3.14.3 has a weight of -5 points

Organizational System Security Plan (SSP) – Monitoring System Alerts and Advisories

1. Introduction:

The primary goal of this document is to outline our organization’s strategy to proactively monitor and respond to system security alerts and advisories, safeguarding our infrastructure from potential threats.

2. System Integration for Monitoring:

a. Our SIEM (Security Information and Event Management):

Purpose: Acts as the frontline defense by serving as our primary threat sensor. Integration: Regularly captures and processes system security alerts. This system operates in conjunction with our internal Security Operations Center (SOC) which performs analysis, detection, and response functions.

3. Sources of Security Alerts and Advisories:

a. Internal System Alerts: These are alerts generated from within our system infrastructure, signifying potential security anomalies or risks.

b. External Advisories: We maintain subscriptions and liaisons with trusted external agencies, notably CISA, which provide timely warnings and advisories on emerging threats and vulnerabilities.

4. Response Strategy:

a. Internal Notification via Ticketing System: Once an alert or advisory is detected and verified by our SOC, it’s logged into our ticketing system. This system ensures that relevant stakeholders, including the internal IT department, are immediately notified and can track the response to completion.

b. Action Response: The nature and severity of the alert dictate the response. Our Incident Response Plan, integrated with the ticketing system, offers a structured and hierarchical response mechanism ensuring every threat is addressed efficiently and effectively.

c. External Communication: For alerts that have wider implications, especially those that might impact our partners or stakeholders, we activate a communication protocol ensuring transparency and collaboration.

Plan of Action and Milestones (POA&M) – Monitoring System Alerts and Advisories

1. Objectives:

To continuously improve our system monitoring capabilities, response strategies, and overall cyber defense mechanisms by addressing identified gaps and vulnerabilities.

2. Identified Gaps and Vulnerabilities:

a. SIEM Enhancement: Upgrading the SIEM to incorporate newer threat intelligence sources and ensuring compatibility with evolving system architectures.

b. SOC Training: Regular training for SOC personnel to keep them abreast of the latest cyber threats and response mechanisms.

c. Incident Response Plan Update: Periodic review and enhancement of the Incident Response Plan to address new types of threats.

d. Communication Protocols: Streamlining external communication for swifter and clearer information dissemination to stakeholders during critical incidents.

3. Action Items:

a. SIEM Enhancement:

• Milestone: Integration of additional threat intelligence feeds.
• Target Completion Date: [Date]
• Responsibility: [Name/Team]

b. SOC Training:

• Milestone: Conduct quarterly training sessions and workshops.
• Target Completion Date: [Date for first session]
• Responsibility: [Name/Training Department]

c. Incident Response Plan Update:

• Milestone: Conduct a review and update session.
• Target Completion Date: [Date]
• Responsibility: [Name/Team]

d. Communication Protocols:

• Milestone: Redesign communication templates and protocols.
• Target Completion Date: [Date]
• Responsibility: [Name/Communication Team]

4. Monitoring and Review:

a. Quarterly Review: Conduct a comprehensive review of the implemented actions and their efficacy.

• Next Review Date: [Date]

b. Feedback Loop: Establish a mechanism for the IT team and SOC to provide feedback after each incident, ensuring continuous improvement.

5. Budget & Resources:

a. Allocated Budget: $[Amount]

b. Required Resources:

• SIEM Upgrade: $[Amount]
• SOC Training Programs: $[Amount]
• Incident Response Plan Review: $[Amount]
• Communication Protocol Enhancement: $[Amount]

6. Approval & Ownership:

POA&M Owner: [Name/Position]

Approval Date: [Date]