The organization will develop, disseminate, and review: 1) a formal monitoring thoroughness standard that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the policy. [UCF ID 00641]
Supporting and supported controls
This control directly supports:
• Operationalizing key monitoring and logging concepts [UCF Control ID 00638]
This control has the following supporting controls:
There are no supporting controls.
Authority documents complied with:
BIS Sound Practices for the Management and Supervision of Operational Risk ¶ 28; FFIEC IT Examination Handbook – Information Security Pg 95; FFIEC IT Examination Handbook – Operations Pg 24, Exam Tier I Obj 2.3; The Standard of Good Practice for Information Security SM7.1.2(c), SM7.1.2(d), CI5.5.4(d), SD2.3.4(d); ISO 17799:2005 Code of Practice for Information Security Management § 10.10.2; ISO/IEC 27002-2005 Code of practice for information security management § 10.10.2; Guide for Assessing the Security Controls in Federal Information Systems, NIST 800-53A § SI-4; VISA E-Commerce Merchants Guide to Risk Management Pg. 54; Sarbanes-Oxley Act (SOX) § 104(c); PCAOB Auditing Standard No. 2 § 13; GAO Financial Audit Manual 420.05
Sarbanes Oxley Guidance
§ 104(c) of the Sarbanes-Oxley Act (SOX) states that during the inspection, the inspectors must identify any practices and/or omissions that violate the Sarbanes-Oxley Act or violate the rules of the Commission, the organization's quality control policies, and/or professional standards; report any practices or violations to the appropriate authority; and begin formal investigations or take disciplinary action, as appropriate.
P. 3 of Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control states that the organization's management should develop activities for monitoring the system to ensure it is meeting the objectives of the organization.
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Operations Pg 24, Exam Tier I Obj 2.3 states that database administrators should monitor the performance of the database for changes in normal activities.
Credit Card Guidance
The VISA E-Commerce Merchants Guide to Risk Management Pg. 54 states that when monitoring the transactions and authorizations, the organization should check for identical transaction amounts; multiple transactions from the same Internet Protocol (IP) address; multiple transactions on a single card over a short period of time; transactions on similar account numbers; unusually high volumes; and transactions not using Card Verification Value 2 (CVV2) or Address Verification Service (AVS) for authentication, if the organization uses these methods.
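The six indicators listed above, as an added monitoring check run over constructed authorization records; this is example code written for this page, not code from the VISA guide or the UCF. The record layout, field names, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample authorizations (hypothetical values, not from the guide):
# (id, card number, client IP, amount, timestamp, CVV2 checked, AVS checked)
SAMPLE = [
    ("t1", "4111111111110001", "203.0.113.5", 49.99, "2024-01-01T10:00:00", True, True),
    ("t2", "4111111111110002", "203.0.113.5", 49.99, "2024-01-01T10:01:00", True, True),
    ("t3", "4111111111110003", "203.0.113.5", 49.99, "2024-01-01T10:02:00", False, True),
    ("t4", "5555444433332222", "198.51.100.7", 120.00, "2024-01-01T11:00:00", True, True),
    ("t5", "5555444433332222", "198.51.100.8", 80.00, "2024-01-01T11:03:00", True, True),
    ("t6", "5555444433332222", "198.51.100.9", 15.00, "2024-01-01T11:05:00", True, False),
    ("t7", "4000123412341234", "192.0.2.9", 10.00, "2024-01-01T15:00:00", True, True),
]
FIELDS = ("id", "card", "ip", "amount", "ts", "cvv2", "avs")

def flag_transactions(rows, window=timedelta(minutes=10), repeat=3, prefix_len=12):
    """Map transaction id -> indicator names; thresholds are illustrative assumptions."""
    txns = [dict(zip(FIELDS, r)) for r in rows]
    for t in txns:
        t["ts"] = datetime.fromisoformat(t["ts"])
    flags = defaultdict(set)

    def mark(members, reason):
        for t in members:
            flags[t["id"]].add(reason)
    # Identical amounts and many authorizations from one IP: group and count.
    for key, reason in (("amount", "identical_amount"), ("ip", "same_ip")):
        groups = defaultdict(list)
        for t in txns:
            groups[t[key]].append(t)
        for members in groups.values():
            if len(members) >= repeat:
                mark(members, reason)
    # Similar account numbers: several distinct cards sharing a long prefix.
    cards_by_prefix = defaultdict(set)
    for t in txns:
        cards_by_prefix[t["card"][:prefix_len]].add(t["card"])
    mark([t for t in txns if len(cards_by_prefix[t["card"][:prefix_len]]) >= 2], "similar_account")
    # Velocity on one card and overall volume, over a sliding time window.
    by_time = sorted(txns, key=lambda t: t["ts"])
    for i, start in enumerate(by_time):
        in_window = [u for u in by_time[i:] if u["ts"] - start["ts"] <= window]
        same_card = [u for u in in_window if u["card"] == start["card"]]
        for members, reason in ((same_card, "card_velocity"), (in_window, "high_volume")):
            if len(members) >= repeat:
                mark(members, reason)
    # Authorizations that skipped CVV2 or AVS verification.
    mark([t for t in txns if not (t["cvv2"] and t["avs"])], "no_cvv2_avs")
    return dict(flags)
```

Transactions that trip no indicator are absent from the result, so the returned dictionary is the review queue for the fraud analyst.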
International Standards Organization Guidance
The ISO/IEC 27002-2005 Code of practice for information security management § 10.10.2 states that some areas that should be monitored include authorized accesses; privileged operations; unauthorized access attempts; system alerts; and changes to system security settings.
The ISO 17799:2005 Code of Practice for Information Security Management § 10.10.2 states that some areas that should be monitored include authorized accesses; privileged operations; unauthorized access attempts; system alerts; and changes to system security settings.
Metrics
The metrics associated with this control are as follows:
• Metric Reporting Standard 02102.doc
