3.14.7 has a weight of -3 points

System and Information Integrity Family 7/7

Identify unauthorized use of organizational systems

Example of System Security Plan (SSP):

  1. External and Internal System Monitoring:
      1. Our organization has implemented both external and internal system monitoring to ensure comprehensive coverage of potential unauthorized use of organizational systems.
      2. External monitoring focuses on observing events occurring at the system boundary to detect any attempts to gain unauthorized access from outside the organization.
      3. Internal monitoring involves observing events occurring within the system to identify any insider threats or unauthorized activities from within the organization.
  2. Monitoring for Unauthorized Use:
      1. Our system monitoring capabilities are designed to detect unauthorized use of organizational systems promptly.
      2. Through continuous monitoring, we aim to identify and respond to any suspicious activities that may indicate unauthorized access or misuse of our systems.
  3. Diverse Tools and Techniques:
      1. To achieve effective system monitoring, we employ a variety of tools and techniques, including intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.
      2. These tools enable us to detect a wide range of potential unauthorized activities and security threats.
  4. Continuous Monitoring and Incident Response Integration:
      1. System monitoring is a critical component of our continuous monitoring and incident response programs.
      2. The output from system monitoring serves as vital input to these programs, allowing us to detect unauthorized use and respond rapidly to potential security incidents.
  5. Identification of Unusual or Unauthorized Activities:
      1. Our monitoring efforts are specifically focused on identifying unusual or unauthorized activities related to inbound and outbound communications traffic.
      2. Such activities may include internal traffic that indicates the presence of malicious code in systems or its propagation among system components, the unauthorized exporting of information, or signaling to external systems.
  6. Utilization of Evidence of Malicious Code:
      1. Evidence of malicious code identified through system monitoring is used to identify potentially compromised systems or system components.
      2. This evidence plays a crucial role in our incident response process, guiding targeted actions to contain and mitigate security incidents resulting from unauthorized activities.
  7. Referencing Monitoring Requirements:
      1. System monitoring requirements, including the need for specific types of system monitoring, are referenced in other relevant organizational requirements and security policies.
      2. We ensure that our monitoring practices align with industry best practices, such as the guidance provided in [SP 800-94] for intrusion detection and prevention systems.
  8. Periodic Review and Updates:
      1. Our system monitoring procedures are subject to periodic review and updates to align with changes in technology, threats, and organizational requirements.
      2. By continuously improving our monitoring capabilities, we aim to stay ahead of potential security risks associated with unauthorized system use.

Example of Plan of Action and Milestones (POA&M):

Missing 


RELEVANT INFORMATION:

System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. [SP 800-94] provides guidance on intrusion detection and prevention systems.
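The three kinds of unusual traffic named in the SSP item "Identification of Unusual or Unauthorized Activities" and in the discussion text above (malicious code propagating among system components, unauthorized exporting of information, signaling to external systems) can be turned into concrete checks over connection records. The block below is an added example, not code from the original page or from any monitoring product it mentions; it runs over constructed flow records and assumes that the 10.0.0.0/8 prefix is the internal network and that the thresholds are illustrative tuning values.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample records, not real traffic: (time_s, src, dst, dst_port, bytes_out).
FLOWS = (
    # 10.0.0.5 contacts one external host every 60 s: candidate signaling/beacon
    [(t, "10.0.0.5", "203.0.113.7", 443, 512) for t in range(0, 360, 60)]
    # ordinary, irregular browsing from 10.0.0.8
    + [(t, "10.0.0.8", "198.51.100.2", 443, 2000) for t in (10, 45, 300, 900)]
    # 10.0.0.9 pushes about 550 MB to an external SSH host: candidate export
    + [(100, "10.0.0.9", "203.0.113.50", 22, 300_000_000),
       (200, "10.0.0.9", "203.0.113.50", 22, 250_000_000)]
    # 10.0.0.5 fans out to five internal peers on 445: candidate propagation
    + [(400 + i, "10.0.0.5", f"10.0.0.{20 + i}", 445, 1000) for i in range(5)]
    + [(500, "10.0.0.8", "10.0.0.20", 445, 1000)]
)

def is_internal(ip):
    # Assumption for this example: the internal address space is 10.0.0.0/8.
    return ip.startswith("10.")

def find_beacons(flows, min_count=5, max_jitter_s=5.0):
    """Internal->external pairs contacted repeatedly at near-constant intervals."""
    times = defaultdict(list)
    for t, src, dst, _, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(t)
    hits = []
    for pair, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Low spread of inter-contact gaps is the signature of scheduled signaling.
        if len(ts) >= min_count and pstdev(gaps) <= max_jitter_s:
            hits.append(pair)
    return sorted(hits)

def find_large_exports(flows, threshold_bytes=500_000_000):
    """Internal->external pairs whose total outbound volume exceeds the threshold."""
    volume = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            volume[(src, dst)] += nbytes
    return sorted(p for p, v in volume.items() if v > threshold_bytes)

def find_lateral_fanout(flows, port=445, min_peers=5):
    """Internal hosts reaching many distinct internal peers on one service port."""
    peers = defaultdict(set)
    for _, src, dst, dport, _ in flows:
        if is_internal(src) and is_internal(dst) and dport == port:
            peers[src].add(dst)
    return sorted(s for s, d in peers.items() if len(d) >= min_peers)
```

Each function returns the offending source/destination pairs or hosts so the result can feed the incident response process the SSP describes; in production the thresholds should be tuned against a baseline of the organization's normal traffic.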

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.