Establish, implement, and maintain Security Control System monitoring and reporting procedures.


CONTROL ID
12506
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

This Control has the following implementation support Control(s):
  • Include detecting and reporting the failure of a change detection mechanism in the Security Control System monitoring and reporting procedures., CC ID: 12525
  • Include detecting and reporting the failure of audit logging in the Security Control System monitoring and reporting procedures., CC ID: 12513
  • Include detecting and reporting the failure of an anti-malware solution in the Security Control System monitoring and reporting procedures., CC ID: 12512
  • Include detecting and reporting the failure of a segmentation control in the Security Control System monitoring and reporting procedures., CC ID: 12511
  • Include detecting and reporting the failure of a physical access control in the Security Control System monitoring and reporting procedures., CC ID: 12510
  • Include detecting and reporting the failure of a logical access control in the Security Control System monitoring and reporting procedures., CC ID: 12509
  • Include detecting and reporting the failure of an Intrusion Detection and Prevention System in the Security Control System monitoring and reporting procedures., CC ID: 12508
  • Include detecting and reporting the failure of a security testing tool in the Security Control System monitoring and reporting procedures., CC ID: 15488
  • Include detecting and reporting the failure of a firewall in the Security Control System monitoring and reporting procedures., CC ID: 12507
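The implementation support controls above all reduce to the same detection problem: each critical security control system must be watched for the case where it stops working, and that event must reach someone promptly. As an added example (not part of this control catalog, nor code from any of the cited standards), the following Python sketch shows one way to implement that detection: every control emits a periodic heartbeat, the monitor declares a control failed when its latest heartbeat is missing, too old, implausibly timestamped, or self-reports trouble, and a failure of the logging/monitoring pipeline itself is routed out-of-band because the pipeline cannot be trusted to deliver the alert about its own outage. The control names, staleness thresholds, heartbeat format and alert channel names are assumptions made for the example.

```python
"""Liveness monitor for critical security control systems (added example).

Control names, thresholds, the heartbeat format and the alert channels are
assumptions for illustration, not values taken from any standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Longest silence tolerated per control before it is reported as failed.
# Assumed values; in practice they come from the organization's risk assessment.
MAX_SILENCE: Dict[str, timedelta] = {
    "firewall": timedelta(minutes=5),
    "ids_ips": timedelta(minutes=5),
    "fim": timedelta(hours=1),                # change-detection mechanism
    "anti_malware": timedelta(hours=1),
    "audit_logging": timedelta(minutes=2),
    "segmentation": timedelta(minutes=10),
    "logical_access": timedelta(minutes=10),
    "physical_access": timedelta(minutes=30),
    "siem_collector": timedelta(minutes=2),   # the logging/monitoring system itself
}
CLOCK_SKEW_TOLERANCE = timedelta(minutes=1)


@dataclass(frozen=True)
class Heartbeat:
    control: str
    seen_at: datetime   # timezone-aware UTC timestamp of the heartbeat
    status: str         # "ok", "degraded" or "failed", as self-reported by the control


@dataclass(frozen=True)
class Failure:
    control: str
    reason: str
    detected_at: datetime
    silent_for: Optional[timedelta] = None


def evaluate(heartbeats: List[Heartbeat], now: datetime) -> List[Failure]:
    """Return one Failure per expected control that is missing, stale, implausible or unhealthy."""
    latest: Dict[str, Heartbeat] = {}
    for hb in heartbeats:
        if hb.control not in latest or hb.seen_at > latest[hb.control].seen_at:
            latest[hb.control] = hb

    failures: List[Failure] = []
    for control, limit in MAX_SILENCE.items():   # iterate the expected set, not what reported
        hb = latest.get(control)
        if hb is None:
            failures.append(Failure(control, "no heartbeat received", now))
        elif hb.seen_at > now + CLOCK_SKEW_TOLERANCE:
            # A timestamp from the future is not "fresh": it is clock skew or a forged record.
            failures.append(Failure(control, "heartbeat timestamp in the future", now))
        elif (silence := now - hb.seen_at) > limit:
            failures.append(Failure(control, f"silent for longer than {limit}", now, silence))
        elif hb.status != "ok":
            failures.append(Failure(control, f"self-reported status {hb.status!r}", now))
    return failures


def route(failures: List[Failure]) -> List[Tuple[str, str]]:
    """Map failures to (channel, message) pairs.

    If the collector itself has failed, the SIEM cannot be relied on to deliver
    alerts, so everything is paged out-of-band and the other failures are flagged
    as possibly being an artifact of the collector outage.
    """
    collector_down = any(f.control == "siem_collector" for f in failures)
    routed: List[Tuple[str, str]] = []
    for f in failures:
        if f.control == "siem_collector":
            routed.append(("oncall_pager", f"MONITORING PIPELINE FAILURE: {f.reason}"))
        elif collector_down:
            routed.append(("oncall_pager",
                           f"{f.control}: {f.reason} (may be masked by collector outage; verify at source)"))
        else:
            routed.append(("siem_alert", f"{f.control}: {f.reason}"))
    return routed


# Constructed sample snapshot: the most recent heartbeat seen from each control.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_HEARTBEATS = [
    Heartbeat("firewall", NOW - timedelta(minutes=1), "ok"),
    Heartbeat("ids_ips", NOW - timedelta(minutes=12), "ok"),      # stale: exceeds 5 min
    Heartbeat("fim", NOW - timedelta(minutes=20), "degraded"),    # fresh, but unhealthy
    Heartbeat("anti_malware", NOW - timedelta(minutes=30), "ok"),
    Heartbeat("audit_logging", NOW - timedelta(seconds=30), "ok"),
    Heartbeat("segmentation", NOW - timedelta(minutes=3), "ok"),
    Heartbeat("logical_access", NOW - timedelta(minutes=4), "ok"),
    # physical_access never reported at all
    Heartbeat("siem_collector", NOW - timedelta(seconds=45), "ok"),
]

if __name__ == "__main__":
    for channel, message in route(evaluate(SAMPLE_HEARTBEATS, NOW)):
        print(f"[{channel}] {message}")
```

Two design points matter more than the thresholds. First, the loop walks the expected set of controls rather than the set that happened to report, so a control that is silently removed or never wired in is caught as "no heartbeat received"; a monitor that only inspects records it has seen can never notice an absent one. Second, the collector's own heartbeat is in the same table and is routed differently: an independent check on the availability of the logging and monitoring software, with an out-of-band notification, is what keeps a collector outage from looking like a quiet, healthy estate. What the sketch does not do is the record-keeping side of the requirement (cause, duration, remediation and restoration of the control); that belongs in the incident record the alert opens.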


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • There should be arrangements for monitoring the information security condition of the organisation, which are documented, agreed with top management and performed regularly. Information generated by monitoring the information security condition of the organization should be used to measure the effec… (Critical components of information security 22) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Information collected as part of security reporting arrangements should include details about all aspects of information risk like criticality of information, identified vulnerabilities and level of threats, potential business impacts and the status of security controls in place. Information about t… (Critical components of information security 22) iv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Security monitoring arrangements should provide key decision-makers and Senior Management/Board of Directors with an informed view of aspects like the effectiveness and efficiency of information security arrangements, areas where improvement is required, information and systems that are subject to a… (Critical components of information security 22) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • System owners monitor each system, and associated cyber threats, security risks and security controls, on an ongoing basis. (Security Control: 1526; Revision: 1, Australian Government Information Security Manual)
  • The cloud provider draws up regular reports on the performed audits, which are reviewed and analysed by authorised bodies or committees. Policies and instructions describe the technical safeguards for the secure configuration and monitoring of the management console (both the self-service of the cu… (Section 5.6 RB-05 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The availability of the logging and monitoring software is monitored independently. In case the logging and monitoring software fails, the responsible employees are informed immediately. (Section 5.6 RB-16 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Ongoing procedures are performed for monitoring the effectiveness of controls over PI and for taking timely corrective actions when necessary. (M9.1 Performs ongoing monitoring, Privacy Management Framework, Updated March 1, 2020)
  • Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subs… (DS5.5 Security Testing, Surveillance and Monitoring, CobiT, Version 4.1)
  • Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defin… (AI3.2 Infrastructure Resource Protection and Availability, CobiT, Version 4.1)
  • The control system shall provide the capability to continuously monitor all security mechanism performance using commonly accepted security industry practices and recommendations to detect, characterize and report security breaches in a timely manner. (10.4.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Components shall provide the capability to be continuously monitored using commonly accepted security industry practices and recommendations to detect, characterize and report security breaches in a timely manner. (10.4.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: - Firewalls - IDS/IPS - FIM - Anti-virus - Physical access controls - Logical access controls - Aud… (10.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement a process to immediately detect and alert on critical security control failures. Examples of critical security controls include, but are not limited to: (A3.3.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: - Firewalls - IDS/IPS - FIM - Anti-virus - Physical access controls - Logical access controls - Audit logging mechanisms - Segmentation controls (if u… (10.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • For service providers only: Is a process implemented for the timely detection and reporting of failures of critical security control systems as follows: (10.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert. (10.8.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documented policies and procedures to verify that processes are defined for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: - Firewalls - IDS/IPS - FIM - Anti-virus - Physical access controls - Logical access contr… (10.8.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Additional requirement for service providers only: Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: (10.7.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: (10.7.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of: (A3.3.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Automated code review tools (if used). This bullet is a best practice until its effective date; refer to Applicability Notes below for details. (A3.3.1 Bullet 10, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Additional testing procedure for service provider assessments only: Examine documentation to verify that processes are defined for the prompt detection and addressing of failures of critical security control systems, including but not limited to failure of all elements specified in this requirement. (10.7.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documentation to verify that processes are defined for the prompt detection and addressing of failures of critical security control systems, including but not limited to failure of all elements specified in this requirement. (10.7.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Identification of cause(s) of the failure, including root cause. (A3.3.1.2.b Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine records to verify that security control failures are documented to include: (A3.3.1.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Additional testing procedure for service provider assessments only: Observe detection and alerting processes and interview personnel to verify that failures of critical security control systems are detected and reported, and that failure of a critical security control results in the generation of an… (10.7.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Observe detection and alerting processes and interview personnel to verify that failures of critical security control systems are detected and reported, and that failure of a critical security control results in the generation of an alert. (10.7.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented policies and procedures to verify that processes are defined to promptly detect, alert, and address critical security control failures in accordance with all elements specified in this requirement. (A3.3.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: (10.7.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: (10.7.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Additional requirement for service providers only: Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems: (10.7.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Define, implement and evaluate processes, procedures and technical measures for the reporting of anomalies and failures of the monitoring system and provide immediate notification to the accountable party. (LOG-13, Cloud Controls Matrix, v4.0)
  • reporting structures (contents, frequency, format, responsibilities, etc.) within the information security area, for example incident reports, reports on measuring the fulfilment of information security objectives, reports on performed activities; and (§ 8.1 Guidance ¶ 1(g), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • monitor controls; and (§ 7.2.1 ¶ 3 Bullet 3, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • define and implement policies and procedures, including implementation of the controls selected; (§ 7.2.1 ¶ 3 Bullet 2, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The organization's monitoring and detection processes comply with all applicable requirements. (DE.DP-2.1, CRI Profile, v1.2)
  • The organization's monitoring and detection processes comply with all applicable requirements. (DE.DP-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • SL 2 – Monitor the operation of the components of the IACS, and respond to incidents when discovered, by actively collecting and periodically reporting forensic evidence. (10.1 ¶ 1 Bullet 2, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Monitoring should include appropriate reporting mechanisms to allow for a timely response to events. To keep the reporting focused and the amount of reported information to a level that can be processed by the recipients, mechanisms such as SIEM are commonly applied to correlate individual events in… (10.4.2 ¶ 3, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • SL 3 – Monitor the operation of the components of the IACS, and respond to incidents when discovered, by actively collecting and pushing forensic evidence to the proper authorities. (10.1 ¶ 1 Bullet 3, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • SL 4 – Monitor the operation of the components of the IACS, and respond to incidents when discovered, by actively collecting and pushing forensic evidence to the proper authorities in near real-time. (10.1 ¶ 1 Bullet 4, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Although a system may begin operation in a secure state, it is important to be able to monitor the system to ensure that it remains in that secure state. If an event impacts the security of a system, timely notification of the event may be critical to mitigating the associated risk. Asset owners sho… (10.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Components shall provide the capability to be continuously monitored using commonly accepted security industry practices and recommendations to detect, characterize and report security breaches in a timely manner. (10.4.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Monitoring devices should be strategically deployed within the control system (for example, at selected perimeter locations and near server farms supporting critical applications) to collect essential information. Monitoring mechanisms may also be deployed at ad hoc locations within the control syst… (10.4.2 ¶ 2, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary. (P8.1 Performs Ongoing Monitoring, Trust Services Criteria)
  • Ongoing procedures are performed for monitoring the effectiveness of controls over personal information and for taking timely corrective actions when necessary. (P8.1 ¶ 2 Bullet 6 Performs Ongoing Monitoring, Trust Services Criteria, (includes March 2020 updates))
  • Regularly tests or otherwise regularly monitors the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment. (Section 7 ¶ 1.C., Standards for Safeguarding Customer Information Model Regulation, NAIC MDL-673, April 2002)
  • All CSP CSOs are required to have FedRAMP annual assessments performed by a 3PAO for the maintenance of their FedRAMP PA. DoD also requires annual assessments performed by a 3PAO or approved DoD SCA organization for the maintenance of their Level 4 and above DoD PA. It is expected that CSOs in both … (Section 5.3.1 ¶ 5, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Report to the Board. Each credit union should report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the credit union's compliance with these guidelines. The report should discuss material… (§ 748 Appendix A. III.F., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; (PM-31b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (PM-31e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; (PM-31b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (PM-31e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Identify security oriented organization reporting requirements that are fulfilled by the continuous monitoring program. (T0982, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Work with security managers (i.e., system owners, information system security managers, information system security officers, etc.) to establish appropriate reporting requirements for continuous monitoring at the system level. (T1003, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Coordinate continuous monitoring reporting requirements across various users. (T0996, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Establish appropriate reporting requirements in adherence to the criteria identified in the continuous monitoring program for use in automated control assessment. (T0988, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify reporting requirements for use in automated control assessment to support continuous monitoring. (T0991, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop a strategy for monitoring security control effectiveness; coordinate the system-level strategy with the organization and mission/business process-level monitoring strategy. (T0947, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Contextual Awareness and Analytic Monitoring capabilities are often provided by performance management and cybersecurity functions, including cyber situational awareness, anomaly detection, and performance monitoring. However, the off-the-shelf implementations of these functions are generally insuff… (3.1.5.1 ¶ 2, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Monitor the rigorous application of cyber policies, principles, and practices in the delivery of planning and management services. (T0505, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Coordinate continuous monitoring reporting requirements across various users. (T0996, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Perform cyber defense trend analysis and reporting. (T0164, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Work with security managers (i.e., system owners, information system security managers, information system security officers, etc.) to establish appropriate reporting requirements for continuous monitoring at the system level. (T1003, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Identify reporting requirements for use in automated control assessment to support continuous monitoring. (T0991, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish appropriate reporting requirements in adherence to the criteria identified in the continuous monitoring program for use in automated control assessment. (T0988, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Identify security oriented organization reporting requirements that are fulfilled by the continuous monitoring program. (T0982, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Work with security managers to establish appropriate continuous monitoring reporting requirements at the system level. (T0986, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Perform cyber defense trend analysis and reporting. (T0333, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop a strategy for monitoring security control effectiveness; coordinate the system-level strategy with the organization and mission/business process-level monitoring strategy. (T0947, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; (PM-31b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (PM-31e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • detects, prevents and responds to attacks or system failures; and (§ 899-bb. 2(b)(ii)(B)(3), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., TX-RAMP Security Controls Baseline Level 2)