Establish, implement, and maintain a continuous monitoring program for configuration management.
CONTROL ID
06757
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain logging and monitoring operations., CC ID: 00637

This Control has the following implementation support Control(s):
  • Include the correlation and analysis of information obtained during testing in the continuous monitoring program., CC ID: 14250
  • Establish, implement, and maintain an automated configuration monitoring system., CC ID: 07058
  • Monitor for and report when a software configuration is updated., CC ID: 06746
  • Monitor and evaluate user account activity., CC ID: 07066
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • AIs should pay attention to the resilience of critical technology equipment and facilities such as the Uninterruptible Power Supply (“UPS”) and the cooling systems. Such equipment and facilities should be subject to continuous monitoring and periodic maintenance and testing. This would reduce th… (4.4.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The network should be monitored on a continuous basis. This would reduce the likelihood of network traffic overload and detect network intrusions. Monitoring activities include: - monitoring network services and performance against pre-defined targets; - reviewing volumes of network traffic, utiliza… (6.1.4, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • environment and customer profiling; (¶ 66(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial entities, other than microenterprises, shall monitor relevant technological developments on a continuous basis, also with a view to understanding the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience. They shall keep … (Art. 13.7., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Information and records are required for the procedures for ongoing monitoring, including procedures that link the error reporting system and the deviation reports system with the change control procedures. (¶ 15.3 Bullet 3, Good Practices For Computerized systems In Regulated GXP Environments)
  • Ensure that the problem management system provides for adequate audit trail facilities that allow tracking, analysing and determining the root cause of all reported problems considering: - All associated configuration items - Outstanding problems and incidents - Known and suspected errors - Tracking… (DS10.2 Problem Tracking and Resolution, CobiT, Version 4.1)
  • Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. (CIS Control 5: Sub-Control 5.5 Implement Automated Configuration Monitoring Systems, CIS Controls, 7.1)
  • Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. (CIS Control 5: Sub-Control 5.5 Implement Automated Configuration Monitoring Systems, CIS Controls, V7)
  • At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. (§ 8.2.6 ¶ 4, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. (§ 8.9 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. (CC6.8 ¶ 2 Bullet 2 Detects Unauthorized Changes to Software and Configuration Parameters, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • A process is in place to select, implement, maintain, and monitor configuration parameters used to control the functionality of developed and acquired software. (CC8.1 ¶ 3 Bullet 6 Configures Software, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. (CC6.8 Detects Unauthorized Changes to Software and Configuration Parameters, Trust Services Criteria)
  • Processes are in place to detect changes to software and configuration parameters that may be indicative of unauthorized or malicious software. (CC6.8 ¶ 2 Bullet 2 Detects Unauthorized Changes to Software and Configuration Parameters, Trust Services Criteria, (includes March 2020 updates))
  • Regularly monitors for new or changed databases and reports on misconfigured or out-of-compliance databases. (App A Objective 3:6e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilitie… (§ 314.4 ¶ 1(d)(2), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: (PM-31 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Monitor enterprise information systems and environments of operation on an ongoing basis to verify compliance, determine the effectiveness of risk response measures, and identify changes. (Task 4-2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: (PM-31 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: (PM-31 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: (PM-31 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration. (T0100, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization may ensure that portable devices and mobile devices are properly secured and regularly scanned to verify their security status, if they are allowed to Access Personally Identifiable Information. (§ 4.3 Bullet Access Control for Mobile Devices (AC-19), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Organizations should automate compliance with container runtime configuration standards. Documented technical implementation guidance, such as the Center for Internet Security Docker Benchmark, provides details on options and recommended settings, but operationalizing this guidance depends on automa… (4.4.3 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • Monitor organizational information systems and environments of operation on an ongoing basis to verify compliance, determine effectiveness of risk response measures, and identify changes (Task 4-2, NIST SP 800-39, Managing Information Security Risk)
  • The organization must establish a continuous monitoring strategy and implement a continuous monitoring program that includes the Configuration Management process for the system and its components. (App F § CA-7.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish a continuous monitoring strategy and implement a continuous monitoring program that includes determining the security impact of changes to the system and the operational environment. (App F § CA-7.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish a continuous monitoring program which includes assessing security control effectiveness, ongoing incident event monitoring, implementing corrective actions, and reassessing security controls. (§ 3.4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Common controls must meet the same continuous monitoring requirements as the system-specific security controls must meet. (§ 2.3 ¶ 6, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must monitor the Information System connections continuously to verify the enforcement of the security requirements. (App F § CA-3.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish a continuous monitoring strategy and implement a continuous monitoring program that includes ongoing security control assessments. (App F § CA-7.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration. (T0100, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Monitor changes to a system and its environment of operation. (T0960, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of {organizationally documented metrics} to be monitored. (CA-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of {organizationally documented frequencies} for monitoring and {organizationally documented frequencies} for assessments supporting such monitoring. (CA-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. (CA-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. (CA-7d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. (CA-7e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. (CA-7f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to {organizationally documented personnel} {organizationally documented frequency}. (CA-7g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to {organizationally documented roles} {organizationally documented frequency}. (CA-7g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of {organizationally documented metrics} to be monitored. (CA-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of {organizationally documented frequencies} for monitoring and {organizationally documented frequencies} for assessments supporting such monitoring. (CA-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. (CA-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. (CA-7d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. (CA-7e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. (CA-7f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to {organizationally documented personnel} {organizationally documented frequency}. (CA-7g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to {organizationally documented roles} {organizationally documented frequency}. (CA-7g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of {organizationally documented metrics} to be monitored. (CA-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of {organizationally documented frequencies} for monitoring and {organizationally documented frequencies} for assessments supporting such monitoring. (CA-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. (CA-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. (CA-7d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. (CA-7e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. (CA-7f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to {organizationally documented personnel} {organizationally documented frequency}. (CA-7g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to {organizationally documented roles} {organizationally documented frequency}. (CA-7g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of {organizationally documented metrics} to be monitored. (CA-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of {organizationally documented frequencies} for monitoring and {organizationally documented frequencies} for assessments supporting such monitoring. (CA-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. (CA-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. (CA-7d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. (CA-7e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. (CA-7f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to {organizationally documented personnel} {organizationally documented frequency}. (CA-7g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to {organizationally documented roles} {organizationally documented frequency}. (CA-7g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: (PM-31 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: (PM-31 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Monitor organizational information systems and environments of operation on an ongoing basis to verify compliance, determine effectiveness of risk response measures, and identify changes. (2.2.4 TASK 4-2:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)