This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
NIST 800-53 (r4) Supplemental Guidance:
Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits. Related controls: AU-12, PM-7.
NIST 800-53 (r5) Discussion:
Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits.
38North Guidance:
Meets Minimum Requirement:
The Cloud Service Provider (CSP) needs to employ automated mechanisms (intrusion detection systems, audit logging for all Cloud Service Offering (CSO) components, firewall alerts, alerting tools, etc.) to support identification of suspicious activities, which can then be investigated as part of a security incident, continuous monitoring, contingency planning, or a general audit. The implemented automated tools should provide the overall situational awareness required to fulfill audit review and analysis requirements for incident response, continuous monitoring, contingency events, or general audit requests.
Best Practice:
The CSP should implement a Security Information and Event Management (SIEM) tool for log aggregation from all automated tooling that supports the identification of suspicious activities. The alerting mechanisms configured within the SIEM tool allow the CSP to receive real-time alerts of suspicious activities from all CSO automated tooling.
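As an added illustration of what "integrated audit review, analysis, and reporting" means in practice (this is example code written for this page, not 38North's, FedRAMP's, or any SIEM vendor's code), the block below does in miniature what a SIEM does at scale: it normalizes constructed log lines from three separate tools (an IDS, a firewall, and an SSH auth log) into one event schema, correlates events by source IP inside a time window, and produces an alert record that can be attached to an incident ticket. The log formats, field names, IP addresses (RFC 5737 documentation ranges), and thresholds are all assumptions made for the example.

```python
"""Minimal SIEM-style correlation: normalize -> correlate -> report.
Constructed example; the log formats below are invented for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    source: str   # which tool produced the record
    src_ip: str   # pivot key used for correlation
    summary: str  # human-readable line for the ticket


# Constructed sample records, one format per tool (assumed formats, not a real product's).
SAMPLE_LOGS = {
    "ids": [
        '2024-05-01T10:00:05Z ALERT sid=1001 msg="port scan" src=203.0.113.7',
    ],
    "firewall": [
        "2024-05-01T10:00:20Z fw action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
        "2024-05-01T10:00:21Z fw action=allow src=192.0.2.44 dst=10.0.0.5 dport=443",
        "2024-05-01T10:05:00Z fw action=deny src=198.51.100.9 dst=10.0.0.5 dport=3389",
    ],
    "auth": [
        "2024-05-01T10:01:00Z sshd: Failed password for root from 203.0.113.7",
        "2024-05-01T11:30:00Z sshd: Failed password for admin from 198.51.100.9",
        "garbled line that does not parse",
    ],
}

IDS_RE = re.compile(r'^(?P<ts>\S+) ALERT sid=(?P<sid>\d+) msg="(?P<msg>[^"]+)" src=(?P<ip>[\d.]+)')
FW_RE = re.compile(r"^(?P<ts>\S+) fw action=(?P<action>\w+) src=(?P<ip>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<port>\d+)")
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(source, line):
    """Map one raw line to the common Event schema; None for noise or unparsable input."""
    if source == "ids" and (m := IDS_RE.match(line)):
        return Event(parse_ts(m["ts"]), "ids", m["ip"], f'IDS sid {m["sid"]}: {m["msg"]}')
    if source == "firewall" and (m := FW_RE.match(line)) and m["action"] == "deny":
        return Event(parse_ts(m["ts"]), "firewall", m["ip"], f'denied to {m["dst"]}:{m["port"]}')
    if source == "auth" and (m := AUTH_RE.match(line)):
        return Event(parse_ts(m["ts"]), "auth", m["ip"], f'failed SSH login for {m["user"]}')
    return None


def normalize(logs):
    """Aggregate every tool's lines into one time-ordered event stream."""
    events = [ev for source, lines in logs.items() for line in lines if (ev := parse_line(source, line))]
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window=timedelta(minutes=10), min_sources=2):
    """Raise one alert per source IP seen by at least min_sources tools inside the window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.src_ip].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        for start in evs:  # sliding window anchored at each event
            group = [e for e in evs if start.ts <= e.ts <= start.ts + window]
            sources = sorted({e.source for e in group})
            if len(sources) >= min_sources:
                alerts.append({
                    "src_ip": ip,
                    "sources": sources,
                    "severity": "high" if len(sources) >= 3 else "medium",
                    "first_seen": group[0].ts.isoformat(),
                    "last_seen": group[-1].ts.isoformat(),
                    "events": [f"{e.ts.isoformat()} [{e.source}] {e.summary}" for e in group],
                })
                break  # one alert per IP is enough for the ticket
    return alerts


def format_ticket(alert):
    """Render the alert as the text an analyst would paste into a ticket."""
    header = f'[{alert["severity"].upper()}] suspicious activity from {alert["src_ip"]} ' \
             f'({", ".join(alert["sources"])}) {alert["first_seen"]} .. {alert["last_seen"]}'
    return "\n".join([header, *alert["events"]])


def run_pipeline(logs):
    return correlate(normalize(logs))


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(format_ticket(alert))
```

Running it reports only 203.0.113.7, which appears in all three tools within ten minutes; 198.51.100.9 appears in two tools but an hour apart, so it stays below the threshold, and the firewall "allow" line and the garbled line are dropped at normalization. The evidence items under "Assessment Evidence" below correspond to the three stages here: the raw tool logs (normalize), the correlated findings (correlate), and the resulting ticket (format_ticket).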
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review recent CSO incident response events and continuous monitoring review/analysis of CSO issues.
Review recent suspicious activities identified by CSO component logging, firewall events, intrusion detection systems, and alerting tools.
Review recent ticketing system tickets to see how suspicious activities are managed once identified.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD