Continuous Monitoring Program

The continuous monitoring program lets NICE CXone track the security of the CXone system. It is based on the process described in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. The goal of this program is to provide the following:

  • Operational visibility.

  • Annual reports on security control implementations.

  • Change control.

  • Attendance to Incident Response duties.

For this program, NICE CXone collects security-related information to protect the system. The program includes the following steps:

  1. NICE CXone will define a continuous monitoring strategy based on risk tolerance. This strategy maintains that NICE CXone will:

    1. Have visibility into how assets are handled.

    2. Be aware of weaknesses within the system.

    3. Have current threat information.

  2. NICE CXone will establish:

    1. Measures.

    2. Metrics.

    3. Status monitoring.

    4. Assessments that:

      • Show the status and effectiveness of the organization's security.

      • Detect changes to system infrastructure and environments of operations.

  3. NICE CXone will implement a program to:

    1. Collect the data required for the defined measures.

    2. Report on findings.

    3. Automate the collection, analysis, and reporting of data where possible.

  4. NICE CXone will analyze the gathered data from the previous steps in the program.

  5. NICE CXone will report on its findings along with recommendations to improve the program. If necessary, it will collect more information to clarify or add to existing data.

  6. NICE CXone will respond to assessment findings by:

    • Mitigating technical, management, and operational vulnerabilities.

    • Accepting the risk.

    • Transferring the assessment to another authority.

  7. Finally, NICE CXone will review and update the monitoring program by:

    1. Revising strategy.

    2. Improving measurement capabilities.

    3. Increasing visibility into assets, awareness of vulnerabilities, and organizational flexibility.

    4. Enhancing data-driven control of CXone infrastructure.

Periodic assessments confirm whether security controls are:

  • Implemented correctly.

  • Operating as intended.

  • Meeting baselines.

Reporting provides federal officials with necessary information. This allows them to:

  • Make risk-based decisions.

  • Provide you with assurance about the system's security.

The ISO 27001 security management standard requires frequent audits.