This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges. Related controls: IR-4, IR-5, SI-4.
NIST 800-53 (r5) Discussion:
Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges.
38North Guidance:
Meets Minimum Requirement:
Incorporate the detection of unauthorized security-relevant changes to the system (for example, unauthorized changes to established configuration settings or unauthorized elevation of privileges) into the incident response capability. If any of the integrity verifications described in SI-7 fail, the incident handling (IR-4) process should be invoked. Depending on the failure, a member of the Administrator Team should be notified and should then coordinate internally with other team members to begin the investigation. All failures should be handled, tracked, and retained in accordance with IR-4 so that the record remains available for later analysis and possible legal action.
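The following is an added example, not code from 38North, NIST, or any CSP tool, of what the bridge between SI-7 integrity verification and IR-4 looks like in practice: a baseline of approved file hashes and configuration settings is compared with the observed state, unauthorized privilege elevations are pulled from a constructed log, and every finding becomes an incident record that is appended to a retained history and handed to a notification hook. The baseline, the sshd_config content, the JSON log format, and the notify callback are all assumptions made for the example.

```python
"""Added example: route integrity-verification failures (SI-7) into incident
handling (IR-4). Baseline, sample files, log format and notify hook are
constructed for illustration; they are not part of any product or standard."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: the approved state that integrity verification expects.
APPROVED_SSHD_CONFIG = b"PermitRootLogin no\nPasswordAuthentication no\n"
BASELINE = {
    "files": {"/etc/ssh/sshd_config": sha256_hex(APPROVED_SSHD_CONFIG)},
    "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}


@dataclass
class Incident:
    detected_at: str
    category: str  # file-integrity | config-setting | privilege-elevation
    subject: str
    detail: str
    control: str = "SI-7(7)"
    status: str = "open"


class IncidentHistory:
    """Append-only record: entries are never deleted, only marked corrected,
    so the history stays usable for long-term analysis and legal purposes."""

    def __init__(self) -> None:
        self.records: list[Incident] = []

    def record(self, incident: Incident) -> int:
        self.records.append(incident)
        return len(self.records) - 1

    def mark_corrected(self, index: int) -> None:
        self.records[index].status = "corrected"

    def open_incidents(self) -> list[Incident]:
        return [r for r in self.records if r.status == "open"]


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def check_files(observed: dict[str, bytes]) -> list[Incident]:
    """Compare hashes of observed file content with the approved baseline."""
    found = []
    for path, expected in BASELINE["files"].items():
        if path not in observed:
            found.append(Incident(_now(), "file-integrity", path, "file missing"))
            continue
        actual = sha256_hex(observed[path])
        if actual != expected:
            found.append(Incident(_now(), "file-integrity", path,
                                  f"hash {actual[:12]} != baseline {expected[:12]}"))
    return found


def check_settings(observed: dict[str, str]) -> list[Incident]:
    """Flag configuration settings that drifted from the established values."""
    return [Incident(_now(), "config-setting", key,
                     f"observed {observed.get(key)!r}, expected {expected!r}")
            for key, expected in BASELINE["settings"].items()
            if observed.get(key) != expected]


def check_privilege_events(log_lines: list[str]) -> list[Incident]:
    """Flag privilege elevations with no approved change ticket attached.
    The one-JSON-object-per-line log format is constructed for this example."""
    found = []
    for line in log_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: nothing to judge here
        if ev.get("event") == "privilege_elevation" and not ev.get("ticket"):
            found.append(Incident(_now(), "privilege-elevation", ev.get("user", "?"),
                                  f"elevated to {ev.get('target')} without ticket"))
    return found


def run_detection(observed_files: dict[str, bytes], observed_settings: dict[str, str],
                  log_lines: list[str], history: IncidentHistory,
                  notify: Callable[[Incident], None]) -> list[Incident]:
    """Every detected change is recorded first, then handed to the IR hook."""
    incidents = (check_files(observed_files) + check_settings(observed_settings)
                 + check_privilege_events(log_lines))
    for inc in incidents:
        history.record(inc)
        notify(inc)  # hypothetical hook: page the Administrator Team / open IR-4 ticket
    return incidents
```

The order inside run_detection matters: the record is written before the notification is sent, so a failed page or ticket API call cannot lose the evidence that the change was detected. Closing an incident only flips its status; the entry itself stays in the history.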
Best Practice: None
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Meeting minutes, meeting agendas, status reports, tickets, etc. showing that unauthorized security-relevant changes to the system are handled through the incident response capability.
Alerts or notifications generated when an automated tool detects an unauthorized security-relevant change, together with the ticket or record showing the incident response process was invoked.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD