SI-04 Information System Monitoring Tools And Techniques
System and Information Integrity
Description
The organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.
Supplemental Guidance
Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, audit record monitoring software, network monitoring software). Monitoring devices are strategically deployed within the information system (e.g., at selected perimeter locations, near server farms supporting critical applications) to collect essential information. Monitoring devices are also deployed at ad hoc locations within the system to track specific transactions. Additionally, these devices are used to track the impact of security changes to the information system. The granularity of the information collected is determined by the organization based upon its monitoring objectives and the capability of the information system to support such activities. Organizations consult appropriate legal counsel with regard to all information system monitoring activities. Organizations heighten the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations, organizational assets, or individuals based on law enforcement information, intelligence information, or other credible sources of information. NIST Special Publication 800-61 provides guidance on detecting attacks through various types of security technologies. NIST Special Publication 800-83 provides guidance on detecting malware-based attacks through malicious code protection software. NIST Special Publication 800-92 provides guidance on monitoring and analyzing computer security event logs. NIST Special Publication 800-94 provides guidance on intrusion detection and prevention. Related security control: AC-8.
Changes from Rev 4
Title changed from 'Information System Monitoring'.
Control text replaces 'Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion' with 'Analyze detected events and anomalies' and replaces 'Heightens' with 'Adjust'.
Discussion expanded with references to other controls.
Enhancements