
MON Continuous Monitoring

70 controls in the Continuous Monitoring domain

MON-01 Continuous Monitoring
MON-01.1 Intrusion Detection & Prevention Systems (IDS & IPS)
MON-01.2 Automated Tools for Real-Time Analysis
MON-01.3 Inbound & Outbound Communications Traffic
MON-01.4 System Generated Alerts
MON-01.5 Wireless Intrusion Detection System (WIDS)
MON-01.6 Host-Based Devices
MON-01.7 File Integrity Monitoring (FIM)
MON-01.8 Security Event Monitoring
MON-01.9 Proxy Logging
MON-01.10 Deactivated Account Activity
MON-01.11 Automated Response to Suspicious Events
MON-01.12 Automated Alerts
MON-01.13 Alert Threshold Tuning
MON-01.14 Individuals Posing Greater Risk
MON-01.15 Privileged User Oversight
MON-01.16 Analyze and Prioritize Monitoring Requirements
MON-01.17 Real-Time Session Monitoring
MON-02 Centralized Collection of Security Event Logs
MON-02.1 Correlate Monitoring Information
MON-02.2 Central Review & Analysis
MON-02.3 Integration of Scanning & Other Monitoring Information
MON-02.4 Correlation with Physical Monitoring
MON-02.5 Permitted Actions
MON-02.6 Audit Level Adjustments
MON-02.7 System-Wide / Time-Correlated Audit Trail
MON-02.8 Changes by Authorized Individuals
MON-02.9 Inventory of Technology Asset Event Logging
MON-03 Content of Event Logs
MON-03.1 Sensitive Audit Information
MON-03.2 Audit Trails
MON-03.3 Privileged Functions Logging
MON-03.4 Verbosity Logging for Boundary Devices
MON-03.5 Limit Personal Data (PD) In Audit Records
MON-03.6 Centralized Management of Planned Audit Record Content
MON-03.7 Database Logging
MON-04 Event Log Storage Capacity
MON-05 Response To Event Log Processing Failures
MON-05.1 Real-Time Alerts of Event Logging Failure
MON-05.2 Event Log Storage Capacity Alerting
MON-06 Monitoring Reporting
MON-06.1 Query Parameter Audits of Personal Data (PD)
MON-06.2 Trend Analysis Reporting
MON-07 Time Stamps
MON-07.1 Synchronization With Authoritative Time Source
MON-08 Protection of Event Logs
MON-08.1 Event Log Backup on Separate Physical Systems / Components
MON-08.2 Access by Subset of Privileged Users
MON-08.3 Cryptographic Protection of Event Log Information
MON-08.4 Dual Authorization for Event Log Movement
MON-09 Non-Repudiation
MON-09.1 Identity Binding
MON-10 Event Log Retention
MON-11 Monitoring For Information Disclosure
MON-11.1 Analyze Traffic for Covert Exfiltration
MON-11.2 Unauthorized Network Services
MON-11.3 Monitoring for Indicators of Compromise (IOC)
MON-12 Session Audit
MON-13 Alternate Event Logging Capability
MON-14 Cross-Organizational Monitoring
MON-14.1 Sharing of Event Logs
MON-15 Covert Channel Analysis
MON-16 Anomalous Behavior
MON-16.1 Insider Threats
MON-16.2 Third-Party Threats
MON-16.3 Unauthorized Activities
MON-16.4 Account Creation and Modification Logging
MON-17 Event Log Analysis & Triage
MON-17.1 Event Log Review Escalation Matrix
MON-18 File Activity Monitoring (FAM)