Analyze and respond to security alerts.


CONTROL ID
12504
CONTROL TYPE
Business Processes
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Incident Response program., CC ID: 00579

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • A bank needs to have robust monitoring processes in place to identify events and unusual activity patterns that could impact on the security of IT assets. The strength of the monitoring controls needs to be proportionate to the criticality of an IT asset. Alerts would need to be investigated in a ti… (Critical components of information security 17) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. (Article 48-4(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • The FI should rigorously control and regulate the environment within a DC. Monitoring of environmental conditions, such as temperature and humidity, within a DC is critical in ensuring uptime and system reliability. The FI should promptly escalate any abnormality detected to management and resolve t… (§ 10.3.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Cyber security events are analysed in a timely manner to identify cyber security incidents. (D2:, Australian Government Information Security Manual, June 2023)
  • Cyber security events are analysed in a timely manner to identify cyber security incidents. (Control: ISM-1228; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Cyber security events are analysed in a timely manner to identify cyber security incidents. (D2:, Australian Government Information Security Manual, September 2023)
  • Cyber security events are analysed in a timely manner to identify cyber security incidents. (Control: ISM-1228; Revision: 3, Australian Government Information Security Manual, September 2023)
  • identification and analysis to determine if it is an incident or an event; (73(b)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • providing dynamic risk and incident analysis and situational awareness; (ANNEX I ¶ 1(2)(a)(iv), Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Financial entities shall monitor the effectiveness of the implementation of their digital operational resilience strategy set out in Article 6(8). They shall map the evolution of ICT risk over time, analyse the frequency, types, magnitude and evolution of ICT-related incidents, in particular cyber-a… (Art. 13.4., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Reaction to information security events/vulnerabilities (1.6.1 Requirements (must) Bullet 3 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • An adequate reaction to information security events/vulnerabilities is given. (1.6.1 Requirements (must) Bullet 6, Information Security Assessment, Version 5.1)
  • Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes: - Daily log reviews - Firewall rule-set reviews - Applying configuration standards to new… (12.11, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Response to alerts in accordance with documented response procedures (A3.5.1 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes: - Daily log reviews - Firewall rule-set reviews - Applying configuration standards to new systems - Responding to security alerts - Change m… (12.11, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Do reviews cover the following processes: - Daily log reviews - Firewall rule-set reviews - Applying configuration standards to new systems - Responding to security alerts - Change management processes (12.11(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine policies and procedures to verify that processes are defined for reviewing and confirming that personnel are following security policies and operational procedures, and that reviews cover: - Daily log reviews - Firewall rule-set reviews - Applying configuration standards to new systems - Res… (12.11.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Configured to either block web-based attacks or generate an alert that is immediately investigated. (6.4.1 Bullet 2 Sub-Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Configured to either block web-based attacks or generate an alert that is immediately investigated. (6.4.2 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Responding to security alerts. (12.4.2 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Procedures for the prompt investigation of alerts by responsible personnel. (A3.2.6.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Configured to either block web-based attacks or generate an alert that is immediately investigated. (6.4.1 Bullet 2 Sub-Bullet 4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Configured to either block web-based attacks or generate an alert that is immediately investigated. (6.4.2 Bullet 4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Configured to either block web-based attacks or generate an alert that is immediately investigated. (6.4.1 Bullet 2 Sub-Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Configured to either block web-based attacks or generate an alert that is immediately investigated. (6.4.2 Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Configured to either block web-based attacks or generate an alert that is immediately investigated. (6.4.2 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Configured to either block web-based attacks or generate an alert that is immediately investigated. (6.4.1 Bullet 2 Sub-Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Responding to security alerts. (12.4.2 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. (CC7.3 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. (CC7.2 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Detected events are analyzed to understand attack targets and methods. (DE.AE-2, CRI Profile, v1.2)
  • The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. (CC7.2, Trust Services Criteria)
  • The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. (CC7.3, Trust Services Criteria)
  • The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. (CC7.3 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. (CC7.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Analyze and triage events to support event resolution and incident declaration. (IR.2.094, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Analyze and triage events to support event resolution and incident declaration. (IR.2.094, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Analyze and triage events to support event resolution and incident declaration. (IR.2.094, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Analyze and triage events to support event resolution and incident declaration. (IR.2.094, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • The agency shall implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. Wherever feasible, the agency shall employ automated mechanisms to support the incident handling process. (§ 5.3.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Take appropriate actions in response. (§ 5.10.4.4 ¶ 1 4., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts. (T0214, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts. (T0214, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents (Adverse Event Analysis (DE.AE), The NIST Cybersecurity Framework, v2.0)
  • Potentially adverse events are analyzed to better understand associated activities (DE.AE-02, The NIST Cybersecurity Framework, v2.0)
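Several of the authority documents above converge on the same three operational expectations: alerts from multiple sources are received and correlated (NICE T0214), each is analyzed and triaged to decide whether it is an event or an incident (CMMC IR.2.094, TSC CC7.3, ISM-1228, APRA CPG 234 73(b)), and the analysis happens promptly against a documented procedure (PCI DSS 12.4.2, A3.2.6.1). The following Python script is an added illustration of how such a triage step and its timeliness check can be made measurable; it is not part of this Control, the cited standards, or any vendor product. The alert records, the source names (waf, edr, ids), the correlation window, the incident rule and the severity-to-SLA table are all constructed assumptions, to be replaced with the organization's own documented response procedure.

```python
"""Alert triage and timeliness check (constructed example, not from any cited standard)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample alerts from three hypothetical detection sources (UTC, ISO-8601).
# "acked" is when an analyst first acknowledged the alert; None means nobody has yet.
RAW_ALERTS = [
    {"source": "waf", "ts": "2024-05-01T10:00:00", "asset": "web01",
     "rule": "SQLi attempt", "severity": "high", "acked": "2024-05-01T10:05:00"},
    {"source": "edr", "ts": "2024-05-01T10:02:00", "asset": "web01",
     "rule": "Suspicious child process of httpd", "severity": "critical", "acked": "2024-05-01T10:06:00"},
    {"source": "ids", "ts": "2024-05-01T10:03:00", "asset": "web01",
     "rule": "Outbound connection to known C2", "severity": "high", "acked": None},
    {"source": "waf", "ts": "2024-05-01T11:00:00", "asset": "web02",
     "rule": "Scanner user-agent", "severity": "low", "acked": "2024-05-01T13:30:00"},
    {"source": "edr", "ts": "2024-05-01T11:10:00", "asset": "db01",
     "rule": "Failed login burst", "severity": "medium", "acked": "2024-05-01T11:20:00"},
]

# Assumed response-time targets per severity (the "documented response procedure").
SLA = {"critical": timedelta(minutes=15), "high": timedelta(minutes=30),
       "medium": timedelta(hours=2), "low": timedelta(hours=8)}
SEV_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CORRELATION_WINDOW = timedelta(minutes=15)   # assumed: same asset, alerts within 15 min
NOW = datetime.fromisoformat("2024-05-01T12:00:00")  # assumed review time


@dataclass
class Alert:
    source: str
    ts: datetime
    asset: str
    rule: str
    severity: str
    acked: Optional[datetime]


def parse_alerts(raw) -> List[Alert]:
    """Normalize heterogeneous source records into one schema, oldest first."""
    alerts = [Alert(a["source"], datetime.fromisoformat(a["ts"]), a["asset"], a["rule"],
                    a["severity"], datetime.fromisoformat(a["acked"]) if a["acked"] else None)
              for a in raw]
    return sorted(alerts, key=lambda a: a.ts)


@dataclass
class Case:
    asset: str
    alerts: List[Alert] = field(default_factory=list)

    @property
    def severity(self) -> str:
        return max(self.alerts, key=lambda a: SEV_RANK[a.severity]).severity

    @property
    def sources(self) -> List[str]:
        return sorted({a.source for a in self.alerts})

    @property
    def classification(self) -> str:
        # Assumed declaration rule: two independent sources corroborating activity on the
        # same asset, or any single critical alert, is declared an incident; anything else
        # remains a security event awaiting analyst review.
        return "incident" if len(self.sources) >= 2 or self.severity == "critical" else "event"


def correlate(alerts: List[Alert]) -> List[Case]:
    """Group alerts on the same asset that fall within the correlation window of each other."""
    cases: List[Case] = []
    for a in alerts:
        for c in cases:
            if c.asset == a.asset and a.ts - c.alerts[-1].ts <= CORRELATION_WINDOW:
                c.alerts.append(a)
                break
        else:
            cases.append(Case(a.asset, [a]))
    return cases


def sla_breaches(alerts: List[Alert], now: datetime):
    """Return (source, rule, overdue) for alerts not acknowledged within their SLA.
    Unacknowledged alerts are measured against 'now', so they surface as breaches too."""
    breaches = []
    for a in alerts:
        deadline = a.ts + SLA[a.severity]
        responded = a.acked if a.acked else now
        if responded > deadline:
            breaches.append((a.source, a.rule, responded - deadline))
    return breaches


if __name__ == "__main__":
    parsed = parse_alerts(RAW_ALERTS)
    for case in correlate(parsed):
        print(f"{case.asset}: {case.classification} ({case.severity}) from {case.sources}")
    for src, rule, overdue in sla_breaches(parsed, NOW):
        print(f"SLA breach: [{src}] {rule} overdue by {overdue}")
```

Run as written, the three web01 alerts collapse into one case that is declared an incident because WAF, EDR and IDS independently fired within the window, while the web02 and db01 alerts stay as events. The IDS alert is the only SLA breach: it was never acknowledged, so it is still open past its 30-minute target at review time. That breach list is the artifact a quarterly review of "responding to security alerts" would examine; a triage process that only counts closed tickets would miss it.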