This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
NIST 800-53 (r4) Supplemental Guidance:
Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations.
References: None.
NIST 800-53 (r5) Discussion:
Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations.
38North Guidance:
Meets Minimum Requirement:
Uses a ticketing system or incident response database, which can receive manual or automated feeds, to track and monitor security incidents.
Has a security information and event management (SIEM) tool or other security tooling that can be used to help identify the cause/source of the incident.
Generates reports on incidents to identify trends by incident class, by affected organizational asset, and in response times.
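The three points above describe one pipeline: pull ticket records and SIEM alerts into one place, tie them together, and report on the result. The following is an added example of that correlation step, written for this page; it is not 38North's tooling, not a vendor product, and not taken from any CSP. The ticket and alert records are constructed, and the field names (asset, indicator, incident class) are assumptions about what a ticketing export and a SIEM alert feed would carry. It links each ticket to the alerts that preceded it on the same asset, surfaces indicators shared across separate incidents (including alerts on that indicator that never became a ticket, which is the organization-wide view the control asks for), and produces a per-class count and mean time-to-close.

```python
"""Correlate incident tickets with SIEM alerts and report trends.

Added illustration, not 38North's or any vendor's tooling. Sample data below is
constructed; the field names (asset, indicator, incident class) are assumptions
about what a ticketing export and a SIEM alert feed would carry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Ticket:
    ticket_id: str
    opened: datetime
    closed: Optional[datetime]   # None while the incident is still open
    incident_class: str
    asset: str


@dataclass
class Alert:
    alert_id: str
    seen: datetime
    asset: str
    indicator: str  # e.g. the source IP the SIEM rule fired on


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample feeds (assumed shape; not real incidents).
TICKETS = [
    Ticket("INC-101", _ts("2024-03-01T08:00:00"), _ts("2024-03-01T10:30:00"), "malware", "web-01"),
    Ticket("INC-102", _ts("2024-03-02T09:15:00"), _ts("2024-03-02T09:45:00"), "phishing", "mail-gw"),
    Ticket("INC-103", _ts("2024-03-03T22:00:00"), _ts("2024-03-04T06:00:00"), "malware", "db-02"),
    Ticket("INC-104", _ts("2024-03-05T11:00:00"), None, "unauthorized-access", "vpn-01"),
]
ALERTS = [
    Alert("A-1", _ts("2024-03-01T07:50:00"), "web-01", "198.51.100.7"),
    Alert("A-2", _ts("2024-03-03T21:40:00"), "db-02", "198.51.100.7"),
    Alert("A-3", _ts("2024-03-05T10:55:00"), "vpn-01", "203.0.113.9"),
    Alert("A-4", _ts("2024-03-06T12:00:00"), "hr-01", "198.51.100.7"),  # never ticketed
]


def link_alerts(tickets, alerts, window=timedelta(hours=1)):
    """Map each ticket to the SIEM alerts on the same asset that fired within
    `window` before the ticket was opened (the automated feed behind the report)."""
    links = {t.ticket_id: [] for t in tickets}
    for t in tickets:
        for a in alerts:
            if a.asset == t.asset and t.opened - window <= a.seen <= t.opened:
                links[t.ticket_id].append(a.alert_id)
    return links


def shared_indicators(tickets, alerts, links):
    """Indicators that appear in alerts tied to two or more distinct incidents.
    Returns {indicator: {"incidents": [...], "unlinked_alerts": [...]}} so that an
    alert on the same indicator that never became a ticket stands out for review."""
    by_alert = {a.alert_id: a for a in alerts}
    linked_ids = {aid for ids in links.values() for aid in ids}
    incidents_by_ind = defaultdict(set)
    for tid, ids in links.items():
        for aid in ids:
            incidents_by_ind[by_alert[aid].indicator].add(tid)
    out = {}
    for ind, tids in incidents_by_ind.items():
        if len(tids) < 2:
            continue
        unlinked = sorted(a.alert_id for a in alerts
                          if a.indicator == ind and a.alert_id not in linked_ids)
        out[ind] = {"incidents": sorted(tids), "unlinked_alerts": unlinked}
    return out


def trend_report(tickets):
    """Per incident class: total count, still-open count, mean minutes to close."""
    groups = defaultdict(list)
    for t in tickets:
        groups[t.incident_class].append(t)
    report = {}
    for cls, ts in sorted(groups.items()):
        closed = [(t.closed - t.opened).total_seconds() / 60 for t in ts if t.closed]
        report[cls] = {
            "count": len(ts),
            "open": sum(1 for t in ts if t.closed is None),
            "mean_minutes_to_close": round(mean(closed), 1) if closed else None,
        }
    return report


if __name__ == "__main__":
    links = link_alerts(TICKETS, ALERTS)
    print("ticket -> alerts:", links)
    print("shared indicators:", shared_indicators(TICKETS, ALERTS, links))
    print("trend report:", trend_report(TICKETS))
```

On the sample data the shared-indicator step is the one worth a reviewer's attention: the same source address sits behind two separate malware tickets and a third alert on an asset that was never ticketed, which is exactly the kind of cross-source observation the control's discussion has in mind. The one-hour window and the asset-name join are deliberately simple; a production version would also join on user, hostname and indicator fields and pull the windows from the SIEM's own alert-to-case links.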
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Procedures or configuration showing how incident information is either manually or automatically fed into a central repository.
List of data feeds for the SIEM tooling to track and monitor security incidents.
Evidence that a named individual reviews the correlated data to maintain incident awareness, and that defined actions are taken when something is detected.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD