SI-4 System Monitoring

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a. Monitor the system to detect:

   1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: organization-defined monitoring objectives; and

   2. Unauthorized local, network, and remote connections;

b. Identify unauthorized use of the system through the following techniques and methods: organization-defined techniques and methods;

c. Invoke internal monitoring capabilities or deploy monitoring devices:

   1. Strategically within the system to collect organization-determined essential information; and

   2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;

d. Analyze detected events and anomalies;

e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

f. Obtain legal opinion regarding system monitoring activities; and

g. Provide organization-defined system monitoring information to organization-defined personnel or roles [Selection (one or more): as needed; organization-defined frequency].

>DoD Impact Level Requirements

Additional Requirements and Guidance

SI-4 Guidance: See US-CERT Incident Response Reporting Guidelines.

>Discussion

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system.

Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.

Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications.

Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies.

System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information.

The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

>Programmatic Queries

Related Services

GuardDuty
CloudWatch
Security Hub
CloudTrail

CLI Commands

List GuardDuty detectors
aws guardduty list-detectors
Get GuardDuty findings
aws guardduty list-findings --detector-id DETECTOR_ID
List CloudWatch alarms
aws cloudwatch describe-alarms --state-value ALARM
Get Security Hub enabled standards
aws securityhub get-enabled-standards
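The four CLI commands above each return JSON; the following is an added example (not part of this page or of any AWS tooling) that maps their output to SI-4 sub-parts a.1, b, d and g so an assessor can turn raw command output into evidence. The sample JSON is constructed, and the field names (DetectorIds, FindingIds, MetricAlarms, StateValue, StandardsSubscriptions, StandardsStatus) are assumed to match what the real commands emit.

```python
"""Evaluate SI-4 monitoring evidence from the JSON output of the CLI commands above."""
import json

# Constructed sample output standing in for the four commands on this page.
# Field names are an assumption about the AWS CLI JSON shape; verify against live output.
SAMPLE = {
    "list-detectors": '{"DetectorIds": ["12abc34d567e8fa901bc2d34e56789f0"]}',
    "list-findings": '{"FindingIds": ["a1b2c3", "d4e5f6"]}',
    "describe-alarms": json.dumps({
        "MetricAlarms": [
            {"AlarmName": "root-login-detected", "StateValue": "ALARM"},
            {"AlarmName": "cpu-high", "StateValue": "OK"},
        ],
        "CompositeAlarms": [],
    }),
    "get-enabled-standards": json.dumps({
        "StandardsSubscriptions": [
            {"StandardsArn": "arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0",
             "StandardsStatus": "READY"}
        ]
    }),
}


def assess_si4(outputs):
    """Map the CLI JSON to SI-4 sub-parts and return a dict of evidence checks."""
    detectors = json.loads(outputs["list-detectors"]).get("DetectorIds", [])
    findings = json.loads(outputs["list-findings"]).get("FindingIds", [])
    alarms = json.loads(outputs["describe-alarms"])
    all_alarms = alarms.get("MetricAlarms", []) + alarms.get("CompositeAlarms", [])
    firing = [a["AlarmName"] for a in all_alarms if a.get("StateValue") == "ALARM"]
    standards = json.loads(outputs["get-enabled-standards"]).get("StandardsSubscriptions", [])
    ready = [s["StandardsArn"] for s in standards if s.get("StandardsStatus") == "READY"]
    return {
        "a1_attack_detection_enabled": len(detectors) > 0,   # SI-4 a.1: a detector exists
        "d_open_findings": len(findings),                    # SI-4 d: events awaiting analysis
        "g_alarms_in_alarm_state": firing,                   # SI-4 g: alerts to route to personnel
        "b_security_hub_standards_ready": ready,             # SI-4 b: automated unauthorized-use checks
    }


def si4_gaps(report):
    """Return human-readable gaps; an empty list means the evidence checks pass."""
    gaps = []
    if not report["a1_attack_detection_enabled"]:
        gaps.append("No GuardDuty detector: SI-4 a.1 attack detection not evidenced")
    if not report["b_security_hub_standards_ready"]:
        gaps.append("No Security Hub standard in READY state: SI-4 b automated checks not evidenced")
    return gaps
```

Replace the entries of SAMPLE with the captured output of each command to run the same checks against a real account.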

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies and procedures govern system monitoring?
  • Who is responsible for monitoring system and information integrity?
  • How frequently are integrity monitoring processes reviewed and updated?

Technical Implementation:

  • What technical controls detect and respond to system monitoring issues?
  • How are integrity violations identified and reported?
  • What automated tools support system and information integrity monitoring?
  • What anti-malware solutions are deployed and how are they configured?
  • What systems and events are monitored for integrity violations?

Evidence & Documentation:

  • Can you provide recent integrity monitoring reports or alerts?
  • What logs demonstrate that SI-4 is actively implemented?
  • Where is evidence of integrity monitoring maintained and for how long?
  • Can you show recent malware detection reports and response actions?
  • Can you provide examples of integrity monitoring alerts and responses?