END-06: Endpoint File Integrity Monitoring (FIM)

END 8 — High Protect

Mechanisms exist to utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings.

Control Question: Does the organization utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings?

General (36)

Framework	Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source)	CC6.8 CC7.1-POF2 CC7.1-POF3 CC7.1-POF4
CSA IoT SCF 2	SAP-06
ENISA 2.0	SO12
GovRAMP Core	SI-07
GovRAMP Low+	SI-07
GovRAMP Moderate	SI-07
GovRAMP High	SI-07
IEC 62443-4-2 2019	FR 3 (7.1)
MITRE ATT&CK 10	T1003, T1003.003, T1020.001, T1027, T1027.002, T1036, T1036.001, T1036.005, T1037, T1037.002, T1037.003, T1037.004, T1037.005, T1040, T1047, T1053.006, T1056.002, T1059, T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1068, T1070, T1070.001, T1070.002, T1070.003, T1072, T1080, T1098.001, T1098.002, T1098.003, T1114, T1114.001, T1114.002, T1114.003, T1119, T1127, T1129, T1133, T1136, T1136.001, T1136.002, T1136.003, T1176, T1185, T1189, T1190, T1195.003, T1203, T1204, T1204.002, T1204.003, T1210, T1211, T1212, T1213, T1213.001, T1213.002, T1216, T1216.001, T1218, T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014, T1219, T1220, T1221, T1222, T1222.001, T1222.002, T1485, T1486, T1490, T1491, T1491.001, T1491.002, T1495, T1505, T1505.001, T1505.002, T1505.004, T1525, T1530, T1542, T1542.001, T1542.003, T1542.004, T1542.005, T1543, T1543.002, T1546, T1546.002, T1546.004, T1546.006, T1546.008, T1546.009, T1546.010, T1546.013, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.008, T1547.011, T1547.013, T1548, T1548.004, T1550.001, T1550.004, T1552, T1552.004, T1553, T1553.001, T1553.003, T1553.005, T1553.006, T1554, T1556, T1556.001, T1556.003, T1556.004, T1557, T1557.002, T1558, T1558.002, T1558.003, T1558.004, T1561, T1561.001, T1561.002, T1562, T1562.001, T1562.002, T1562.004, T1562.006, T1562.009, T1564.003, T1564.004, T1564.006, T1564.008, T1564.009, T1565, T1565.001, T1565.002, T1569, T1569.002, T1574, T1574.001, T1574.004, T1574.006, T1574.007, T1574.008, T1574.009, T1574.012, T1599, T1599.001, T1601, T1601.001, T1601.002, T1602, T1602.001, T1602.002, T1609, T1611
MPA Content Security Program 5.1	TS-2.6
NIST Privacy Framework 1.0	PR.DS-P6 PR.DS-P8
NIST 800-53 R4	SI-7
NIST 800-53 R4 (moderate)	SI-7
NIST 800-53 R4 (high)	SI-7
NIST 800-53 R5 (source)	SI-7
NIST 800-53B R5 (moderate) (source)	SI-7
NIST 800-53B R5 (high) (source)	SI-7
NIST 800-82 R3 MODERATE OT Overlay	SI-7
NIST 800-82 R3 HIGH OT Overlay	SI-7
NIST 800-161 R1	SI-7
NIST 800-161 R1 C-SCRM Baseline	SI-7
NIST 800-161 R1 Flow Down	SI-7
NIST 800-161 R1 Level 2	SI-7
NIST 800-161 R1 Level 3	SI-7
NIST CSF 2.0 (source)	DE.CM-09
PCI DSS 4.0.1 (source)	10.3.4 11.5 11.5.2 11.6.1
PCI DSS 4.0.1 SAQ A (source)	11.6.1
PCI DSS 4.0.1 SAQ A-EP (source)	10.3.4 11.5.2 11.6.1
PCI DSS 4.0.1 SAQ C (source)	10.3.4 11.5.2
PCI DSS 4.0.1 SAQ D Merchant (source)	10.3.4 11.5.2 11.6.1
PCI DSS 4.0.1 SAQ D Service Provider (source)	10.3.4 11.5.2 11.6.1
SWIFT CSF 2023	6.2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D)	END-06
SCF CORE ESP Level 1 Foundational	END-06
SCF CORE ESP Level 2 Critical Infrastructure	END-06
SCF CORE ESP Level 3 Advanced Threats	END-06

US (15)

Framework	Mapping Values
US CERT RMM 1.2	KIM:SG5.SP1 KIM:SG5.SP2 KIM:SG5.SP3 TM:SG4.SP1 TM:SG4.SP2 TM:SG4.SP3 TM:SG4.SP4
US CJIS Security Policy 5.9.3 (source)	SI-7
US CMS MARS-E 2.0	SI-7
US DHS ZTCF	EPM-01
US FedRAMP R4	SI-7
US FedRAMP R4 (moderate)	SI-7
US FedRAMP R4 (high)	SI-7
US FedRAMP R5 (source)	SI-7
US FedRAMP R5 (moderate) (source)	SI-7
US FedRAMP R5 (high) (source)	SI-7
US FFIEC	D3.PC.Se.Int.3 D3.PC.De.Int.2
US HIPAA HICP Large Practice	2.L.D
US IRS 1075	SI-7
US NISPOM 2020	8-302
US - TX TX-RAMP Level 2	SI-7

EMEA (4)

Framework	Mapping Values
EMEA EU EBA GL/2019/04	3.4.4(36)(e)
EMEA Israel CDMO 1.0	6.4 12.19
EMEA Saudi Arabia OTCC-1 2022	1-5-4
EMEA UK DEFSTAN 05-138	2425

APAC (2)

Framework	Mapping Values
APAC India SEBI CSCRF	PR.DS.S6
APAC New Zealand NZISM 3.6	14.1.12.C.01 14.1.12.C.02 14.1.12.C.03

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings.

Level 1 — Performed Informally

Endpoint Security (END) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
IT/cybersecurity personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments, including the implementation of appropriate cybersecurity and data protection controls.
Anti-malware technologies are decentralized but are deployed on all technology assets that can run Anti-malware software.
Data management is decentralized.

Level 2 — Planned & Tracked

Endpoint Security (END) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Endpoint security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for endpoint security management.
Anti-malware technologies are decentralized but are deployed on all technology assets that can run anti-malware software.
Physical controls, administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and mostly conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including cryptographic protections for sensitive/regulated data.

Level 3 — Well Defined

Endpoint Security (END) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Configuration management is centralized for all operating systems, applications, servers and other configurable technologies.
Technologies are configured to protect data with the strength and integrity commensurate with the classification or sensitivity of the information and conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides), including test, development, staging and production environments.
Configurations conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments.
An Identity & Access Management (IAM) function, or similar function, centrally manages permissions and implements “least privileges” practices for the management of user, group and system accounts, including privileged accounts.
An IT Asset Management (ITAM) function, or similar function, categorizes endpoint devices according to the data the asset stores, transmits and/ or processes and applies the appropriate technology controls to protect the asset and data that conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides).
A Security Operations Center (SOC), or similar function, centrally manages anti-malware and anti-phishing technologies, in accordance with industry-recognized practices for Prevention, Detection & Response (PDR) activities.
A Security Incident Event Manager (SIEM), or similar automated tool, is tuned to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.
The Human Resources (HR) department ensures that every user accessing a system that processes, stores, or transmits sensitive/regulated data is cleared and regularly trained in proper data handling practices.
Unauthorized configuration changes are responded to in accordance with an Incident Response Plan (IRP) to determine if the any unauthorized configuration is malicious in nature.

Level 4 — Quantitatively Controlled

Endpoint Security (END) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

Endpoint Security (END) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.

Assessment Objectives

END-06_A01 software, firmware and/or information requiring integrity verification tools to be employed to detect unauthorized changes is defined.
END-06_A02 actions to be taken when unauthorized changes to software, firmware and/or information are detected are defined.
END-06_A03 integrity verification tools are employed to detect unauthorized changes to software, firmware and/or information.
END-06_A04 actions are taken when unauthorized changes to the software, firmware and/or information are detected.

Evidence Requirements

E-END-01 Endpoint Security Tools: Documented evidence of endpoint security tools employed by the organization to ensure secure and compliant systems, applications and processes (e.g., antimalware, FIM, etc.).
Endpoint Security

Technology Recommendations

Micro/Small

File Integrity Monitor (FIM)
ManageEngine Endpoint Central (https://manageengine.com)

Small

File Integrity Monitor (FIM)
ManageEngine Endpoint Central (https://manageengine.com)

Medium

File Integrity Monitor (FIM)
ManageEngine Endpoint Central (https://manageengine.com)
CimTrak Integrity Suite (https://cimcor.com/cimtrak)
Netwrix Auditor (https://netrix.com)

Large

File Integrity Monitor (FIM)
ManageEngine Endpoint Central (https://manageengine.com)
CimTrak Integrity Suite (https://cimcor.com/cimtrak)
Netwrix Auditor (https://netrix.com)

Enterprise

File Integrity Monitor (FIM)
ManageEngine Endpoint Central (https://manageengine.com)
CimTrak Integrity Suite (https://cimcor.com/cimtrak)
Netwrix Auditor (https://netrix.com)