
Establish, implement, and maintain logging and monitoring operations.


CONTROL ID: 00637
CONTROL TYPE: Log Management
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain an audit and accountability policy., CC ID: 14035
  • Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs., CC ID: 06312
  • Monitor and evaluate system telemetry data., CC ID: 14929
  • Establish, implement, and maintain an intrusion detection and prevention program., CC ID: 15211
  • Establish, implement, and maintain intrusion management operations., CC ID: 00580
  • Define and assign log management roles and responsibilities., CC ID: 06311
  • Document and communicate the log locations to the owning entity., CC ID: 12047
  • Make logs available for review by the owning entity., CC ID: 12046
  • Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information., CC ID: 00638
  • Monitor and evaluate system performance., CC ID: 00651
  • Monitor for and react to when suspicious activities are detected., CC ID: 00586
  • Establish, implement, and maintain network monitoring operations., CC ID: 16444
  • Monitor and evaluate the effectiveness of detection tools., CC ID: 13505
  • Monitor and review retail payment activities, as necessary., CC ID: 13541
  • Assess customer satisfaction., CC ID: 00652
  • Establish, implement, and maintain a continuous monitoring program for configuration management., CC ID: 06757


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The key risks and performance indicators should be monitored regularly to ensure the internal controls are effective. (¶ 3.2.4, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • AIs should establish a systematic monitoring process (such as subscribing to reputable sources for online security news/alerts including information relating to latest attack techniques; documenting the monitoring and analysis works performed, etc.) to closely monitor emergent security threats that … (§ 5.4.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should establish a systematic monitoring process to closely monitor emergent security threats that are relevant to their Internet infrastructure, application systems and other relevant system components and operations. (§ 5.4.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • To confirm and control the safety, reliability, effectiveness, efficiency, resources, etc. of an information system, the organization must develop a monitoring framework for system operations. This is a control item that constitutes a greater risk to financial information. This is an IT general cont… (App 2-1 Item Number IV.2(15), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O18.5: The organization shall monitor the system for the use of special IDs for privileged access. O52: The organization shall define procedures for monitoring transactions. O60: The organization shall establish a monitoring system and determine the procedures for monitoring and the items to monitor… (O18.5, O52, O60, T20, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In some cases, depending on the structure of the computer center and the operational requirements for the central control and monitoring station, the functions of the central control and monitoring station are shared by several rooms or stations such as a central monitoring room to control the power… (F81.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For accountability purposes, a bank should ensure that users and IT assets are uniquely identified and their actions are auditable. (Critical components of information security 5) (viii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • It is important that controls are implemented to maintain traceability and integrity for all software codes that are moved between IT environments. (§ 7.6.2, Technology Risk Management Guidelines, January 2021)
  • The organization should ensure that Information Systems monitoring activities are performed on accredited systems. (Control: 0086, Australian Government Information Security Manual: Controls)
  • The organization must develop a hardened Standard Operating Environment for servers and workstations that includes configuring remote logging or transferring local log events to a central server. (Control: 0380 Bullet 7, Australian Government Information Security Manual: Controls)
  • The organization should establish and maintain an access register that records the accounting activities of the cryptographic system. (Control: 1005 Bullet 4, Australian Government Information Security Manual: Controls)
  • The organization should establish and maintain an access register that records the Audit activities of the cryptographic system. (Control: 1005 Bullet 5, Australian Government Information Security Manual: Controls)
  • The organization should monitor and maintain an audit log of all access to Information Technology assets. (¶ 44(g), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should implement a monitoring process for identifying events and unusual behavior patterns. (¶ 65, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should include customer profiling and environmental profiling in the monitoring process. (¶ 66(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • A regulated institution would normally have monitoring processes in place to identify events and unusual patterns of behaviour that could impact on the security of IT assets. The strength of the monitoring controls would typically be commensurate with the criticality and sensitivity of an IT asset. … (¶ 65, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • environment and customer profiling; (¶ 66(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The organization should develop, implement, and maintain procedures to detect potential security incidents by implementing auditing on all systems. The auditing requirements should include a list of events to be logged; how to protect the audit log; back-up procedures; the auditing schedule; what ac… (§ 2.8.17, § 3.5.47, § 3.7.12, § 3.7.26, Australian Government ICT Security Manual (ACSI 33))
  • Regular monitoring and auditing of the record keeping system to assess its performance is called for. (§ G.4.1.5, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • Financial institutions should implement logging and monitoring procedures for critical ICT operations to allow the detection, analysis and correction of errors. (3.5 52, Final Report EBA Guidelines on ICT and security risk management)
  • ICT performance and capacity planning and monitoring solutions for critical ICT systems and services with defined availability requirements, to detect important performance and capacity constraints in a timely manner; (Title 3 3.3.4(a) 54.b(vii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the institution has implemented a process and underlying procedures for the identification (e.g. 'risk control self-assessments' (RCSA), risk scenario analysis) and monitoring of the involved material ICT risks; and (Title 3 3.3.1 49.c, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • user and administrative activity logging to enable effective monitoring and the timely detection and response to unauthorised activity; to assist in or to conduct forensic investigations of security incidents. The institution should have in place logging policies that define appropriate types of log… (Title 3 3.3.4(b) 55.e, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • fully understand the capacities and limitations of the high-risk AI system and be able to duly monitor its operation, so that signs of anomalies, dysfunctions and unexpected performance can be detected and addressed as soon as possible; (Article 14 4(a), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • High-risk AI systems shall be designed and developed with capabilities enabling the automatic recording of events ('logs') while the high-risk AI system is operating. Those logging capabilities shall conform to recognised standards or common specifications. (Article 12 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • monitoring, auditing and testing; (Art. 16.1(d), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • With regard to using the network plan for the structure analysis, the next step entails comparing the existing network plan (or partial plans, if the overall plan has been divided into smaller sections to make it easier to read) with the actual existing IT structure and if necessary updating it to r… (§ 8.1.4 Subsection 1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Ensuring proper regular operations including appropriate safeguards for planning and monitoring the capacity, protection against malware, logging and monitoring events as well as handling vulnerabilities, malfunctions and errors. (Section 5.6 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • The generated logs are stored on central logging servers on which they are protected against unauthorised access and changes. Logged data must be deleted immediately once they are no longer required to fulfill the purpose. Authentication takes place between the logging servers and the logged assets i… (Section 5.6 RB-13 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The processing and sharing of information in business and service processes is supported by data-processing IT systems and related IT processes. The scope and quality thereof shall be based, in particular, on the institution's internal operating needs, business activities and risk situation (see AT … (II.3.8, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The IT systems used are assessed regarding the necessity of logging. (5.2.4 Requirements (must) Bullet 3, Information Security Assessment, Version 5.1)
  • The organization must implement a suitable monitoring and reporting system. (¶ II.1.3, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • (¶ 21, ¶ 22, ¶ 27, Turnbull Guidance on Internal Control, UK FRC, October 2005)
  • The purpose of the monitoring and event management practice is to systematically observe services and service components, and record and report selected changes of state identified as events. This practice identifies and prioritizes infrastructure, services, business processes, and information secur… (5.2.7 ¶ 1, ITIL Foundation, 4 Edition)
  • The organization should implement an effective monitoring process. Monitoring should occur on a regular basis. (¶ 26, Principle 5, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • The OECD Risk Checklist calls for identification, monitoring, measuring, and control of electronic security risks. (§ I.14, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization conduct 24x7 monitoring and intrusion detection as a part of the cyber intelligence gathering? (Table Row III.5, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization keep logs of any honeypot activity? (Table Row VII.24, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Logs are a valuable resource when tracking security incidents. Logging should be enabled on all systems. By default, the logs are located in /var/log. The following line should be added to the /etc/syslog.conf file: @your.log.host (your.log.host is the name of the log server) to enable the logging o… (§ 2.11, The Center for Internet Security Mac OS X Tiger Level I Security Benchmark, 1)
  • The Server Security report and the Server Settings report should be reviewed periodically to monitor the status of the servers. (§ 3.6, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • Logging and monitoring procedures should be implemented for each element of the processing stage. (¶ 21.12 Bullet 2, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization should consider having the system create a complete record (an audit trail) of all entries and corrections. (¶ 10, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subs… (DS5.5 Security Testing, Surveillance and Monitoring, CobiT, Version 4.1)
  • Establish a general monitoring framework and approach to define the scope, methodology and process to be followed for measuring IT's solution and service delivery, and monitor IT's contribution to the business. Integrate the framework with the corporate performance management system. (ME1.1 Monitoring Approach, CobiT, Version 4.1)
  • Define and implement procedures to monitor the IT infrastructure and related events. Ensure that sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or su… (DS13.3 IT Infrastructure Monitoring, CobiT, Version 4.1)
  • Embedded devices shall provide active monitoring of the device's diagnostic and test interface(s) and generate an audit log entry when attempts to access these interface(s) are detected. (13.3.3 (1) ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • How is physical media inventoried, secured, monitored, and tracked? (Appendix D, Implement Strong Access Control Measures Bullet 16, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment. (§ A.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Implement audit trails to link all access to system components to each individual user. (10.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Implement audit trails to link all access to system components to each individual user. (10.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement audit trails to link all access to system components to each individual user. (10.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are audit trails enabled and active for system components? (10.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Track and monitor all access to network resources and cardholder data (Requirement 10:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Verify, through observation and interviewing the system administrator, that: - Audit trails are enabled and active for system components. - Access to system components is linked to individual users. (10.1, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • § 4.3.1.A Use a centrally controlled wireless Intrusion Detection System/Intrusion Prevention System (IDS/IPS) to monitor for unauthorized access and detect rogues and misconfigured wireless devices. § 4.3.1.F Add processes and policies that will regularly read and act on the data provided by the … (§ 4.3.1.A, § 4.3.1.F, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Payment activities must have an automated audit trail for tracking and monitoring access to the application. (§ 4.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Are security policies and operational procedures for monitoring all access to network resources and cardholder data documented, in use, and known to all affected parties? (PCI DSS Question 10.8, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are security policies and operational procedures for monitoring all access to network resources and cardholder data documented, in use, and known to all affected parties? (PCI DSS Question 10.8, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Continuous monitoring is a process for ensuring the policies, procedures, and business processes are operating effectively and includes the following principles: defining the control points; identifying the control objectives and ass… (§ 4 (Continuous Monitoring) ¶ 1, § 4 (Continuous Auditing) ¶ 3, § 5 ¶ 3, § 6 (Manage and Report Results) ¶ 1, IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • Security risks should be managed effectively. One type of security risk that should be addressed is logical access controls to applications. Key logical access control considerations include auditing the processes and technology used for preventing unauthorized access to client records. (§ 5.2 (Logical Access), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Entitlement repositories track privileges that are granted to users and records all access requests, approvals, start dates and end dates, and details about specific access. The stored data can be used for performing user entitlement reviews, auditing access, and determining if access activities wer… (§ 3.4.5 ¶ 1, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • There should be documented standards / procedures for instant messaging services (i.e., the application and supporting infrastructure) which includes details of any monitoring activities to be performed. (CF.15.02.02d, The Standard of Good Practice for Information Security)
  • Reliable security event logs should be established (e.g., to store messages about system crashes, unsuccessful log-in of authorised users, and unsuccessful changes to access privileges), which are supported by documented standards / procedures. (CF.10.04.01, The Standard of Good Practice for Information Security)
  • Security event log management should include setting policy. (CF.10.04.03-1, The Standard of Good Practice for Information Security)
  • Security event logging should be performed on systems that have experienced a major information security incident. (CF.10.04.04b, The Standard of Good Practice for Information Security)
  • The performance of business applications, Information Systems, and networks should be monitored using automated monitoring software. (CF.10.05.01c, The Standard of Good Practice for Information Security)
  • Computer, network, and telecommunications equipment (including network routers and switches, and in-house telephone exchanges) should have a control and monitoring facility capable of providing management reports. (CF.07.01.04c, The Standard of Good Practice for Information Security)
  • Servers should be subject to standard security management practices, which includes monitoring them (e.g., using Simple Network Management Protocol) so that events such as hardware failure and attacks against them can be detected and responded to effectively. (CF.07.02.06e, The Standard of Good Practice for Information Security)
  • There shall be documented standards / procedures for the provision and use of e-mail, which includes details of any monitoring activities to be performed. (CF.15.01.02g, The Standard of Good Practice for Information Security)
  • The activities of individuals running business applications, Information Systems, or networks should be monitored (e.g., by providing supervision, recording activities, and maintaining audit trails). (CF.02.05.08, The Standard of Good Practice for Information Security)
  • The Digital Rights Management system should protect sensitive information by recording any changes that take place in case a future investigation is required. (CF.08.08.04d, The Standard of Good Practice for Information Security)
  • Information Systems and networks accessible by external connections should log activity (e.g., to help track individual transactions and enforce accountability). (CF.09.03.03d, The Standard of Good Practice for Information Security)
  • Web proxy servers (sometimes referred to as Internet gateways or web gateways) should be deployed and configured to record details about web content being accessed by portable devices (e.g., in the event the information is required during an investigation). (CF.14.03.08d, The Standard of Good Practice for Information Security)
  • Critical business applications and underlying technical infrastructure should be protected against targeted attacks that may disrupt business processes by increasing monitoring activity for critical business applications to help prevent, detect, or delay disruptive activity when it occurs (e.g., Den… (CF.20.03.10c, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for instant messaging services (i.e., the application and supporting infrastructure) which includes details of any monitoring activities to be performed. (CF.15.02.02d, The Standard of Good Practice for Information Security, 2013)
  • Reliable security event logs should be established (e.g., to store messages about system crashes, unsuccessful log-in of authorised users, and unsuccessful changes to access privileges), which are supported by documented standards / procedures. (CF.10.04.01, The Standard of Good Practice for Information Security, 2013)
  • Security event log management should include setting policy. (CF.10.04.03-1, The Standard of Good Practice for Information Security, 2013)
  • Security event logging should be performed on systems that have experienced a major information security incident. (CF.10.04.04b, The Standard of Good Practice for Information Security, 2013)
  • The performance of business applications, Information Systems, and networks should be monitored using automated monitoring software. (CF.10.05.01c, The Standard of Good Practice for Information Security, 2013)
  • Computer, network, and telecommunications equipment (including network routers and switches, and in-house telephone exchanges) should have a control and monitoring facility capable of providing management reports. (CF.07.01.04c, The Standard of Good Practice for Information Security, 2013)
  • There shall be documented standards / procedures for the provision and use of e-mail, which includes details of any monitoring activities to be performed. (CF.15.01.02g, The Standard of Good Practice for Information Security, 2013)
  • The activities of individuals running business applications, Information Systems, or networks should be monitored (e.g., by providing supervision, recording activities, and maintaining audit trails). (CF.02.05.08, The Standard of Good Practice for Information Security, 2013)
  • The Digital Rights Management system should protect sensitive information by recording any changes that take place in case a future investigation is required. (CF.08.08.04d, The Standard of Good Practice for Information Security, 2013)
  • Information Systems and networks accessible by external connections should log activity (e.g., to help track individual transactions and enforce accountability). (CF.09.03.03d, The Standard of Good Practice for Information Security, 2013)
  • Web proxy servers (sometimes referred to as Internet gateways or web gateways) should be deployed and configured to record details about web content being accessed by portable devices (e.g., in the event the information is required during an investigation). (CF.14.03.08d, The Standard of Good Practice for Information Security, 2013)
  • Critical business applications and underlying technical infrastructure should be protected against targeted attacks that may disrupt business processes by increasing monitoring activity for critical business applications to help prevent, detect, or delay disruptive activity when it occurs (e.g., Den… (CF.20.03.10c, The Standard of Good Practice for Information Security, 2013)
  • Servers should be subject to standard security management practices, which includes monitoring them (e.g., using Simple Network Management Protocol) so that events such as hardware failure and attacks against them can be detected and responded to effectively. (CF.07.02.09e, The Standard of Good Practice for Information Security, 2013)
  • The organization should establish and maintain an account monitoring and control program. (Critical Control 16, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should monitor the use of all accounts on a regular basis. (Critical Control 16.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring. Review and update the policies and procedures at least annually. (LOG-01, Cloud Controls Matrix, v4.0)
  • A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all software developed by the organization. (RM-03, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • A program for the systematic monitoring and evaluation to ensure that standards of quality are being met shall be established for all out sourced software development. (RM-04, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • The Risk Management plan shall include the monitoring requirements. (§ 4.3.5 ¶ 1(c), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • Monitoring requirements shall be a part of the medical Information Technology network Risk Management plan. (§ 4.6.1 ¶ 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • Maintenance. The majority of safeguards will require maintenance and administrative support to ensure their correct and appropriate functioning during their life. These activities (maintenance and administration) should be planned and performed on a regular scheduled basis. In this manner their over… (¶ 11.1, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • The organization shall capture organizational access information. (§ 6.2.4.3(d)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Service providers should ensure equipment and physical facilities are continuously monitored for availability. Outsourced service providers should ensure procedures have been implemented to monitor and log all logical access to computer systems on a 24x7 basis. (§ 6.14.10, § 7.5.6, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. (A.12.4.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Appropriate logging and monitoring of the network should be enabled to record all security-relevant events. The audit logs should be kept for a predetermined amount of time. The audit logs should include user IDs; date, time, and detail of the event; terminal identity or location; changes to system … (§ 10.6.1, § 10.10.1, § 10.10.2, ISO 27002 Code of practice for information security management, 2005)
  • The organization shall establish, implement and maintain a process(es) for monitoring, measurement, analysis and performance evaluation. (§ 9.1.1 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • the methods for monitoring, measurement, analysis and performance evaluation, as applicable, to ensure valid results; (§ 9.1.1 ¶ 2 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall monitor and review information about these external and internal issues (4.1 ¶ 2, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the availability and use of suitable monitoring and measuring resources; (8.5.1 ¶ 2(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall ensure that its monitoring and measurement enables it to meet the requirements of 4.2. (Section 9.1 ¶ 5, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • when the results from monitoring and measurement shall be analysed and evaluated. (Section 9.1 ¶ 1(d), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. (§ 12.4.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • necessary improvements of monitoring and measurement activities. (§ 9.3 Guidance ¶ 6(l), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Develop and implement an organization-wide strategy for continuously monitoring control effectiveness. (TASK P-7, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Begin establishing metrics and monitoring and evaluation systems to assess the effectiveness and impact of planned measures (Pillar 1 Step 1 Action 4, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. (Security Continuous Monitoring (DE.CM), CRI Profile, v1.2)
  • The organization implements systematic and real-time logging, monitoring, detecting, and alerting measures across multiple layers of the organization's infrastructure (covering physical perimeters, network, operating systems, applications and data). (DE.CM-1.2, CRI Profile, v1.2)
  • The organization establishes a systematic and comprehensive program to periodically evaluate and improve the monitoring and detection processes and controls, as well as incorporate the lessons learned, as the threat landscape evolves. (DE.DP-5.1, CRI Profile, v1.2)
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy. (PR.PT-1, CRI Profile, v1.2)
  • The organization implements systematic and real-time logging, monitoring, detecting, and alerting measures across multiple layers of the organization's infrastructure (covering physical perimeters, network, operating systems, applications and data). (DE.CM-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization establishes a systematic and comprehensive program to periodically evaluate and improve the monitoring and detection processes and controls, as well as incorporate the lessons learned, as the threat landscape evolves. (DE.DP-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • controls over data loss prevention, access provisioning and deprovisioning, user identification and authentication, data destruction, system event monitoring and detection, and backup procedures (¶ 3.59 Bullet 9 Sub-Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Often the service organization's system of internal control includes monitoring activities and system reports for management that permit management to continuously or periodically monitor the operating effectiveness of controls. Management may also make use of internal audit evaluations as part of i… (¶ 2.119, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Management's basis for its assertion usually relies heavily on monitoring of controls. Such monitoring activities typically include ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are ordinarily built into the normal recurring activities of the se… (¶ 2.52, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • § 314.97 The auditor should examine the tools the organization uses to monitor internal controls over financial reporting. § 314.98, § 314.99 The organization should maintain monitoring on an ongoing basis, including ensuring the controls are functioning as intended and modified when there are ch… (§ 314.97, § 314.98, § 314.99, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • Management's basis for its assertion usually relies heavily on monitoring of controls. Such monitoring activities typically include ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are ordinarily built into the normal recurring activities of the se… (¶ 2.60, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management generally documents the performance of monitoring activities, which permits the service auditor to inspect the documentation as part of obtaining an understanding of the effectiveness of controls within the system. (¶ 2.121, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Reading policy and procedure manuals, system documentation, flowcharts, narratives, asset management records, and other system documentation to understand IT policies and procedures and controls over data loss prevention, access provisioning and deprovisioning, user identification and authentication… (¶ 3.50 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The organization must implement and monitor the status of event and activity logging controls. (§ 15.e, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • When Windows Internet Information Services is used for web services, is logging configured to support incident investigation? (§ G.21.2.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When Apache is used for web services, is logging configured to support incident investigation? (§ G.21.3.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • CSR 1.4.1(2): As part of the personnel security program, the organization must maintain a record of access authorizations. CSR 2.1: The organization shall maintain audit trails and logs. CSR 3.1.4: The organization must monitor and review systems programmers' activities. (CSR 1.4.1(2), CSR 2.1, CSR 3.1.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Establish an audit log for MFD and print spoolers. Audit log to contain user, key operator and administrator codes and passwords, and enabled features and services. Any deviation from the baseline should be treated as a potential security incident. Ensure operational security controls are in place t… (MFD06.006, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3)
  • Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (AU.L2-3.3.1 System Auditing, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The online monitoring and audit trail creation capability must have a user-configurable capability that automatically disables the system when a serious Information Assurance violation is detected. (ECAT-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The system must have auditing or other technical measures implemented to ensure the network device controls are not compromised. (ECND-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Software, hardware, and/or procedural mechanisms shall be implemented to record and examine information systems activity on systems that use or contain electronic protected health information. (§ 164.312(b), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Logging practices are independently reviewed periodically to ensure appropriate log management (e.g., access controls, retention, and maintenance). (Domain 1: Assessment Factor: Risk Management, AUDIT Baseline 3 ¶ 3, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Determine whether management implements processes to monitor IT operations and periodically reports on the effectiveness of established controls to senior management and other stakeholders. Evaluate the following: (App A Objective 17:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Monitoring of network, host, and application activity. (App A Objective 8.1.h, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Logs access and events, defines alerts for significant events, and develops processes to monitor and respond to anomalies and alerts. (App A Objective 6.22.f, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • System use and planning reports prepared by operating managers. (App A Objective 3:5 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • A risk monitoring and reporting process to monitor changing risk levels and report the results of the process to the board and senior management. (App A Objective 9:2 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The process and results are effective. (App A Objective 3:6 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Transaction files are maintained for all operating and application system messages, including commands entered by users and operators at terminals, or at PCs; (TIER II OBJECTIVES AND PROCEDURES D.1. Bullet 6, FFIEC IT Examination Handbook - Audit, April 2012)
  • Activity reporting, monitoring, and reconcilement are conducted daily, or more frequently based upon activity; (TIER II OBJECTIVES AND PROCEDURES E.1. Bullet 6, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitorin… (Exam Tier I Obj 2.1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (Obj 2.4, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Senior management should oversee and monitor all internal controls. (Pg 26, FFIEC IT Examination Handbook - Management)
  • Obtain and review the financial institution's policies and procedures for RDC. Assess whether they define the function, responsibilities, operational controls, vendor management, customer due diligence, BSA/AML compliance monitoring, and reporting functions, etc. Identify the date they were last rev… (App A Tier 2 Objectives and Procedures N.9 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Operational risk mitigation: Review whether management controls include the following: risk management; transaction monitoring and geolocation tools; fraud prevention, detection, and response programs; additional controls (e.g., stronger authentication and encryption); authentication and authorizati… (AppE.7 Objective 5:4 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The hardware and software should be configured to support effective monitoring. Applications should have the capability to produce audit trails in enough detail to allow analysis and/or investigation of specific transactions. (Pg 20, Exam Tier II Obj 12.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Calls for the construction of efficient tests, taking into consideration the nature, timing, and extent of the tests to be performed. (§ 260.48, GAO/PCIE Financial Audit Manual (FAM))
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; (CA-7b., FedRAMP Security Controls High Baseline, Version 5)
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; (CA-7b., FedRAMP Security Controls Low Baseline, Version 5)
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; (CA-7b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must develop, document, distribute, and continuously update an audit and accountability policy and procedures for implementing auditing security controls. (§ 5.6.2, Exhibit 4 AU-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the system track employee Internet usage and Internet traffic? (IT - General Q 28, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the written website operating policy include website monitoring requirements? (IT - Web Site Review Q 1d, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.15.1 Bullet 1: Implement the appropriate audit controls for information systems that contain or use ePHI based on the covered entity's risk assessment and other organizational factors. § 4.15.2 Bullet 1: Evaluate the monitoring capabilities of existing systems and determine if any changes or u… (§ 4.15.1 Bullet 1, § 4.15.2 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; (CA-7b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; (CA-7b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; (CA-7b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; (CA-7b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Are developed and maintained; and (PM-14a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: (PM-31 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and (AU-14a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. (AU-14b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Are developed and maintained; and (PM-14a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: (PM-31 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Are developed and maintained; and (PM-14a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and (AU-14a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: (PM-31 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. (AU-14b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and (AU-14a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: (PM-31 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. (AU-14b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization should develop wireless security audit procedures and processes that should include the types of security events to capture and how to store the audit records. (Table 8-2 Item 17, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • The standard security label (SSL) implementation shall provide the ability to log all security relevant events and indicate the occurrence of security events. (§ 5 ¶ 2, FIPS Pub 188, Standard Security Label for Information Transfer)
  • The logging should be extensive enough that a detected event will be able to be traced throughout the system. (§ 2.2.6 ¶ 1, FIPS Pub 191, Guideline for the Analysis of Local Area Network (LAN) Security)
  • Calls for Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy (PR.PT-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy (PR.PT-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. (DE.CM Security Continuous Monitoring, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy. (PR.PT-1, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records, documents, and the system configuration should be examined to ensure audit records are being generated for all defined events, audit records are generated continuously, and specific responsibilities and actions are defined for the implementation of the auditable events contro… (AU-2, AU-2.2, CM-5(1), CM-5.8, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • An organization should define its requirements and goals for performing logging and then monitoring logs. (§ 4.2, Guide to Computer Security Log Management, NIST SP 800-92)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Are developed and maintained; and (PM-14a.1., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • System auditing utilities should be incorporated into new and existing ICS projects. These auditing utilities should be tested (e.g., off-line on a comparable ICS) before being deployed on an operational ICS. These tools can provide tangible records of evidence and system integrity. Additionally, ac… (§ 6.2.3 ICS-specific Recommendations and Guidance ¶ 6, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Gather information about networks through traditional and alternative techniques, (e.g., social network analysis, call-chaining, traffic analysis.) (T0706, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and facilitate data-gathering methods. (T0361, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure that continuous monitoring tools and technologies access control is managed adequately. (T0994, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Use non-automated assessment methods where the data from the continuous monitoring tools and technologies is not yet of adequate sufficiency or quality. (T0989, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Establish continuous monitoring configuration settings issues and coordination sub-group. (T1000, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify reporting requirements to support continuous monitoring activities. (T0969, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Sponsor and promote continuous monitoring within the organization. (T0967, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization. (CT.DM-P8, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must establish a continuous monitoring strategy and program, including conducting ongoing security requirements assessments. (SG.CA-6 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must coordinate the security audit function with other entities that require audit information to enhance mutual support and help select auditable events. (App F § AU-2.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Gather information about networks through traditional and alternative techniques, (e.g., social network analysis, call-chaining, traffic analysis.) (T0706, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Ensure that continuous monitoring tools and technologies access control is managed adequately. (T0994, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Use non-automated assessment methods where the data from the continuous monitoring tools and technologies is not yet of adequate sufficiency or quality. (T0989, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Use the continuous monitoring data to make information security investment decisions to address persistent issues. (T0983, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Use continuous monitoring tools to assess risk on an ongoing basis. (T1004, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Identify reporting requirements to support continuous monitoring activities. (T0969, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Sponsor and promote continuous monitoring within the organization. (T0967, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop and facilitate data-gathering methods. (T0361, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Are developed and maintained; and (PM-14a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Are developed and maintained; and (PM-14a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and (AU-14a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; (CA-7b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: (PM-31 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. (AU-14b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Are developed and maintained; and (PM-14a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and (AU-14a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; (CA-7b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: (PM-31 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. (AU-14b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Conduct Continuous Monitoring: The ultimate objective of continuous monitoring is to determine if the security controls in the information system continue to be effective over time in light of the inevitable changes that occur in the system as well as the environment in which the system operates. (§ 3.4.3.3, Security Considerations in the Information System Development Life Cycle, NIST SP 800-64, Revision 2)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The comprehensive information security program must include monitoring of the program on a regular basis to ensure its operation will prevent unauthorized use of or access to personal information. Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and… (§ 17.03(3)10, § 17.04(4), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)
  • The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity's Risk Assessment, designed to assess the effectiveness of the Covered Entity's cybersecurity program. The monitoring and testing shall include continuous monitorin… (§ 500.05 Penetration Testing and Vulnerability Assessments, New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b., TX-RAMP Security Controls Baseline Level 1)
  • Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; (CA-7b., TX-RAMP Security Controls Baseline Level 2)