| Control | Description | Status |
|---|---|---|
| Continuous Monitoring | Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls. | |
| Intrusion Detection & Prevention Systems (IDS & IPS) | Mechanisms exist to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points. | |
| Automated Tools for Real-Time Analysis | Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation. | |
| Inbound & Outbound Communications Traffic | Mechanisms exist to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions. | |
| System Generated Alerts | Mechanisms exist to generate, monitor, correlate and respond to alerts from physical, cybersecurity, data privacy and supply chain activities to achieve integrated situational awareness. | |
| Wireless Intrusion Detection System (WIDS) | Mechanisms exist to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks. | |
| Host-Based Devices | Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness. | |
| File Integrity Monitoring (FIM) | Mechanisms exist to utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical assets to generate alerts for unauthorized modifications. | |
| Security Event Monitoring | Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures. | |
| Deactivated Account Activity | Mechanisms exist to monitor deactivated accounts for attempted usage. | |
| Automated Alerts | Mechanisms exist to automatically alert incident response personnel to inappropriate or anomalous activities that have potential security incident implications. | |
| Alert Threshold Tuning | Mechanisms exist to "tune" event monitoring technologies through analyzing communications traffic/event patterns and developing profiles representing common traffic patterns and/or events. | |
| Privileged User Oversight | Mechanisms exist to implement enhanced activity monitoring for privileged users. | |
| Centralized Collection of Security Event Logs | Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs. | |
| Correlate Monitoring Information | Automated mechanisms exist to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness. | |
| Central Review & Analysis | Automated mechanisms exist to centrally collect, review and analyze audit records from multiple sources. | |
| Integration of Scanning & Other Monitoring Information | Automated mechanisms exist to integrate the analysis of audit records with analysis of vulnerability scanners, network performance, system monitoring and other sources to further enhance the ability to identify inappropriate or unusual activity. | |
| System-Wide / Time-Correlated Audit Trail | Automated mechanisms exist to compile audit records into an organization-wide audit trail that is time-correlated. | |
| Content of Event Logs | Mechanisms exist to configure systems to produce event logs that contain sufficient information to, at a minimum: (1) Establish what type of event occurred; (2) When (date and time) the event occurred; (3) Where the event occurred; (4) The source of the event; (5) The outcome (success or failure) of the event; and (6) The identity of any user/subject associated with the event. | |
| Sensitive Audit Information | Mechanisms exist to protect sensitive/regulated data contained in log files. | |
| Audit Trails | Mechanisms exist to link system access to individual users or service accounts. | |
| Privileged Functions Logging | Mechanisms exist to log and review the actions of users and/or services with elevated privileges. | |
| Verbosity Logging for Boundary Devices | Mechanisms exist to verbosely log all traffic (both allowed and blocked) arriving at network boundary devices, including firewalls, Intrusion Detection / Prevention Systems (IDS/IPS) and inbound and outbound proxies. | |
| Event Log Storage Capacity | Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded. | |
| Response To Event Log Processing Failures | Mechanisms exist to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption. | |
| Monitoring Reporting | Mechanisms exist to provide an event log report generation capability to aid in detecting and assessing anomalous activities. | |
| Query Parameter Audits of Personal Data (PD) | Mechanisms exist to provide and implement the capability for auditing the parameters of user query events for data sets containing Personal Data (PD). | |
| Time Stamps | Mechanisms exist to configure systems to use an authoritative time source to generate time stamps for event logs. | |
| Synchronization With Authoritative Time Source | Mechanisms exist to synchronize internal system clocks with an authoritative time source. | |
| Protection of Event Logs | Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion. | |
| Event Log Backup on Separate Physical Systems / Components | Mechanisms exist to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool. | |
| Access by Subset of Privileged Users | Mechanisms exist to restrict access to the management of event logs to privileged users with a specific business need. | |
| Event Log Retention | Mechanisms exist to retain event logs for a time period consistent with records retention requirements to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements. | |
| Monitoring For Information Disclosure | Mechanisms exist to monitor for evidence of unauthorized exfiltration or disclosure of non-public information. | |
| Monitoring for Indicators of Compromise (IOC) | Automated mechanisms exist to identify and alert on Indicators of Compromise (IoC). | |
| Anomalous Behavior | Mechanisms exist to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities. | |
| Insider Threats | Mechanisms exist to monitor internal personnel activity for potential security incidents. | |
| Third-Party Threats | Mechanisms exist to monitor third-party personnel activity for potential security incidents. | |
| Unauthorized Activities | Mechanisms exist to monitor for unauthorized activities, accounts, connections, devices and software. | |
| Account Creation and Modification Logging | Automated mechanisms exist to generate event logs for permissions changes to privileged accounts and/or groups. | |
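The "Content of Event Logs", "Time Stamps" and "Deactivated Account Activity" rows only state objectives; in practice a SIEM can act on them only if each log source is first checked against the minimum content and then fed to a detection. The following is an added example (not part of the control framework or of any vendor's product) that validates constructed JSON events against the six minimum elements in "Content of Event Logs", rejects timestamps that cannot be time-correlated because they carry no timezone, and runs one detection over the events that pass: attempted authentication by a deactivated account. The field names, the event schema, the account list and the sample log lines are assumptions made for the example.

```python
"""Minimum-content check for event logs followed by one detection.

Added example: the JSON schema, field names and sample events below are
assumptions constructed for illustration, not a framework requirement.
"""
import json
from datetime import datetime
from typing import Dict, List, Tuple

# The six minimum elements from "Content of Event Logs", mapped onto the
# field names of a hypothetical JSON event schema (our assumption).
REQUIRED_FIELDS = {
    "event_type": "what type of event occurred",
    "timestamp": "when (date and time) the event occurred",
    "host": "where the event occurred",
    "source_ip": "the source of the event",
    "outcome": "the outcome (success or failure)",
    "user": "the identity of the user/subject",
}

# Constructed sample log lines. Line 3 has a timestamp without a timezone;
# line 4 lacks two required fields and uses a non-standard outcome value.
SAMPLE_LOG = [
    '{"event_type":"authentication","timestamp":"2024-05-01T10:00:00+00:00",'
    '"host":"vpn01","source_ip":"203.0.113.5","outcome":"failure","user":"jsmith"}',
    '{"event_type":"authentication","timestamp":"2024-05-01T10:00:07+00:00",'
    '"host":"vpn01","source_ip":"203.0.113.5","outcome":"success","user":"asmith"}',
    '{"event_type":"file_write","timestamp":"2024-05-01 10:00:09",'
    '"host":"fs02","source_ip":"10.0.0.8","outcome":"success","user":"svc_backup"}',
    '{"event_type":"authentication","host":"vpn01","outcome":"ok","user":"mjones"}',
]

# Constructed: accounts that HR off-boarded and IT deactivated.
DEACTIVATED_ACCOUNTS = {"jsmith"}


def validate_event(raw: str) -> List[str]:
    """Return the deficiencies of one raw log line; an empty list means it
    meets the minimum content requirement and can be time-correlated."""
    problems: List[str] = []
    try:
        ev = json.loads(raw)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    for field, meaning in REQUIRED_FIELDS.items():
        if ev.get(field) in ("", None):
            problems.append(f"missing {field} ({meaning})")
    ts = ev.get("timestamp")
    if isinstance(ts, str):
        try:
            # Accept a trailing 'Z' on Python versions whose fromisoformat does not.
            parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                problems.append("timestamp has no timezone; cannot be time-correlated")
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    if ev.get("outcome") not in (None, "success", "failure"):
        problems.append("outcome must be 'success' or 'failure'")
    return problems


def detect_deactivated_account_use(events: List[dict], deactivated: set) -> List[dict]:
    """Flag authentication attempts (success or failure) by deactivated accounts.
    A failure still matters: the attempt itself is the indicator."""
    return [
        ev for ev in events
        if ev.get("event_type") == "authentication"
        and str(ev.get("user", "")).lower() in deactivated
    ]


def run(lines: List[str], deactivated: set) -> Tuple[Dict[int, List[str]], List[dict]]:
    """Validate every line, keep the compliant ones, run the detection.
    Returns (rejected lines by index with their problems, detection hits)."""
    rejected: Dict[int, List[str]] = {}
    accepted: List[dict] = []
    for i, line in enumerate(lines):
        problems = validate_event(line)
        if problems:
            rejected[i] = problems
        else:
            accepted.append(json.loads(line))
    return rejected, detect_deactivated_account_use(accepted, deactivated)


if __name__ == "__main__":
    bad, hits = run(SAMPLE_LOG, DEACTIVATED_ACCOUNTS)
    for idx, probs in bad.items():
        print(f"line {idx}: " + "; ".join(probs))
    for hit in hits:
        print(f"ALERT deactivated account {hit['user']} from {hit['source_ip']} on {hit['host']}")
```

Rejected lines should be alerted on as a log processing failure rather than silently dropped, since a source that stops emitting required fields is itself a monitoring gap under "Response To Event Log Processing Failures".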