This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs automated tools to support near real-time analysis of events.
NIST 800-53 (r4) Supplemental Guidance:
Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and/or notifications generated by organizational information systems.
NIST 800-53 (r5) Discussion:
Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.
38North Guidance:
Meets Minimum Requirement:
Employ automated tools such as Snort, OSSEC, or any other IDS/IPS solution, along with a SIEM, to support near real-time scanning, capture, and analysis of events.
It is extremely difficult to plausibly claim that analysis happens in near real time without a SIEM.
If dedicated agents are used to collect data (e.g., Elastic agents), they need to be included in the software inventory.
Best Practice: None
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Configuration settings of the intrusion detection system (e.g., SIEM) showing that logs are analyzed in real time as they are received from the components of the CSP environment.
CSP Implementation Tips: None