Include responding to alerts from security monitoring systems in the incident response procedures.


CONTROL ID: 11949
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain incident response procedures., CC ID: 01206

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The emergency call systems intended to inform the business room, control center, and other related divisions of any emergency situation having occurred in the ATM room of branch offices should be installed in a conspicuous place for the customers near the automatic device and identified with a sign … (F112.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The FI should configure system events or alerts to provide an early indication of issues that may affect its IT systems' performance and security. System events or alerts should be actively monitored so that prompt measures can be taken to address the issues early. (§ 7.7.4, Technology Risk Management Guidelines, January 2021)
  • The detection mechanisms referred to in paragraph 1 shall enable multiple layers of control, define alert thresholds and criteria to trigger and initiate ICT-related incident response processes, including automatic alert mechanisms for relevant staff in charge of ICT-related incident response. (Art. 10.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems. (12.10.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems. (12.10.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Procedures for the timely investigation of alerts by responsible personnel (A3.2.6.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems. (12.10.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are alerts from security monitoring systems included in the incident response plan? (12.10.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are alerts from security monitoring systems included in the incident response plan? (12.10.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are alerts from security monitoring systems included in the incident response plan? (12.10.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are alerts from security monitoring systems included in the incident response plan? (12.10.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Verify through observation and review of processes that monitoring and responding to alerts from security monitoring systems are covered in the incident response plan. (12.10.5, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including but not limited to: (12.10.5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • The change- and tamper-detection mechanism for payment pages. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. (12.10.5 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and observe incident response processes to verify that monitoring and responding to alerts from security monitoring systems are covered in the security incident response plan, including but not limited to the systems specified in this requirement. (12.10.5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including but not limited to: (12.10.5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The change- and tamper-detection mechanism for payment pages. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. (12.10.5 Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The security incident response plan includes monitoring and responding to alerts from security monitoring systems, including but not limited to: (12.10.5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The change- and tamper-detection mechanism for payment pages. This bullet is a best practice until its effective date; refer to Applicability Notes below for details. (12.10.5 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • be flexible to respond to unanticipated threats and changing internal and external conditions, (§ 8.4.1 ¶ 3 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization establishes and documents cyber event alert parameters and thresholds as well as rule-based triggers for an automated response within established parameters when known attack patterns, signatures or behaviors are detected. (DE.AE-5.1, CRI Profile, v1.2)
  • The organization establishes and documents cyber event alert parameters and thresholds as well as rule-based triggers for an automated response within established parameters when known attack patterns, signatures or behaviors are detected. (DE.AE-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Document the types of actions to be taken in response to security alerts/advisories. (§ 5.10.4.4 ¶ 1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Document the types of actions to be taken in response to security alerts/advisories. (§ 5.10.4.4 ¶ 1 3., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. (Domain 3: Assessment Factor: Detective Controls, EVENT DETECTION Baseline 3 ¶ 2, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI actors, appeal and override, decommissioning, incident response, recovery, and change management. (MANAGE 4.1, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Detecting, preventing, and responding to attacks, intrusions, or other systems failures. (Section 3965.02 (C)(4)(c), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)