This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization implements [Assignment: organization-defined additional monitoring] of privileged users.
NIST 800-53 (r4) Supplemental Guidance:
None
NIST 800-53 (r5) Discussion:
Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions.
38North Guidance:
Meets Minimum Requirement:
Implement additional monitoring of privileged users. Examples of additional monitoring include: tagging events involving users and accounts in administrative roles in the SIEM, antivirus results, and logging mechanisms; identifying failed admin login attempts; sudo monitoring; capturing the full text of privileged commands; and any other audit events or content deemed necessary. The time of day of privileged logins should also be considered, since login activity outside an administrator's normal working hours can be indicative of insider threat.
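The checks named above (tagging events for administrative accounts, identifying failed admin logins, recording the full text of sudo commands, and flagging privileged logins outside normal hours) can be applied mechanically to authentication logs. The following is an added example and is not part of the 38North guidance or any product's code; the privileged-account list, the working-hours window, the log year, and the auth.log lines are all constructed assumptions for illustration.

```python
"""Added example: a minimal privileged-user monitor over Linux auth-log lines.

Everything below that is not a standard-library call is an assumption made for
this example: the admin account list, the working-hours window, and the sample
log lines, which are constructed rather than captured from a real system.
"""
import re
from collections import Counter
from datetime import datetime, time

PRIVILEGED_ACCOUNTS = {"root", "opsadmin"}        # assumed administrative role membership
WORK_START, WORK_END = time(8, 0), time(18, 0)    # assumed normal working hours
YEAR = 2024                                       # syslog lines carry no year; assumed

# Constructed sample lines in traditional auth.log format (not from a real host).
SAMPLE_LOG = """\
Mar 12 09:14:03 host1 sshd[2101]: Accepted publickey for opsadmin from 10.0.0.5 port 51022 ssh2
Mar 12 09:14:20 host1 sudo: opsadmin : TTY=pts/0 ; PWD=/home/opsadmin ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 12 13:02:11 host1 sshd[2345]: Failed password for root from 203.0.113.9 port 40011 ssh2
Mar 12 13:02:15 host1 sshd[2345]: Failed password for root from 203.0.113.9 port 40011 ssh2
Mar 12 23:41:52 host1 sshd[2510]: Accepted password for opsadmin from 10.0.0.77 port 50120 ssh2
Mar 12 23:42:10 host1 sudo: opsadmin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/etc.tgz /etc
Mar 12 10:05:00 host1 sshd[2600]: Accepted publickey for alice from 10.0.0.8 port 51100 ssh2
"""

# sshd login outcome lines: "Accepted <method> for <user> from <src>" / "Failed <method> for <user> from <src>"
SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
# sudo lines: "sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<full command text>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : .*?"
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_ts(ts: str) -> datetime:
    """Turn a syslog timestamp into a datetime using the assumed year."""
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


def off_hours(dt: datetime) -> bool:
    """True when the event falls outside the assumed working-hours window."""
    return not (WORK_START <= dt.time() < WORK_END)


def analyze(log_text: str) -> list[dict]:
    """Return one tagged event per line that involves privileged activity.

    SSH events are kept only for accounts in PRIVILEGED_ACCOUNTS; every sudo
    invocation is kept because it runs a command as another (usually root) user.
    """
    events = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            user = m["user"]
            if user not in PRIVILEGED_ACCOUNTS:
                continue                      # non-admin login: not in scope here
            dt = parse_ts(m["ts"])
            tags = ["privileged"]
            if m["result"] == "Failed":
                tags.append("failed_admin_login")
            elif off_hours(dt):
                tags.append("off_hours_login")
            events.append({"time": dt, "user": user, "src": m["src"],
                           "tags": tags, "detail": line})
            continue
        m = SUDO_RE.match(line)
        if m:
            dt = parse_ts(m["ts"])
            tags = ["privileged", "sudo_command"]  # full command text kept in "detail"
            if off_hours(dt):
                tags.append("off_hours_command")
            events.append({"time": dt, "user": m["user"], "src": m["host"],
                           "tags": tags, "detail": m["cmd"]})
    return events


def summarize(events: list[dict]) -> dict:
    """Count how many events carry each tag (what a SIEM dashboard would show)."""
    return dict(Counter(tag for ev in events for tag in ev["tags"]))


if __name__ == "__main__":
    for ev in analyze(SAMPLE_LOG):
        print(ev["time"].isoformat(), ev["user"], ",".join(ev["tags"]), "|", ev["detail"])
    print(summarize(analyze(SAMPLE_LOG)))
```

Run as-is, the script tags the two failed root logins, the 23:41 off-hours admin login, and both sudo invocations (the second also as off-hours), while the non-privileged `alice` login is ignored. In a deployment the constructed lines would be replaced by the SIEM or log pipeline feed and the tags mapped to the organization's alerting thresholds.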
Best Practice: None
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Configurations of solution(s) supporting and/or implementing monitoring and analysis of privileged users.
CSP Implementation Tips: None