3.14.3 has a weight of -5 points

(System and Information Integrity Family) 3/7

Monitor system security alerts and advisories and take action in response.


Example of System Security Plan (SSP):

Organizational System Security Plan (SSP) – Monitoring System Alerts and Advisories

  1. Introduction:

The primary goal of this document is to outline our organization’s strategy to proactively monitor and respond to system security alerts and advisories, safeguarding our infrastructure from potential threats.

  2. System Integration for Monitoring:

a. Our SIEM (Security Information and Event Management):

Purpose: Acts as the frontline defense by serving as our primary threat sensor.

Integration: Regularly captures and processes system security alerts. This system operates in conjunction with our internal Security Operations Center (SOC), which performs analysis, detection, and response functions.

  3. Sources of Security Alerts and Advisories:

a. Internal System Alerts: These are alerts generated from within our system infrastructure, signifying potential security anomalies or risks.

b. External Advisories: We maintain subscriptions and liaisons with trusted external agencies, notably CISA, which provide timely warnings and advisories on emerging threats and vulnerabilities.

  4. Response Strategy:

a. Internal Notification via Ticketing System: Once an alert or advisory is detected and verified by our SOC, it’s logged into our ticketing system. This system ensures that relevant stakeholders, including the internal IT department, are immediately notified and can track the response to completion.

b. Action Response: The nature and severity of the alert dictate the response. Our Incident Response Plan, integrated with the ticketing system, offers a structured and hierarchical response mechanism ensuring every threat is addressed efficiently and effectively.

c. External Communication: For alerts that have wider implications, especially those that might impact our partners or stakeholders, we activate a communication protocol ensuring transparency and collaboration.
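The flow in sections 3 and 4 (take an advisory from an internal or external source, check whether it applies to us, open a ticket whose priority follows severity, and flag the cases with wider implications for external communication) can be made concrete with a small triage script. The block below is an added example, not part of this SSP or of any product the page names: the advisory records, the asset inventory, the severity-to-priority table and the ticket field names are all constructed assumptions. It also records advisories that turned out not to apply, because an assessor checking 3.14.3 will want evidence that each advisory was reviewed, not only the ones that produced work.

```python
"""Advisory-to-ticket triage: an added illustration of the SSP's 'detect,
verify, log a ticket, respond by severity, notify externally if needed' flow.
Not code from the page; advisories, inventory and ticket fields are
constructed sample data and assumed formats."""
import re
from dataclasses import dataclass


@dataclass
class Advisory:
    advisory_id: str
    source: str      # constructed label: "CISA", "vendor", "ISAC"
    product: str
    fixed_in: str    # first version that is no longer affected
    severity: str    # "critical" | "high" | "medium" | "low"
    summary: str


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    partner_facing: bool   # reachable by external partners/stakeholders


# Assumed severity-to-priority mapping and response deadlines (hours); an
# organization's Incident Response Plan would define its own values.
PRIORITY = {"critical": "P1", "high": "P2", "medium": "P3", "low": "P4"}
RESPONSE_HOURS = {"P1": 24, "P2": 72, "P3": 168, "P4": 720}


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> zero-padded tuple, so '9.8' == '9.8.0' and
    '1.25.5' > '1.24.0'. Non-numeric components count as 0 (assumption)."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected if it runs the product below the fixed version."""
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def triage(advisories, inventory) -> dict:
    """Match every advisory against the inventory. Affected advisories become
    tickets; unaffected ones are still recorded as reviewed."""
    tickets, not_applicable = [], []
    for adv in advisories:
        hits = [a for a in inventory if is_affected(a, adv)]
        if not hits:
            not_applicable.append(adv.advisory_id)
            continue
        prio = PRIORITY[adv.severity]
        tickets.append({
            "advisory": adv.advisory_id,
            "source": adv.source,
            "priority": prio,
            "respond_within_hours": RESPONSE_HOURS[prio],
            "assets": sorted(a.hostname for a in hits),
            "action": f"upgrade {adv.product} to {adv.fixed_in} or later",
            # wider implications: a partner-facing asset triggers the
            # external communication protocol from section 4c
            "notify_external": any(a.partner_facing for a in hits),
        })
    return {"tickets": tickets, "not_applicable": not_applicable}


# Constructed sample data (not real advisories, products versions or hosts).
ADVISORIES = [
    Advisory("ADV-0001", "CISA", "openssh", "9.8", "critical", "sample issue A"),
    Advisory("ADV-0002", "vendor", "nginx", "1.25.5", "high", "sample issue B"),
    Advisory("ADV-0003", "ISAC", "postgresql", "16.3", "medium", "sample issue C"),
]
INVENTORY = [
    Asset("web-01", "nginx", "1.24.0", partner_facing=True),
    Asset("web-02", "nginx", "1.25.5", partner_facing=True),
    Asset("bastion-01", "openssh", "9.6", partner_facing=False),
    Asset("db-01", "postgresql", "16.3", partner_facing=False),
]

if __name__ == "__main__":
    result = triage(ADVISORIES, INVENTORY)
    for ticket in result["tickets"]:
        print(ticket)
    print("reviewed, not applicable:", result["not_applicable"])
```

Run as-is, the script opens a P1 ticket for the bastion host and a P2 ticket for web-01 that is flagged for external notification because the asset is partner-facing, while the PostgreSQL advisory is logged as reviewed and not applicable. In practice the inventory would come from the asset register the "Resources to consider" section describes, and the ticket dictionaries would be posted to the ticketing system the SSP references.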


Example of Plan of Action and Milestones (POA&M):

Plan of Action and Milestones (POA&M) – Monitoring System Alerts and Advisories

1. Objectives:

To continuously improve our system monitoring capabilities, response strategies, and overall cyber defense mechanisms by addressing identified gaps and vulnerabilities.

2. Identified Gaps and Vulnerabilities:

a. SIEM Enhancement: Upgrading the SIEM to incorporate newer threat intelligence sources and ensuring compatibility with evolving system architectures.

b. SOC Training: Regular training for SOC personnel to keep them abreast of the latest cyber threats and response mechanisms.

c. Incident Response Plan Update: Periodic review and enhancement of the Incident Response Plan to address new types of threats.

d. Communication Protocols: Streamlining external communication for swifter and clearer information dissemination to stakeholders during critical incidents.

3. Action Items:

a. SIEM Enhancement:

  • Milestone: Integration of additional threat intelligence feeds.
  • Target Completion Date: [Date]
  • Responsibility: [Name/Team]

b. SOC Training:

  • Milestone: Conduct quarterly training sessions and workshops.
  • Target Completion Date: [Date for first session]
  • Responsibility: [Name/Training Department]

c. Incident Response Plan Update:

  • Milestone: Conduct a review and update session.
  • Target Completion Date: [Date]
  • Responsibility: [Name/Team]

d. Communication Protocols:

  • Milestone: Redesign communication templates and protocols.
  • Target Completion Date: [Date]
  • Responsibility: [Name/Communication Team]

4. Monitoring and Review:

a. Quarterly Review: Conduct a comprehensive review of the implemented actions and their efficacy.

  • Next Review Date: [Date]

b. Feedback Loop: Establish a mechanism for the IT team and SOC to provide feedback after each incident, ensuring continuous improvement.

5. Budget & Resources:

a. Allocated Budget: $[Amount]

b. Required Resources:

  • SIEM Upgrade: $[Amount]
  • SOC Training Programs: $[Amount]
  • Incident Response Plan Review: $[Amount]
  • Communication Protocol Enhancement: $[Amount]

6. Approval & Ownership:

POA&M Owner: [Name/Position]

Approval Date: [Date]

RELEVANT INFORMATION:

There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations. [SP 800-161] provides guidance on supply chain risk management.


Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.