP can then conduct the exercise. The exercise results should be provided in a test report. Weaknesses or deficiencies identified through the test should be added to the POA&M, and appropriate steps and countermeasures implemented to mitigate or remediate each weakness or deficiency. The testing and reports should be prepared in accordance with NIST SP 800-84.
6.8 Self-Attestation: IT Security Awareness Training Record
CSPs are expected to provide ongoing IT security and awareness training to personnel servicing the system. This training should be designed to provide general awareness of common threats to IT security and to address CSP-specific concerns and policies, creating a vigilant workforce. Best practices include periodic testing and retraining on the areas of focus of the CSP's workforce.
To measure the consistency of this training program, a CSP is required to provide training
records on an annual basis. These training records identify the personnel that have been trained,
the dates they were trained and the subject areas that training covered. This information is used
by FedRAMP to understand the awareness of the personnel of the CSP.
7. ASSISTANCE WITH INCIDENT RESPONSE
The shared tenant architecture of cloud services implies that a single incident may impact
multiple federal agencies leveraging the cloud services. It is a FedRAMP requirement that CSPs
obtain assistance with incidents from their customer agencies and from US-CERT. Obtaining
assistance starts with reporting incidents. Working as a team, agencies, CSPs, and US-CERT are
positioned to handle and resolve incidents faster than if each entity worked on incidents alone.
7.1 Preparing for Incidents
It is a requirement for all CSPs to develop an Incident Response Plan. The Incident Response Plan is required by security control IR-8 and the plan needs to be reviewed and updated
annually. CSPs should include in the Incident Response Plan a list of three key contacts that
customer agencies can call upon for the purpose of incident response coordination. One of the
contacts should include a 24 x 7 operations center at the CSP that is always reachable. Aside
from the three key contacts, contact information for all incident response team members should
be included in an Appendix of the Incident Response Plan.
CSPs should attach their updated Incident Response Plan to their System Security Plan prior to
sending the System Security Plan to the ISSO during the annual self-attestation.
7.2 How CSPs Report Incidents
When a CSP detects an incident, it should be reported to affected customer agencies based on the
categorization of the incident. The incident categories and reporting times are described in NIST
SP 800-61, Revision 1, Appendix J. Only incidents that fall into categories 1 through 4 should be
reported.
Note: NIST SP 800-61, Revision 1, Computer Security Incident Handling Guide, can be found at the following URL: http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf.
All incidents need to be documented and tracked as required by security control IR-5. If CSPs
have reported the incident to affected customer agencies, and have not yet been contacted by US-
CERT and require immediate assistance, the CSP should contact US-CERT directly using the
online reporting form at https://forms.us-cert.gov/report/. At the same time that the CSP reports
incidents to agency customers, the CSP should also report the incident to their FedRAMP
assigned ISSO.
7.3 How Agencies Report Incidents
When a CSP reports an incident to an affected agency, the agency will escalate incidents to
US-CERT according to the agency’s own respective Incident Response Plan instructions. If an
agency discovers an incident that has not been reported to them by the CSP, the agency should
contact the CSP using the incident contact information provided in the CSP’s Incident Response
Plan.
Agencies should offer to coordinate assistance between US-CERT and CSPs when CSPs report
incidents to agencies. If a CSP reports an incident to an agency, and the agency escalates the
incident to US-CERT, the agency should forward to US-CERT the Incident Reporting Form that
was filled out by the CSP.
7.4 Incident Handling
Security control IR-4 requires CSPs to employ incident handling techniques and processes. CSP
incident handling capabilities required by this control should be documented in the Incident
Response Plan. Though CSPs should be fully capable of handling incidents, in coordination with their customer agencies, CSPs may also obtain additional assistance from US-CERT.