
Monitor for suspicious activities and react when they are detected.


CONTROL ID
00586
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain logging and monitoring operations., CC ID: 00637

This Control has the following implementation support Control(s):
  • Erase payment applications when suspicious activity is confirmed., CC ID: 12193
  • Report a data loss event when non-truncated payment card numbers are outputted., CC ID: 04741
  • Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information., CC ID: 04727
  • Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records., CC ID: 04728
  • Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form., CC ID: 04740
  • Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner., CC ID: 04729
  • Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact., CC ID: 04742


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • As regards staff members who are allowed to transmit data to outside networks/systems through legitimate channels such as corporate e-mails, AIs should put in place effective system controls for prompt detection of unusual or potentially suspicious activities regarding access or transmission of cons… (Annex D. ¶ 2, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • AIs should have a robust and effective automated fraud monitoring mechanism in place to detect, in a timely manner, suspicious Internet banking transactions and unusual activities ideally after taking into account their customers' Internet banking usage and behavioural patterns. For e-banking servi… (§ 8.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • The organization shall develop response procedures to deal with any illicit acts that are detected in the future. (O103.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • It is necessary to specify a procedure that should be followed when illicit acts are detected. (P112.4., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For the purpose of preventing crimes such as the installation of illicit card information readers, the convenience store ATM and its surroundings should be checked during patrolling activities for any suspicious devices. In addition, in consideration of the recent crime trends, the patrolling person… (P127.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Network Behaviour Analysis (NBA) - Network wide anomaly-detection tools will provide data on traffic patterns that are indicative of an incident. Once an incident has been identified through the use of these tools, it is important to capture that information for the purposes of supporting further mi… (Critical components of information security 17) xvi.c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks providing internet banking should be responsive to unusual network traffic conditions/system performance and sudden surge in system resource utilization which could be an indication of a DDoS attack. Consequently, the success of any pre-emptive and reactive actions depends on the deployment of… (Critical components of information security 26) a., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Similar to other systems, the FI should monitor IoT devices for suspicious or anomalous system activities so that prompt actions can be taken to isolate compromised devices. (§ 11.5.5, Technology Risk Management Guidelines, January 2021)
  • A process should be established to investigate suspicious transactions or payments and to ensure issues are adequately and promptly addressed. (§ 14.3.2, Technology Risk Management Guidelines, January 2021)
  • A process should be established to ensure timely escalation to relevant stakeholders regarding suspicious or anomalous system activities or user behaviour. (§ 12.2.6, Technology Risk Management Guidelines, January 2021)
  • Cyber security events and anomalous activities are detected, collected, correlated and analysed in a timely manner. (D1:, Australian Government Information Security Manual, March 2021)
  • The procedures for detecting potential cyber security incident should be included in the Standard Operating Procedures for the information technology security officer. (Control: 0790 Table Row "Cyber security incidents", Australian Government Information Security Manual: Controls)
  • Detection mechanisms typically include scanning, sensing and logging mechanisms which can be used to identify potential information security incidents. Monitoring processes could include the identification of unusual patterns of behaviour and logging that facilitates investigation and preserves fore… (67., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • timely detection and reporting of IT security breaches. This minimises the time in which a compromise of an IT asset can impact on a regulated institution; (¶ 26(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 17, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure (Art. 10.1. ¶ 1, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subs… (DS5.5 Security Testing, Surveillance and Monitoring, CobiT, Version 4.1)
  • Implement a methodology for the timely identification of attack patterns and undesirable behavior across systems—for example, using coordinated manual reviews and/or centrally managed or automated log-correlation tools—to include at least the following: (A3.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Identification of anomalies or suspicious activity as it occurs (A3.5.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • A methodology is implemented for the prompt identification of attack patterns and undesirable behavior across systems that includes: (A3.5.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Identification of anomalies or suspicious activity as it occurs. (A3.5.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and interview personnel to verify a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a prompt manner, and includes all elements specified in this requirement. (A3.5.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • The organization must develop resource management objectives and timeframes when the following will be needed from the organization's resources and that of a partner: personnel, response times, training, facilities, equipment, funding, liability control, insurance, materials, and expert knowledge. (§ 4.4.1 ¶ 4(c), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Threats relating to exploitation of information should be mitigated by marking sensitive information (e.g., using digital watermarking or information hiding techniques) to help investigators follow the information flow and identify connections between different individuals or groups involved in an a… (CF.11.02.07b, The Standard of Good Practice for Information Security)
  • Threats relating to exploitation of information should be mitigated by marking sensitive information (e.g., using digital watermarking or information hiding techniques) to help investigators follow the information flow and identify connections between different individuals or groups involved in an a… (CF.11.02.07b, The Standard of Good Practice for Information Security, 2013)
  • Verify that the application monitors for unusual events or activity from a business logic perspective. For example, attempts to perform actions out of order or actions which a normal user would never attempt. (11.1.7, Application Security Verification Standard 4.0.3, 4.0.3)
  • Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies. (LOG-05, Cloud Controls Matrix, v4.0)
  • react to the nonconformity, and as applicable: (§ 10.1 ¶ 1 a), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • react in a timely manner to the incident or nonconformity and, as applicable: (§ 10.2 ¶ 2 a), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • react to the nonconformity or incident, and, as applicable: (Section 10.1 ¶ 1(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • react to the nonconformity, and as applicable: (§ 10.2 ¶ 1 a), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization's controls include monitoring and detection of anomalous activities and potential cybersecurity events across the organization's physical environment and infrastructure, including unauthorized physical access to high-risk or confidential systems. (DE.CM-2.1, CRI Profile, v1.2)
  • The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. (DE.CM-3.1, CRI Profile, v1.2)
  • The network is monitored to detect potential cybersecurity events. (DE.CM-1, CRI Profile, v1.2)
  • The physical environment is monitored to detect potential cybersecurity events. (DE.CM-2, CRI Profile, v1.2)
  • The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. (DE.CM-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization's controls include monitoring and detection of anomalous activities and potential cybersecurity events across the organization's physical environment and infrastructure, including unauthorized physical access to high-risk or confidential systems. (DE.CM-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Your firm's Identity Theft Prevention Plan must address how, in connection with opening and maintenance of its covered accounts, it will detect the Red Flags it identified. (§ V., FTC FACT Act Red Flags Rule Template, July 1, 2009)
  • Is there an incident identification process? (§ J.1.2.11, Shared Assessments Standardized Information Gathering Questionnaire - J. Incident Event and Communications Management, 7.0)
  • Does the incident response plan include actions to be taken in the event of an information security event? (§ J.1.2.7, Shared Assessments Standardized Information Gathering Questionnaire - J. Incident Event and Communications Management, 7.0)
  • Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts. (Appendix A-III. ¶ 1 (b), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • Monitoring a covered account for evidence of identity theft; (Appendix A-IV. ¶ 1 (a), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • Not attempting to collect on a covered account or not selling a covered account to a debt collector; (Appendix A-IV. ¶ 1 (g), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • procedures for detecting, reporting, and responding to security incidents, which— (§ 3554(b)(7), Federal Information Security Modernization Act of 2014)
  • Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions. (SI.5.222, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Security and monitoring processes to analyze data traffic and detect anomalous activity. (V Action Summary ¶ 2 Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implements security and monitoring throughout the entity's network, analyzes incoming and outgoing data traffic, and alerts authorized personnel if anomalous activity is detected. Additionally, determine whether the following security and monitoring mitigation strategies are in place: (App A Objective 13:3h, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Monitors for anomalous database activities. (App A Objective 3:6h Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Assess whether the institution regularly updates hot card or customer suspect lists and distributes them to branch banking locations. (App A Tier 2 Objectives and Procedures G.8, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Layered security controls should include processes designed to detect anomalies and effectively respond to suspicious or anomalous activity related to: (Detect and Respond to Suspicious Activity ¶ 1, Supplement to Authentication in an Internet Banking Environment)
  • initiation of electronic transactions involving the transfer of funds to other parties. (Detect and Respond to Suspicious Activity ¶ 1 Bullet 2, Supplement to Authentication in an Internet Banking Environment)
  • The Identity Theft Prevention Program must include reasonable policies and procedures to respond to all detected Red Flags to prevent and mitigate identity theft. The financial institution or creditor should consider aggravating factors that may heighten identity theft risk when determining a respon… (§ 41.90(d)(2)(iii), § 222.90(d)(2)(iii), § 334.90(d)(2)(iii), § 571.90(d)(2)(iii), § 681.2(d)(2)(iii), § 717.90(d)(2)(iii), Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007)
  • Indicates that information security responsibilities should be clearly assigned. Responsibilities to ensure the assigning of include information resource owners and users, information resources management and data processing personnel, senior management and security administrators. (SP-3.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Suspicious Activity Report. A credit union must file a report if it knows, suspects, or has reason to suspect that any crime or any suspicious transaction related to money laundering activity or a violation of the Bank Secrecy Act has occurred. For the purposes of this paragraph (c) credit union mea… (§ 748.1 (c), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Reportable activity. Transaction for purposes of this paragraph means a deposit, withdrawal, transfer between accounts, exchange of currency, loan, extension of credit, purchase or sale of any stock, bond, share certificate, or other monetary instrument or investment security, or any other payment, … (§ 748.1 (c)(1), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Transactions aggregating $5,000 or more where a suspect can be identified. Whenever the credit union detects any known or suspected Federal criminal violation, or pattern of criminal violations, committed or attempted against the credit union or involving a transaction or transactions conducted thro… (§ 748.1 (c)(1)(ii), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Transactions aggregating $25,000 or more regardless of potential suspects. Whenever the credit union detects any known or suspected Federal criminal violation, or pattern of criminal violations, committed or attempted against the credit union or involving a transaction or transactions conducted thro… (§ 748.1 (c)(1)(iii), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Insider abuse involving any amount. Whenever the credit union detects any known or suspected Federal criminal violations, or pattern of criminal violations, committed or attempted against the credit union or involving a transaction or transactions conducted through the credit union, where the credit… (§ 748.1 (c)(1)(i), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Identify and respond to each suspected security incident. (§ 4.6.3 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The cyber security program must be able to implement security controls to protect the assets in section 73.54(b)(1) from cyber attacks. (§ 73.54(c)(1), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)
  • If your assessment leads you to reasonably believe that notice-triggering information was acquired by an unauthorized person, implement your notification plan. (Part III Whom to Notify, California OPP Recommended Practices on Notification of Security Breach, May 2008)
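Several of the authority documents above share one operational shape: read security audit logs as events arrive, flag activity outside the expected pattern as it occurs (CCM LOG-05, PCI DSS A3.5.1), and hand each finding to a defined reaction step that escalates to the right people (MAS TRM §12.2.6, ISM control 0790). The following is an added illustration of that detect-and-react loop and is not code from this control, from any of the cited documents, or from any vendor product. The sshd-style log lines are constructed for the example, and the regex, the thresholds (five failures per source within sixty seconds, 08:00 to 18:59 as expected login hours) and the escalate() hook are assumptions chosen for illustration; a real deployment would tune the baseline to observed behaviour and wire escalate() to its paging, ticketing or blocking mechanism.

```python
"""Added example: a minimal detect-and-escalate loop over constructed auth logs.

Detection rules (all thresholds are assumptions for illustration):
  auth_burst           - FAIL_THRESHOLD failures from one (user, source) inside WINDOW
  success_after_burst  - a successful login from a source that just produced a burst
  off_hours_login      - a successful login outside BUSINESS_HOURS
Each finding is passed to escalate(), the 'react' half of the control.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (simplified sshd style); not taken from any real system.
SAMPLE_LOG = """\
2024-05-01T02:10:01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T02:10:03 sshd: Failed password for alice from 203.0.113.7
2024-05-01T02:10:05 sshd: Failed password for alice from 203.0.113.7
2024-05-01T02:10:06 sshd: Failed password for alice from 203.0.113.7
2024-05-01T02:10:08 sshd: Failed password for alice from 203.0.113.7
2024-05-01T02:10:20 sshd: Accepted password for alice from 203.0.113.7
2024-05-01T09:15:00 sshd: Accepted password for bob from 198.51.100.5
2024-05-01T09:16:00 sshd: Failed password for bob from 198.51.100.5
2024-05-01T11:00:00 sshd: Accepted password for bob from 198.51.100.5
"""

# Assumed log format; real sshd lines carry more fields and vary by distribution.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

FAIL_THRESHOLD = 5             # assumed: failures per (user, source) that count as a burst
WINDOW = timedelta(seconds=60)  # assumed: sliding window for counting failures
BUSINESS_HOURS = range(8, 19)   # assumed: 08:00-18:59 is the expected login pattern


def parse(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines):
    """Return (rule, user, ip, ts) findings in log order, evaluated as each event is read."""
    recent_fails = defaultdict(deque)   # (user, ip) -> timestamps of failures inside WINDOW
    alerted_burst = set()               # (user, ip) pairs already reported as a burst
    findings = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        key = (ev["user"], ev["ip"])
        q = recent_fails[key]
        while q and ev["ts"] - q[0] > WINDOW:   # age out failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and key not in alerted_burst:
                alerted_burst.add(key)
                findings.append(("auth_burst", ev["user"], ev["ip"], ev["ts"]))
        else:
            if key in alerted_burst:   # success right after a burst: credential likely guessed
                findings.append(("success_after_burst", ev["user"], ev["ip"], ev["ts"]))
            if ev["ts"].hour not in BUSINESS_HOURS:
                findings.append(("off_hours_login", ev["user"], ev["ip"], ev["ts"]))
    return findings


def escalate(finding):
    """Reaction step: build the record a responder or ticketing system would receive.
    Hypothetical hook; a deployment would page on-call, open a ticket or block the source here."""
    rule, user, ip, ts = finding
    severity = {"success_after_burst": "high", "auth_burst": "medium", "off_hours_login": "low"}[rule]
    return {"rule": rule, "severity": severity, "user": user, "source": ip, "at": ts.isoformat()}


def run(log_text=SAMPLE_LOG):
    """Detect over the log text and escalate every finding; returns the escalation records."""
    return [escalate(f) for f in detect(log_text.splitlines())]


if __name__ == "__main__":
    for record in run():
        print(record)
```

On the constructed sample the loop raises three findings, all for alice from 203.0.113.7: the burst itself on the fifth failure, the accepted login that follows it (rated high, since a success after a burst is the case the responder most needs to see first), and the off-hours login. Bob's single failure during business hours stays below threshold and produces nothing, which is the point of keeping a baseline: the reaction step fires on deviation from the expected pattern, not on every failed password.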