
Scan organizational networks for rogue devices.
CONTROL ID
00536
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a testing program., CC ID: 00654

This Control has the following implementation support Control(s):
  • Scan the network for wireless access points., CC ID: 00370
  • Implement incident response procedures when rogue devices are discovered., CC ID: 11880
  • Alert appropriate personnel when rogue devices are discovered on the network., CC ID: 06428
  • Deny network access to rogue devices until network access approval has been received., CC ID: 11852


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Check that there is no unauthorized device connected in the building. (P4.1. ¶ 3(1), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • A few other aspects that also need to be considered include appropriate blocking, filtering and monitoring of electronic mechanisms like e-mail and printing and monitoring for unauthorised software and hardware like password cracking software, key loggers, wireless access points, etc. (Critical components of information security 15) x., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks should regularly scan for unauthorized or misconfigured wireless infrastructure devices, using techniques such as "war driving" to identify access points and clients accepting peer-to-peer connections. Such unauthorized or misconfigured devices should be removed from the network, or have their… (Critical components of information security 28) x., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should implement network access controls to detect and prevent unauthorised devices from connecting to its network. (§ 11.2.4, Technology Risk Management Guidelines, January 2021)
  • Intrusion prevention/intrusion detection systems (IDS/IPS) are integrated into an overall SIEM system (security information and event management) so that events from IDS/IPS can be correlated with other events in order to be able to initiate the required safeguards (countermeasures) resulting from t… (Section 5.9 KOS-01 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Controls should be in place to detect modem scanning attempts on your system. (§ IV.21, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization periodically war-dial its telephone number range to check for new devices? (Table Row IV.19, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization check for signs of rogue tunnels? (Table Row VII.25, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization use network sniffers to evaluate network protocols along with the source and destination of various protocols for stealth port scanning and hacking activity? (Table Row X.7, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization perform routine checks to find rogue access points? (Table Row XIII.18, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The organization should periodically test the WLAN for the presence of unauthorized or rogue bridges, stations, and/or access points. Organizations that do not have a WLAN should also perform wireless screenings periodically. (§ 2.2 (2.2.150), The Center for Internet Security Wireless Networking Benchmark, 1)
  • Test for Unauthorized Access Points (3.2, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Combine manual physical and/or logical inspections of systems and network infrastructure with automated network monitoring and/or scanning, as appropriate. (3.2.4 C, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • An organization must require explicit management approval to use wireless networks in the Cardholder Data Environment (CDE). Any unsanctioned wireless must be removed from CDE. (§ 4.6.1.A, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • System / network monitoring activities should involve discovering the existence of unauthorised systems (e.g., by using network discovery and mapping tools). (CF.10.05.05d, The Standard of Good Practice for Information Security)
  • System / network monitoring activities should involve discovering the existence of unauthorised systems (e.g., by using network discovery and mapping tools). (CF.10.05.05d, The Standard of Good Practice for Information Security, 2013)
  • Limit use of external devices to those with an approved, documented business need. Monitor for use and attempted use of external devices. Configure laptops, workstations, and servers so that they will not auto-run content from removable media, like USB tokens (i.e., “thumb drives”), USB hard dri… (Control 8.3, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should use active tools and passive tools to scan and analyze the network and its traffic. (Critical Control 1.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system must identify all new unauthorized listening network ports inside of 24 hours of being connected to the network and send a notification out to a list of enterprise personnel. In the future, the organization should strive for more rapid alerting. (Control 11 Metric, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary. (CIS Control 12: Sub-Control 12.2 Scan for Unauthorized Connections across Trusted Network Boundaries, CIS Controls, 7.1)
  • Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary. (CIS Control 12: Sub-Control 12.2 Scan for Unauthorized Connections across Trusted Network Boundaries, CIS Controls, V7)
  • Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently. (CIS Control 1: Safeguard 1.5 Use a Passive Asset Discovery Tool, CIS Controls, V8)
  • Procedures are in place to detect the introduction of unknown or unauthorized components. (CC7.1 ¶ 2 Bullet 4 Detects Unknown or Unauthorized Components, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the syste… (CC7.2 ¶ 2 Bullet 2 Designs Detection Measures, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Monitoring for unauthorized personnel, connections, devices, and software is performed. (DE.CM-7, CRI Profile, v1.2)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]]. (SI-4(22) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Procedures are in place to detect the introduction of unknown or unauthorized components. (CC7.1 Detects Unknown or Unauthorized Components, Trust Services Criteria)
  • Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the syste… (CC7.2 Designs Detection Measures, Trust Services Criteria)
  • Procedures are in place to detect the introduction of unknown or unauthorized components. (CC7.1 ¶ 2 Bullet 4 Detects Unknown or Unauthorized Components, Trust Services Criteria, (includes March 2020 updates))
  • Detection measures are designed to identify anomalies that could result from actual or attempted (1) compromise of physical barriers; (2) unauthorized actions of authorized personnel; (3) use of compromised identification and authentication credentials; (4) unauthorized access from outside the syste… (CC7.2 ¶ 2 Bullet 2 Designs Detection Measures, Trust Services Criteria, (includes March 2020 updates))
  • Is approval required prior to connecting any Digital Subscriber Line phone lines to a desktop or other Access Point directly connected to the company-managed network? (§ G.11.19, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • The organization must implement an automated method to examine a sample of network systems for the availability of unnecessary network services. This must be accomplished at least weekly and on demand. A complete review must be conducted at least monthly and on demand. (CSR 1.13.10, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The Information Assurance Officer, to discover undocumented network connections, will inspect the network semi-annually. (§ 3.2.2 (MED0020: CAT II), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • Examine the ssa (system security architecture) to ensure that the iatc (interim approval to connect) and/or atc (approval to connect) exists. (EBCR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Asks federal agencies to consider installing systems that continuously check for unauthorized connections to their networks. (Pg 47, The National Strategy to Secure Cyberspace, February 2003)
  • Has processes to monitor, identify, and remove shadow IT that can be evaluated by internal audit. (App A Objective 4:5f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Considers the use of IT detection tools to monitor for and identify shadow IT. (App A Objective 4:5c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Includes considerations for avoiding the potential for shadow IT and the capability to monitor and alert for its use. (App A Objective 12:4d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identifies unauthorized technology assets and determines their disposition. (App A Objective 13:2a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Establishes IT governance practices and security controls for shadow IT, including policies, standards, and procedures. (App A Objective 4:5a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Considers appropriate methods to address shadow IT, including: (App A Objective 4:5e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management understands and communicates the risks of shadow IT to entity personnel. Additionally, determine whether internal audit evaluates management's processes to monitor, identify, and remove unapproved devices, software, or services. Assess whether management performs the fol… (App A Objective 4:5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Processes to prevent and detect unknown or unapproved technology (called shadow IT). (III.B Action Summary ¶ 2 Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Development of appropriate design objectives, including changes, EOL, and identification of shadow IT. (IV Action Summary ¶ 2 Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Employs automated mechanisms [FedRAMP Assignment: Continuously, using automated mechanisms with a maximum five-minute delay in detection.] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]]. (SI-4(22) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Employs automated mechanisms [FedRAMP Assignment: Continuously, using automated mechanisms with a maximum five-minute delay in detection.] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and (SI-4(22)(a), FedRAMP Security Controls High Baseline, Version 5)
  • [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected. (SI-4(22)(b), FedRAMP Security Controls High Baseline, Version 5)
  • Detect the presence of unauthorized hardware, software, and firmware components within the system using [FedRAMP Assignment: automated mechanisms with a maximum five-minute delay in detection.] [FedRAMP Assignment: continuously]; and (CM-8(3)(a), FedRAMP Security Controls High Baseline, Version 5)
  • Detect the presence of unauthorized hardware, software, and firmware components within the system using [FedRAMP Assignment: automated mechanisms with a maximum five-minute delay in detection.] [FedRAMP Assignment: continuously]; and (CM-8(3)(a), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (CM-8(3)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected. (SI-4(22)(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and (SI-4(22)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (CM-8(3)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Calls for Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Monitoring for unauthorized personnel, connections, devices, and software is performed (DE.CM-7, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Monitoring for unauthorized personnel, connections, devices, and software is performed (DE.CM-7, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Test the system by connecting unauthorized portable and mobile devices to the system and ensure the unauthorized devices are detected and identified by the organization's personnel. (AC-19.4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3) ¶ 1(a) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3) ¶ 1(a) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should use wireless sniffers and other tools to periodically check for rogue access points (APs) and unauthorized access. (§ 6.1(WLAN security assessments), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • Detect exploits against targeted networks and hosts and react accordingly. (T0644, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform or support technical network analysis and mapping. (T0850, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct nodal analysis. (T0617, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must monitor the smart grid Information System for unauthorized connections from mobile devices. (SG.AC-17 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms to detect, on a predefined frequency, the addition of unauthorized components or devices to the system. (App F § CM-8(3)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should protect from unauthorized physical connections across boundary protections by implementing an organization-defined list of managed interfaces. (App F § SC-7(14), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Detect exploits against targeted networks and hosts and react accordingly. (T0644, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct nodal analysis. (T0617, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Perform or support technical network analysis and mapping. (T0850, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization employs automated mechanisms {organizationally documented frequency} to detect the presence of unauthorized hardware, software, and firmware components within the information system. (CM-8(3)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The organization employs automated mechanisms {organizationally documented frequency} to detect the presence of unauthorized hardware, software, and firmware components within the information system. (CM-8(3)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4, Deprecated)
  • The organization employs automated mechanisms {organizationally documented frequency} to detect the presence of unauthorized hardware, software, and firmware components within the information system. (CM-8(3)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4, Deprecated)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]]. (SI-4(22) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (CM-8(3)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and (SI-4(22)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected. (SI-4(22)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and (CM-8(3)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and (SI-4(22)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected. (SI-4(22)(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employs automated mechanisms [TX-RAMP Assignment: Continuously, using automated mechanisms with a maximum five-minute delay in detection] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and (CM-8(3)(a), TX-RAMP Security Controls Baseline Level 2)
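Several of the citations above (CIS Control 1 Safeguard 1.5 on passive asset discovery, NIST SP 800-53 CM-8(3) on detecting unauthorized hardware, SI-4(22) on detecting unauthorized network services, and the OECD / World Bank item on checking where protocols are sourced) come down to the same mechanic: compare what is actually seen on the wire with the authorized asset inventory and raise a finding for anything that does not match. The following is an added example of that comparison and is not code from any of the authority documents listed on this page. The inventory, the approved-port lists, the observed hosts and the tiny OUI table are all constructed for illustration; in practice the observations would come from a passive discovery sensor, switch MAC/ARP tables or DHCP lease logs, and vendor lookups would use the IEEE OUI registry.

```python
"""Rogue-device check: hosts observed on the network vs. the authorized inventory.

Added example, not taken from any document cited on this page. All inventory
rows, approved ports and observations below are constructed sample data.
"""
from dataclasses import dataclass
import re
from typing import Dict, FrozenSet, Iterable, List, Set

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff (Cisco
    style) and return the canonical colon-separated lower-case form, so that
    an inventory exported from one tool can be matched against observations
    from another."""
    raw = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """First three octets of the MAC; used only to hint at the vendor of an unknown device."""
    return normalize_mac(mac)[:8]


# Illustrative vendor hints only (assumed subset); a real check uses the full IEEE OUI registry.
OUI_HINTS = {"b8:27:eb": "Raspberry Pi Foundation"}


@dataclass(frozen=True)
class Asset:            # one row of the authorized inventory
    hostname: str
    vlan: int
    allowed_ports: FrozenSet[int]


@dataclass(frozen=True)
class Observation:      # one host as seen on the wire
    mac: str
    ip: str
    vlan: int
    listening: FrozenSet[int]


@dataclass(frozen=True)
class Finding:
    kind: str           # rogue_device | unapproved_service | wrong_segment | duplicate_ip
    mac: str
    ip: str
    detail: str


def find_rogues(observed: Iterable[Observation], inventory: Dict[str, Asset]) -> List[Finding]:
    """Compare observations against the inventory and return every mismatch."""
    inv = {normalize_mac(m): a for m, a in inventory.items()}
    findings: List[Finding] = []
    macs_by_ip: Dict[str, Set[str]] = {}
    for obs in observed:
        mac = normalize_mac(obs.mac)
        macs_by_ip.setdefault(obs.ip, set()).add(mac)
        asset = inv.get(mac)
        if asset is None:                       # CM-8(3): hardware not in the inventory
            vendor = OUI_HINTS.get(oui(mac), "unknown vendor")
            findings.append(Finding("rogue_device", mac, obs.ip, f"not in inventory ({vendor})"))
            continue
        if obs.vlan != asset.vlan:              # known device plugged into the wrong segment
            findings.append(Finding("wrong_segment", mac, obs.ip,
                                    f"{asset.hostname} expected on VLAN {asset.vlan}, seen on {obs.vlan}"))
        extra = sorted(obs.listening - asset.allowed_ports)
        if extra:                               # SI-4(22): service not on the approved list
            findings.append(Finding("unapproved_service", mac, obs.ip,
                                    f"{asset.hostname} listening on {extra}"))
    # Two MACs claiming one IP: a misconfigured rogue, or ARP spoofing of a known host.
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            for mac in sorted(macs):
                findings.append(Finding("duplicate_ip", mac, ip, f"IP shared by {len(macs)} MACs"))
    return findings


# Constructed sample inventory (mixed MAC notations on purpose) and observations.
INVENTORY = {
    "00:11:22:33:44:01": Asset("fileserver", 10, frozenset({22, 445})),
    "00-11-22-33-44-02": Asset("jumpbox", 10, frozenset({22})),
    "0011.2233.4404": Asset("printer", 20, frozenset({9100})),
}
OBSERVED = [
    Observation("00:11:22:33:44:01", "10.0.10.11", 10, frozenset({22, 445})),   # clean
    Observation("00:11:22:33:44:02", "10.0.10.12", 10, frozenset({22, 8080})),  # extra service
    Observation("b8:27:eb:12:34:56", "10.0.10.50", 10, frozenset({80})),        # unknown device
    Observation("00:11:22:33:44:04", "10.0.10.60", 10, frozenset({9100})),      # printer on wrong VLAN
    Observation("00:11:22:33:44:05", "10.0.10.12", 10, frozenset()),            # unknown, shares jumpbox IP
]


def run_check() -> List[Finding]:
    return find_rogues(OBSERVED, INVENTORY)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f.kind:19} {f.mac}  {f.ip:12} {f.detail}")
```

Against the sample data the check reports six findings: one unapproved service on the jumpbox, two unknown devices, the printer on the wrong VLAN, and a duplicate-IP finding for each of the two MACs sharing 10.0.10.12. The duplicate-IP pass is the one to keep even when the inventory is trusted, since a device that spoofs a known host's MAC passes the inventory lookup but still shows up as a second claimant on the same address.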