Status: Live
The organization will develop, disseminate, and review: 1) a formal monitoring thoroughness standard that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the policy. [UCF ID 00641]
Supporting and supported controls
This control directly supports:
- Operationalizing key monitoring and logging concepts [UCF Control ID 00638]
There are no supporting controls.
Authority documents complied with:
The Sarbanes-Oxley Act of 2002, § 104(c); FFIEC IT Examination Handbook – Information Security, Pg 95; FFIEC IT Examination Handbook – Operations, July 2004, Pg 24, Exam Tier I Obj 2.3; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 54; GAO/PCIE Financial Audit Manual (FAM), § 420.05; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, SI-4; The Standard of Good Practice for Information Security, SM7.1.2(c), SM7.1.2(d), CI5.5.4(d), SD2.3.4(d); ISO 17799:2005 Code of Practice for Information Security Management, § 10.10.2; ISO/IEC 27002-2005 Code of practice for information security management, § 10.10.2; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 3; Archer Control Table, ATCS-669
Sarbanes Oxley Guidance
During the inspection, the inspectors must identify any practices and/or omissions that violate the Sarbanes-Oxley Act or violate the rules of the Commission, the organization's quality control policies, and/or professional standards; report any practices or violations to the appropriate authority; and begin formal investigations or take disciplinary action, as appropriate. [§ 104(c), The Sarbanes-Oxley Act of 2002]
The organization's management should develop activities for monitoring the system to ensure it is meeting the objectives of the organization. [Pg 3, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
[Pg 95, FFIEC IT Examination Handbook – Information Security]
Database administrators should monitor the performance of the database for changes in normal activities. [Pg 24, Exam Tier I Obj 2.3, FFIEC IT Examination Handbook – Operations, July 2004]
Payment Card Guidance
When monitoring the transactions and authorizations, the organization should check for identical transaction amounts; multiple transactions from the same Internet Protocol (IP) address; multiple transactions on a single card over a short period of time; transactions on similar account numbers; unusually high volumes; and transactions not using Card Verification Value 2 (CVV2) or Address Verification Service (AVS) for authentication, if the organization uses these methods. [Pg 54, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]
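The six review criteria quoted above, as an added detection example that is not from the VISA guide or from UCF: it scans constructed sample transactions with a trailing time window and reports which criteria each transaction matches. The thresholds, the 12-digit PAN prefix used to define "similar account numbers", and the field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions (test PANs, documentation IP ranges); not real data.
TXNS = [
    {"id": "t1", "ts": "2024-01-01T10:00:00", "pan": "4111111111111111", "ip": "203.0.113.5", "amount": 49.99, "cvv2": True, "avs": True},
    {"id": "t2", "ts": "2024-01-01T10:01:00", "pan": "4111111111111111", "ip": "203.0.113.5", "amount": 49.99, "cvv2": True, "avs": True},
    {"id": "t3", "ts": "2024-01-01T10:02:00", "pan": "4111111111111111", "ip": "203.0.113.5", "amount": 49.99, "cvv2": True, "avs": True},
    {"id": "t4", "ts": "2024-01-01T10:03:00", "pan": "4111111111111127", "ip": "198.51.100.9", "amount": 12.00, "cvv2": False, "avs": True},
    {"id": "t5", "ts": "2024-01-01T15:00:00", "pan": "5555555555554444", "ip": "198.51.100.7", "amount": 12.00, "cvv2": True, "avs": True},
    {"id": "t6", "ts": "2024-01-01T15:05:00", "pan": "5105105105105100", "ip": "198.51.100.7", "amount": 12.00, "cvv2": True, "avs": False},
]


def review(txns, window=timedelta(minutes=10), per_key=3, sim_prefix=12, volume=4):
    """Return {txn_id: [criteria]} for transactions that match any VISA review criterion.

    Thresholds (window, per_key, sim_prefix, volume) are assumed values for illustration.
    """
    txns = sorted(txns, key=lambda t: t["ts"])
    times = [datetime.fromisoformat(t["ts"]) for t in txns]
    flags = defaultdict(list)
    for i, t in enumerate(txns):
        # All transactions in the trailing window that ends at this transaction.
        recent = [u for u, tu in zip(txns, times) if times[i] - window <= tu <= times[i]]
        same_card = [u for u in recent if u["pan"] == t["pan"]]
        same_ip = [u for u in recent if u["ip"] == t["ip"]]
        # Identical amounts on *other* cards (a common card-testing pattern).
        same_amt = [u for u in recent if u["amount"] == t["amount"] and u["pan"] != t["pan"]]
        # "Similar account numbers": other PANs sharing the first sim_prefix digits (assumption).
        similar = [u for u in recent if u["pan"] != t["pan"] and u["pan"][:sim_prefix] == t["pan"][:sim_prefix]]
        if len(same_card) >= per_key:
            flags[t["id"]].append("velocity:card")
        if len(same_ip) >= per_key:
            flags[t["id"]].append("velocity:ip")
        if same_amt:
            flags[t["id"]].append("identical-amount")
        if similar:
            flags[t["id"]].append("similar-account")
        if len(recent) >= volume:
            flags[t["id"]].append("high-volume")
        if not t["cvv2"] or not t["avs"]:
            flags[t["id"]].append("no-cvv2/avs")
    return dict(flags)


if __name__ == "__main__":
    for txn_id, reasons in review(TXNS).items():
        print(txn_id, reasons)
```

Each flag is a review signal, not a verdict; in practice the thresholds are tuned per merchant and the output feeds a manual review queue rather than an automatic decline.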
US Federal Security Guidance
[§ 420.05, GAO/PCIE Financial Audit Manual (FAM)]
NIST Guidance
Organizational records and documents should be examined to ensure monitoring tools and techniques, including those for intrusion detection, network forensics, malicious code, and log monitoring, have been implemented and to ensure specific responsibilities and actions have been defined for the implementation of the information system monitoring tools and techniques control. Any problems discovered during the implementation of the information system monitoring tools and techniques control should be documented and used to improve the controls.
Interviews should be conducted with personnel involved in monitoring the system to ensure a monitoring system is implemented and that the organization is staffed appropriately to monitor the system in accordance with the policy. [SI-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
ISO Guidance
Some areas that should be monitored include authorized accesses; privileged operations; unauthorized access attempts; system alerts; and changes to system security settings. [§ 10.10.2, ISO 17799:2005 Code of Practice for Information Security Management]
Some areas that should be monitored include authorized accesses; privileged operations; unauthorized access attempts; system alerts; and changes to system security settings. [§ 10.10.2, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
The security audit should be thoroughly conducted to ensure all security controls are effective. [SM7.1.2(c), SM7.1.2(d), CI5.5.4(d), SD2.3.4(d), The Standard of Good Practice for Information Security]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of systems for which event and activity logging has been implemented in accordance with policy [UCF Control ID 02102]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
