Establish, implement, and maintain intrusion management operations.


CONTROL ID
00580
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain logging and monitoring operations., CC ID: 00637

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain an intrusion detection and prevention policy., CC ID: 15169
  • Install and maintain an Intrusion Detection System and/or Intrusion Prevention System., CC ID: 00581
  • Protect each person's right to privacy and civil liberties during intrusion management operations., CC ID: 10035
  • Determine if honeypots should be installed, and if so, where the honeypots should be placed., CC ID: 00582
  • Monitor systems for inappropriate usage and other security violations., CC ID: 00585
  • Update the intrusion detection capabilities and the incident response capabilities regularly., CC ID: 04653
  • Implement honeyclients to proactively seek for malicious websites and malicious code., CC ID: 10658
  • Implement detonation chambers, where appropriate., CC ID: 10670


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Based on the levels of impact of incidents or failures, the organization must define a reporting system and procedures that allow the most appropriate action to be taken quickly after an incident to keep the effects to a minimum. This is a control item that constitutes a greater risk to financial in… (App 2-1 Item Number IV.2(10), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O60: The organization shall establish a monitoring system and determine the procedures for monitoring and the items to monitor. O79: The organization shall establish and maintain a monitoring group and define what to monitor in the computer center and at the head and branch offices and how to monito… (O60, O79, T48, T50.2(2), T51, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The FI should implement network surveillance and security monitoring procedures with the use of network security devices, such as intrusion detection and prevention systems, to protect the FI against network intrusion attacks as well as provide alerts when an intrusion occurs. (§ 9.6.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • To facilitate early detection and prompt remediation of suspicious or malicious systems activities, the FI should implement detection and response mechanisms to perform scanning of indicators of compromise (IOCs) in a timely manner, and proactively monitor systems', including endpoint systems', proc… (§ 11.3.5, Technology Risk Management Guidelines, January 2021)
  • System owners are consulted before allowing targeted cyber intrusion activity to continue on a system for the purpose of collecting further information or evidence. (Security Control: 1609; Revision: 0, Australian Government Information Security Manual, March 2021)
  • System owners are consulted before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence. (Control: ISM-1609; Revision: 2, Australian Government Information Security Manual, June 2023)
  • System owners are consulted before allowing intrusion activity to continue on a system for the purpose of collecting further data or evidence. (Control: ISM-1609; Revision: 2, Australian Government Information Security Manual, September 2023)
  • The organization must develop, maintain, and implement tools and procedures that incorporate intrusion detection strategies for detecting potential cyber security incidents. (Control: 0120 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must develop, implement, and maintain an intrusion detection and prevention strategy that includes intrusion detection and prevention measures. (Control: 0576 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must develop, implement, and maintain an intrusion detection and prevention strategy that includes analyzing event logs, including Intrusion Detection System logs and Intrusion Prevention System logs. (Control: 0576 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must develop, implement, and maintain an intrusion detection and prevention strategy that includes periodically auditing the intrusion detection and prevention procedures. (Control: 0576 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization must develop, implement, and maintain an intrusion detection and prevention strategy that includes information security awareness and training programs. (Control: 0576 Bullet 4, Australian Government Information Security Manual: Controls)
  • The organization must develop, implement, and maintain an intrusion detection and prevention strategy that includes a documented incident response plan. (Control: 0576 Bullet 5, Australian Government Information Security Manual: Controls)
  • The organization must develop, implement, and maintain an intrusion detection and prevention strategy that includes detecting cyber security incidents and attempted network intrusions on gateways and providing realtime alerts. (Control: 0576 Bullet 6, Australian Government Information Security Manual: Controls)
  • The organization should detect and report information technology security breaches in a timely way. (¶ 26(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The policy framework should include the management of intrusion detection and intrusion protection. (¶ 27(d), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should document the incident monitoring procedures. (Attach E ¶ 3(f), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • outlining the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it; (Art. 6.8.(e), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • App 1 ¶ 6: The contractor shall notify the security authority when it or any of its employees discovers or suspects that an unauthorized person is seeking or has sought to directly or indirectly obtain information about any secret matter. App 1 Annex ¶ 6: The second party shall notify the security… (App 1 ¶ 6, App 1 Annex ¶ 6, The Contractual process, Version 5.0 October 2010)
  • Does the organization conduct 24x7 monitoring and intrusion detection as a part of the cyber intelligence gathering? (Table Row III.5, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • What actions does the organization take if a virus is discovered? (Table Row VIII.3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • An intrusion detection system monitors network activity and reports suspicious activity. Either a host-based intrusion detection system or a network-based intrusion detection system should be implemented. (Pg 130, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • The organization should implement a regulatory compliance program that responds promptly to detected problems and takes corrective action as needed. (CORE - 4(c), URAC Health Utilization Management Standards, Version 6)
  • Verify the use of Intrusion Detection Systems and/or Intrusion Prevention Systems and that all traffic in the cardholder data environment is monitored. (§ 11.4.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine the system configurations and the network diagrams to verify methods have been implemented to monitor traffic at the cardholder data environment perimeter. (Testing Procedures § 11.4.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the system configurations and the network diagrams to verify methods have been implemented to monitor traffic at the cardholder data environment critical points. (Testing Procedures § 11.4.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify the use of intrusion-detection systems and/or intrusion-prevention systems and that all traffic in the cardholder data environment is monitored. (§ 11.4.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. (§ 11.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Intrusion detection techniques and/or intrusion prevention techniques must be used to detect and/or prevent network intrusions. (PCI DSS Requirements § 11.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Are intrusion-detection and/or intrusion-prevention techniques that detect and/or prevent intrusions into the network in place to monitor all traffic: - At the perimeter of the cardholder data environment, and - At critical points in the cardholder data environment (11.4 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • An organization will maintain a list of all wireless devices and personnel authorized to use the devices. (§ 4.6.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Key technical controls that should be included in a well-managed IT environment are implementing and continuously monitoring intrusion and vulnerability assessment, prevention, and detection methods and regularly testing the intrusion detection system. (§ 5.3.5 ¶ 4, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The emergency response program should include the following: escalation protocols; evacuation planning and assembly; hazmat response and spill control; damage assessment and reporting; salvage and reclamation; medical response; and specialty issues, including first aid and fire brigades. (§ 6 ¶ 1, IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management)
  • The organization must implement an effective privacy program that includes plans to respond to detected problems and take corrective action. (§ 2.2 (Privacy Controls) ¶ 2, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The organization must develop and maintain at least one strategic program for prevention and deterrence to deter, eliminate, avoid, or prevent the likelihood of a disruptive incident and its consequences and at least one strategic program for mitigation to minimize the effect of any disruptive incid… (§ 4.3.3 ¶ 5(a), § 4.3.3 ¶ 5(b), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Sensors should be designed to initiate alarms when the event being monitored for occurs, electrical power is lost, the device short circuits or grounds, the sensor fails, or the sensor's control panel is tampered with. Indoor units should operate from 32 degrees Fahrenheit to 120 degrees Fahrenheit.… (Pg 5-I-6, Protection of Assets Manual, ASIS International)
  • Regular reviews of servers, mobile devices, and consumer devices should be performed to ensure that emergency procedures are in place to deal with a malware-related information security incident. (CF.10.03.07d, The Standard of Good Practice for Information Security)
  • Intrusion detection mechanisms should identify activity typically associated with malware. (CF.10.06.03b, The Standard of Good Practice for Information Security)
  • Intrusion detection mechanisms should identify known attack characteristics (e.g., Denial of Service and buffer overflows). (CF.10.06.03c, The Standard of Good Practice for Information Security)
  • Network Intrusion Detection sensors (i.e., specialist hardware used to identify unauthorized activity in network traffic) should be protected against attack (e.g., by preventing the transmission of any outbound network traffic or by using a network tap to hide the presence of the sensor). (CF.10.06.06, The Standard of Good Practice for Information Security)
  • The organization's information security incident management process should comprise additional activities relating to customers, which include agreeing predetermined times (e.g., 24 hours a day, 365 days a year) that support will be available. (CF.05.01.09b, The Standard of Good Practice for Information Security)
  • Comprehensive continuity and contingency plans should be developed to deal with the possible compromise or suspected compromise of the Public Key Infrastructure (e.g., invalidate the Root Certification Authority and any sub-certification authorities, and revoke all corresponding digital certificates… (CF.08.06.09b, The Standard of Good Practice for Information Security)
  • Threats relating to extraction of information should be mitigated by augmenting the organization's information security incident management Process (e.g., by adding specific cybercrime-related procedures and guidelines). (CF.11.02.06a, The Standard of Good Practice for Information Security)
  • Intrusion detection mechanisms should be employed for critical business applications, systems, and networks to identify predetermined and new types of attack. (CF.10.06.01, The Standard of Good Practice for Information Security)
  • The crisis management process should include a method of gaining approval for recommended actions within a critical timescale. (CF.20.04.05a, The Standard of Good Practice for Information Security)
  • The crisis management process should include a method of enabling critical decisions to be made promptly. (CF.20.04.05b, The Standard of Good Practice for Information Security)
  • Regular reviews of servers, mobile devices, and consumer devices should be performed to ensure that emergency procedures are in place to deal with a malware-related information security incident. (CF.10.03.07d, The Standard of Good Practice for Information Security, 2013)
  • Intrusion detection mechanisms should identify activity typically associated with malware. (CF.10.06.03b, The Standard of Good Practice for Information Security, 2013)
  • Intrusion detection mechanisms should identify known attack characteristics (e.g., Denial of Service and buffer overflows). (CF.10.06.03c, The Standard of Good Practice for Information Security, 2013)
  • Network Intrusion Detection sensors (i.e., specialist hardware used to identify unauthorized activity in network traffic) should be protected against attack (e.g., by preventing the transmission of any outbound network traffic or by using a network tap to hide the presence of the sensor). (CF.10.06.06, The Standard of Good Practice for Information Security, 2013)
  • The organization's information security incident management process should comprise additional activities relating to customers, which include agreeing predetermined times (e.g., 24 hours a day, 365 days a year) that support will be available. (CF.05.01.09b, The Standard of Good Practice for Information Security, 2013)
  • Comprehensive continuity and contingency plans should be developed to deal with the possible compromise or suspected compromise of the Public Key Infrastructure (e.g., invalidate the Root Certification Authority and any sub-certification authorities, and revoke all corresponding digital certificates… (CF.08.06.09b, The Standard of Good Practice for Information Security, 2013)
  • Threats relating to extraction of information should be mitigated by augmenting the organization's information security incident management Process (e.g., by adding specific cybercrime-related procedures and guidelines). (CF.11.02.06a, The Standard of Good Practice for Information Security, 2013)
  • Intrusion detection mechanisms should be employed for critical business applications, systems, and networks to identify predetermined and new types of attack. (CF.10.06.01, The Standard of Good Practice for Information Security, 2013)
  • The crisis management process should include a method of gaining approval for recommended actions within a critical timescale. (CF.20.04.05a, The Standard of Good Practice for Information Security, 2013)
  • The crisis management process should include a method of enabling critical decisions to be made promptly. (CF.20.04.05b, The Standard of Good Practice for Information Security, 2013)
  • Security information and event management tools should be configured (often referred to as tuning) to identify expected events (to help reduce review and investigation activities for legitimate business events). (CF.10.04.09a, The Standard of Good Practice for Information Security, 2013)
  • Security information and event management tools should be configured (often referred to as tuning) to detect unexpected events (to help reduce the likelihood of false positives and false negatives). (CF.10.04.09b, The Standard of Good Practice for Information Security, 2013)
  • The network monitoring systems should be focused on trying to detect unexplained packets that are bound for the Internet. They may be an indication of malicious code being installed on the system. (Special Action 1.3, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization should develop plans for deploying filters on internal networks to stop an intruder or malware from spreading. (Critical Control 13.11, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks. (IVS-09, Cloud Controls Matrix, v4.0)
  • Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis. (TVM-04, Cloud Controls Matrix, v4.0)
  • ¶ 8.2.4(6) Network Management. An organization should implement safeguards to achieve network management, which includes planning, operation and administration of networks. The proper configuration and administration of networks is an effective means to reduce risks. Safeguards in the area of netwo… (¶ 8.2.4(6), ¶ 9.2 Table Row "Intrusion Detection", ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Intrusion Detection. As network connections increase, it will become easier for intruders to: • find multiple ways to penetrate an organization's IT systems and networks, • disguise their initial point of access, and • access through networks and target internal IT systems. Further, intruders … (¶ 13.5, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The audit log should have the ability to use heuristics, signature events, and intrusion scenarios to determine if a violation is imminent. Events that can lead to intrusion include the deletion of the password file or the attempt by a remote to gain administrative privileges. (§ 8.3, § C.4, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • To deal with information security incidents and weaknesses, including physical ones, the organization should establish a formal set of procedures that includes detecting all information security incidents and weaknesses, along with the related escalation procedures and channels; logging and reportin… (§ 5.7.1, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The information system discovers, collects, distributes, and uses indicators of compromise. (SI-4(24) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The entity's security policies include identifying and mitigating security breaches and other incidents. (Security Prin. and Criteria Table § 1.2 j, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system availability and related security policies include identifying and mitigating system availability and related security breaches and other incidents. (Availability Prin. and Criteria Table § 1.2 j, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system processing integrity and related security policies include identifying and mitigating errors and omissions and other system processing integrity and related security breaches and other incidents. (Processing Integrity Prin. and Criteria Table § 1.2 j, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's policies related to the system's protection of confidential information and security include handling confidentiality and related security breaches and other incidents. (Confidentiality Prin. and Criteria Table § 1.2 j, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The privacy incident and breach management program should include procedures to identify, manage, and resolve privacy incidents and breaches. (Table Ref 1.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The security program, in relation to protecting personal information, should include procedures for detecting actual and attempted intrusions and attacks. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization must monitor and respond to incidents. (§ 14, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • An incident management system that directs, controls, and coordinates response and recovery operations must be developed by the organization. (§ 5.9.1, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Does the Intrusion Detection System include event feeds into the incident management process? (§ G.11.18.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Does the Intrusion Prevention System include event feeds into the incident management process? (§ G.11.18.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are there documented policies and procedures to detect and report unauthorized acquisition, use, or disclosure of Protected Health Information to a client (Covered Entity)? (§ P.2.2, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • CMS business partners shall use security policies and procedures to determine if a security incident is reportable. After receiving a report, the system security officer shall immediately analyze the situation to determine if an incident occurred. Reportable incidents include unauthorized disclosure… (§ 3.6 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 1.6.1: The organization must implement the following controls to identify and report security incidents: security incident procedures; response procedures; reporting procedures; procedures for regularly reviewing information system activity records; and processes for modifying incident handling … (CSR 1.6.1, CSR 2.6.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems; (§ III.C(1)(f), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Controls and measures should be implemented to identify and report suspicious transactions. (Pg 11, Obj 13 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Review the organization's system for monitoring, identifying, reviewing, and reporting suspicious activities to ensure it is adequate. (Pg 11, Obj 13 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Measures appropriate to the sensitivity of the data and the size, scope, and complexity of the business entity's activities must be developed to detect all actual and attempted unlawful, fraudulent, or unauthorized access to or use, disclosure, or alteration of sensitive personally identifiable info… (§ 302(a)(4)(B)(ii), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • The organization's IT system will contain multilevel safeguards, allowing the system to both log and detect viruses, security violations, and tampering. (Pg 46, C-TPAT Supply Chain Security Best Practices Catalog)
  • The Information Assurance Officer must develop procedures for remote users for incident handling and response. (§ 3.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • When a Classified Message Incident (CMI) occurs on a Sensa Windows Mobile device or system, an organization must take the following actions. All components must establish Incident Handling and Response procedures. A CMI or "data spill" occurs when a classified e-mail is inadvertently sent on an uncl… (§ 2.1 (WIR1010), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • If a classified message is sent to an unclassified system, procedures should be in effect for incident handling and response. The BlackBerry Enterprise Server and the BlackBerry should be treated as classified equipment until they are destroyed or sanitized. (§ 2.1 (WIR1010), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4)
  • A Classified Message Incident (CMI) occurs when a classified message is sent on an unclassified network and received on a Windows Mobile device. Windows Mobile devices are not authorized for classified data. When this occurs, the Good Mobile Management, Good Mobile Intranet and Mail server(s) and Mi… (§ 2.2 (WIR3010), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • A Classified Message Incident (CMI) occurs when a classified message is sent on an unclassified network and received on a Windows Mobile device. Windows Mobile devices are not authorized for classified data. When this occurs, the Sensa Management and Mail server(s) and Microsoft Exchange and Trust D… (§ 2.2 (WIR2010), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • Use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution. (IR.4.100, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Use knowledge of attacker tactics, techniques, and procedures in incident response planning and execution. (IR.4.100, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Suspected or known security incidents shall be identified and responded to, harmful effects shall be mitigated to the extent practicable, and the security incidents and its outcomes shall be documented. (§ 164.308(a)(6)(ii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The facility must deter, detect, and delay attacks to create time between when the attack is detected and when the attack is successful. (§ 27.230(a)(4), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • Intrusion Detection Programs are encouraged. (Pg 47, The National Strategy to Secure Cyberspace, February 2003)
  • An agency shall establish an operational incident handling capability for agency Information Systems that includes preparation, detection, analysis, containment, recovery, and user response activities. (§ 5.3 ¶ 1(i), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The federal bureau of investigation criminal justice information services division shall manage and maintain the Computer Security Incident Response Capability. (§ 5.3.1.1.1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The Incident Command System (ICS) is used to effectively and efficiently manage and integrate personnel, facilities, equipment, and more. The ICS must be scalable, perform according to a standard set of procedures, use common procedures and terminology to allow different organizations to work togeth… (Chap II.A.1, National Incident Management System (NIMS), Department of Homeland Security, December 2008)
  • Determine whether the intrusion detection and incident response plan considers facility and systems changes that may exist when alternate facilities are used. (Exam Tier I Obj 7.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should have procedures to identify undetected system intrusions. (Pg 29, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • An intrusion detection system should be implemented and configured to protect the retail payment system from unauthorized access. (Pg 33, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Says to monitor actual or attempted unauthorized, unusual, or sensitive access. SS-2.1 states that policies and techniques should be implemented that make it possible to use and monitor use of system utilities. All policies should be documented and staff should be made aware of them. Policies shoul… (AC-4.2, SS-2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The service provider must define any additional compromise indicators. (Column F: SI-4(5), FedRAMP Baseline Security Controls)
  • The information system discovers, collects, distributes, and uses indicators of compromise. (SI-4(24) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization must implement intrusion detection tools and techniques to detect attacks, identify unauthorized use, and monitor system events. (§ 5.6.16, Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are all platforms, e.g., UNIX, Novell, and Windows NT, being monitored? (IT - IDS IPS Q 12, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union have implemented policies and procedures for addressing incidents and events? (IT - Security Program Q 4, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • There are possible precursors of a malicious code attack. These will help detect an incident. Table 5-1 lists possible precursors of a malicious code attack, explains why actions might be performed, and provides recommended responses to potentially prevent an incident. Malicious actions and potentia… (§ 5.3, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • WLANs should have intrusion detection systems installed and implemented. (Table 8-1 Item 10, Table 8-2 Item 20, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Calls for System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor inform… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed. (PR.IP-9, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Detected events are analyzed to understand attack targets and methods. (DE.AE-2, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • The organization should implement a wireless intrusion detection and prevention system (WIDPS) for WLANs. WIDPS should be updated to recognize IEEE 802.11n, so APs will be recognized and not reported as being rogue. (§ 6.3.2, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • There are two basic types of intrusion detection systems: host-based IDS and network-based IDS. The section discusses the flaws in each type. It offers general advice, such as ensuring someone in an organization has a thorough understanding of the flow of data across networks and systems so they ca… (§ 3.7, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002)
  • Determine tactics, techniques, and procedures (TTPs) for intrusion sets. (T0290, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. (App F § IR-4.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use automated mechanisms to support the incident handling process. (App F § IR-4(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must heighten monitoring activities whenever there is an indication of increased risk to operations, assets, individuals, organizations, or the nation based on intelligence information, law enforcement information, or other credible information sources. (App F § SI-4.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must obtain a legal opinion about monitoring activities in accordance with federal laws, executive orders, policies, directives, or regulations. (App F § SI-4.e, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot prevent non-privileged users from circumventing the intrusion detection and prevention capabilities. (App I § SI-4 Control Enhancement: (6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Determine tactics, techniques, and procedures (TTPs) for intrusion sets. (T0290, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization employs automated mechanisms to support the incident handling process. (IR-4(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to support the incident handling process. (IR-4(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to support the incident handling process. (IR-4(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system discovers, collects, distributes, and uses indicators of compromise. (SI-4(24) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources]. (SI-4(24) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources]. (SI-4(24) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The cyber security program must be able to apply and maintain a defense-in-depth protective strategy to ensure it can detect, respond to, and recover from cyber attacks. (§ 73.54(c)(2), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)
  • The organization should have procedures in place for handling exception situations and files that exceed the exposure limit. (Exposure Limits, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004)
  • Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems; (§ III. C. 1.(f), Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • The security plan shall include capabilities to help users when a security incident occurs and to share information about common vulnerabilities and threats. (§ A.3.a.2.d, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • Use intrusion detection technology and procedures to ensure rapid detection of unauthorized access to higher-risk personal information. (Part I ¶ 9, California OPP Recommended Practices on Notification of Security Breach, May 2008)
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any of these actions; (§ Section 11. (1)(i), Montana Consumer Data Privacy Act 2023)
  • Detecting, preventing and responding to intrusions; (§ 646A.622(2)(d)(C)(ii), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)