Back

Configure the Intrusion Detection System and Intrusion Prevention System in accordance with organizational standards.


CONTROL ID
04831
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Enable historical logging on the Intrusion Detection System and Intrusion Prevention System., CC ID: 04836
  • Configure the Intrusion Detection System and the Intrusion Prevention System to detect rogue devices and unauthorized connections., CC ID: 04837
  • Configure the Intrusion Detection System and the Intrusion Prevention System to alert upon finding rogue devices and unauthorized connections., CC ID: 07062


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Intrusion Detection and Prevention System (IDS and IPS) - IPS products that have detection capabilities should be fully used during an incident to limit any further impact on the organization. IDS and IPS products are often the primary source of information leading to the identification of an attack… (Critical components of information security 17) xvi.b., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Are Intrusion Detection Systems appropriately configured for system anomalies, file and data problems, and aberrant usage? (Table Row VII.5, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is the Intrusion Detection System set up in a redundant and/or load sharing fashion? (Table Row VII.17, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Examine Intrusion Detection System and Intrusion Prevention System configurations and confirm these devices are configured, maintained, and updated per vendor instructions to ensure optimal protection. (§ 11.4.c, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine IDS/IPS configurations and confirm IDS/IPS devices are configured, maintained, and updated per vendor instructions to ensure optimal protection. (§ 11.4.c Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Examine system configurations and vendor documentation to verify intrusion-detection and/or intrusion-prevention techniques are configured to keep all engines, baselines, and signatures up to date. (11.5.1.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Intrusion detection mechanisms should identify unplanned termination of processes or applications. (CF.10.06.03a, The Standard of Good Practice for Information Security)
  • Intrusion detection mechanisms should be configured to protect the Intrusion Detection Software against attack (e.g., by hiding the presence of Intrusion Detection Software). (CF.10.06.04c, The Standard of Good Practice for Information Security)
  • Intrusion detection mechanisms should identify unplanned termination of processes or applications. (CF.10.06.03a, The Standard of Good Practice for Information Security, 2013)
  • Intrusion detection mechanisms should be configured to protect the Intrusion Detection Software against attack (e.g., by hiding the presence of Intrusion Detection Software). (CF.10.06.04c, The Standard of Good Practice for Information Security, 2013)
  • Use intrusion detection signatures to block traffic at network boundaries. (M1031 Network Intrusion Prevention, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • NAC solutions can be configured to work in conjunction with pre-existing security technologies to provide post-connect NAC. Alerts from systems (such as IDS) and vulnerability scanners can trigger the NAC system to revoke access previously granted to an endpoint or a user. (§ 3.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1)
  • The Information Assurance Officer or Network Intrusion Detection System administrator, for all monitored all medical device segments, will ensure an Network Intrusion Detection System is install and operating in promiscuous mode. (§ 4.5.3 (MED0310: CAT II), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms]. (SI-4(10) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Can the Intrusion Detection System determine which policy level is running at all sensors, if it is deployed automatically? (IT - IDS IPS Q 23b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Have Information Security tools been activated to record and report the security incidents defined in the information security policy? (IT - Security Program Q 23, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms]. (SI-4(10) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • The biometric system SHOULD implement PAD. Testing of the biometric system to be deployed SHOULD demonstrate at least 90% resistance to presentation attacks for each relevant attack type (i.e., species), where resistance is defined as the number of thwarted presentation attacks divided by the number… (5.2.3 ¶ 7, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The Information System should prevent non-privileged users from bypassing the intrusion detection and prevention mechanisms. (App F § SI-4(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should ensure encrypted traffic is visible to the system monitoring tools. (App F § SI-4(10), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization makes provisions so that {organizationally documented encrypted communications traffic} is visible to {organizationally documented information system monitoring tools}. (SI-4(10), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools]. (SI-4(10) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms]. (SI-4(10) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms]. (SI-4(10) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)