3.14.6 has a weight of -5 points (NIST SP 800-171 DoD Assessment Methodology)

System and Information Integrity Family (6/7)

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Example of System Security Plan (SSP):


      1. External and Internal System Monitoring:
        1. Our organization employs both external and internal system monitoring to ensure comprehensive coverage of potential security threats.
        2. External monitoring focuses on observing events occurring at the system boundary as part of perimeter defense and boundary protection.
        3. Internal monitoring involves observing events occurring within the system to detect any insider threats or unauthorized activities.
      2. Monitoring Techniques:
        1. We monitor organizational systems by observing real-time audit record activities and other system aspects such as access patterns and characteristics of access.
        2. The selection of monitoring events is guided by our monitoring objectives, aligning with our security policies and risk management strategies.
      3. Diverse Tools and Techniques:
        1. Our system monitoring capability is achieved through a variety of tools and techniques, including intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.
        2. These tools enable us to detect a wide range of potential attacks and indicators of attacks.
      4. Strategic Monitoring Locations:
        1. We strategically place monitoring devices at selected perimeter locations and near server farms supporting critical applications.
        2. Managed system interfaces are also equipped with monitoring devices to enhance visibility into potential threats.
      5. Granularity of Monitoring Information:
        1. The granularity of monitoring information collected is based on our organizational monitoring objectives and the capability of systems to support these objectives.
        2. We collect and analyze monitoring data in a manner that aligns with our incident response and risk mitigation strategies.
      6. Continuous Monitoring and Incident Response Integration:
        1. System monitoring is an integral part of our continuous monitoring and incident response programs.
        2. The output from system monitoring serves as crucial input to these programs, enabling us to detect and respond promptly to potential security incidents.
      7. Network and Remote Connection Monitoring:
        1. We monitor all network connections, including local area network (LAN) and Internet communications.
        2. Remote connections, which involve devices communicating through external networks like the Internet, are also subject to monitoring.
      8. Identification of Unusual or Unauthorized Activities:
        1. Our monitoring efforts focus on detecting any unusual or unauthorized activities related to inbound and outbound communications traffic.
        2. Such activities may include indications of the presence of malicious code in systems or its propagation among system components, unauthorized information exports, or signaling to external systems.
      9. Utilization of Malicious Code Evidence:
        1. Evidence of malicious code identified through system monitoring is used to identify potentially compromised systems or system components.
        2. This evidence plays a crucial role in our incident response process, guiding targeted actions to contain and mitigate security incidents.
      10. Referencing Monitoring Requirements:
        1. System monitoring requirements, including the need for specific types of system monitoring, are referenced in other relevant organizational requirements and security policies.
        2. We ensure that our monitoring practices align with industry best practices, such as the guidance provided in [SP 800-94] for intrusion detection and prevention systems.

    Example of Plan of Action and Milestones (POA&M):

    Missing


    RELEVANT INFORMATION:

    System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system.

    Organizations can monitor systems, for example, by observing audit record activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. System monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include selected perimeter locations and near server farms supporting critical applications, with such devices being employed at managed system interfaces. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of systems to support such objectives. System monitoring is an integral part of continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs.

    A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.

    Unusual or unauthorized activities or conditions related to inbound/outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements.

    [SP 800-94] provides guidance on intrusion detection and prevention systems.
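    Items 8 and 9 of the SSP example above, and the discussion text in this section, single out two outbound-traffic indicators that a monitoring program should actually be able to surface: signaling to external systems (a compromised host calling back to a command-and-control server on a fixed schedule) and the unauthorized export of information (an unusual volume of data leaving toward one destination). The following is an added example, not code from this page or from NIST, showing detection logic for both over a constructed connection log. The hosts, the addresses (RFC 5737 documentation ranges), the log format and the thresholds are assumptions chosen for illustration, not values from the source.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection summaries (hypothetical hosts,
# documentation-range addresses). Fields: timestamp src dst dport bytes_out.
# 10.0.5.12 calls 203.0.113.7 every ~5 minutes (clockwork timing).
# 10.0.5.40 browses normally (irregular gaps, few connections).
# 10.0.5.77 pushes ~1 GB to 198.51.100.9 over SSH in two sessions.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.5.12 203.0.113.7 443 812
2024-05-01T09:05:00 10.0.5.12 203.0.113.7 443 790
2024-05-01T09:10:01 10.0.5.12 203.0.113.7 443 805
2024-05-01T09:15:00 10.0.5.12 203.0.113.7 443 798
2024-05-01T09:20:00 10.0.5.12 203.0.113.7 443 811
2024-05-01T09:25:00 10.0.5.12 203.0.113.7 443 801
2024-05-01T09:02:13 10.0.5.40 198.51.100.22 443 52000
2024-05-01T09:17:48 10.0.5.40 198.51.100.22 443 38000
2024-05-01T09:41:05 10.0.5.40 198.51.100.22 443 61000
2024-05-01T09:03:10 10.0.5.77 198.51.100.9 22 734003200
2024-05-01T09:04:00 10.0.5.77 198.51.100.9 22 310000000
"""


def parse_log(text):
    """Parse whitespace-separated connection records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, bytes_out = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "dport": int(dport), "bytes_out": int(bytes_out)})
    return records


def detect_beacons(records, min_connections=5, max_cv=0.1):
    """Flag (src, dst, dport) flows whose inter-connection gaps are near-constant.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections; a value near zero means the host is calling out
    on a timer, which is the "signaling to external systems" indicator.
    """
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    findings = []
    for (src, dst, dport), stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "connections": len(stamps), "mean_interval": avg, "cv": cv})
    return findings


def detect_exfil(records, byte_threshold=500_000_000):
    """Flag (src, dst) pairs whose cumulative outbound bytes exceed the threshold.

    This is the volume-based view of "unauthorized exporting of information";
    the threshold is an assumed value and must be tuned per environment.
    """
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["dst"])] += r["bytes_out"]
    return [{"src": s, "dst": d, "total_bytes": b}
            for (s, d), b in sorted(totals.items()) if b > byte_threshold]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in detect_beacons(recs):
        print(f"BEACON {f['src']} -> {f['dst']}:{f['dport']} "
              f"every {f['mean_interval']:.0f}s over {f['connections']} connections (cv={f['cv']:.3f})")
    for f in detect_exfil(recs):
        print(f"EXFIL  {f['src']} -> {f['dst']} {f['total_bytes']} bytes out")
```

    Two caveats a practitioner would apply before wiring this into the incident response program described in item 6 of the SSP: legitimate software also beacons (update checks, monitoring agents, NTP), so known destinations need an allowlist or the regularity check produces constant noise; and a byte-volume threshold misses low-and-slow exfiltration spread across many small sessions or many destinations, so it should be paired with per-host baselines rather than used alone.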



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.