MON: Continuous Monitoring

70 controls

Maintain situational awareness of security-related events through the centralized collection and analysis of event logs from systems, applications and services.

| SCF # | Control Name | Weight | NIST CSF Function | Frameworks (count mapped) |
|---|---|---|---|---|
| MON-01 | Continuous Monitoring | 10 — Critical | Govern | 133 |
| MON-01.1 | Intrusion Detection & Prevention Systems (IDS & IPS) | 9 — Critical | Detect | 51 |
| MON-01.2 | Automated Tools for Real-Time Analysis | 9 — Critical | Detect | 57 |
| MON-01.3 | Inbound & Outbound Communications Traffic | 9 — Critical | Detect | 48 |
| MON-01.4 | System Generated Alerts | 7 — High | Detect | 74 |
| MON-01.5 | Wireless Intrusion Detection System (WIDS) | 5 — Medium | Detect | 22 |
| MON-01.6 | Host-Based Devices | 8 — High | Detect | 13 |
| MON-01.7 | File Integrity Monitoring (FIM) | 9 — Critical | Detect | 34 |
| MON-01.8 | Security Event Monitoring | 10 — Critical | Detect | 77 |
| MON-01.9 | Proxy Logging | 8 — High | Detect | 6 |
| MON-01.10 | Deactivated Account Activity | 9 — Critical | Detect | 3 |
| MON-01.11 | Automated Response to Suspicious Events | 5 — Medium | Detect | 4 |
| MON-01.12 | Automated Alerts | 5 — Medium | Detect | 22 |
| MON-01.13 | Alert Threshold Tuning | 5 — Medium | Detect | 11 |
| MON-01.14 | Individuals Posing Greater Risk | 5 — Medium | Detect | 14 |
| MON-01.15 | Privileged User Oversight | 5 — Medium | Detect | 26 |
| MON-01.16 | Analyze and Prioritize Monitoring Requirements | 5 — Medium | Detect | 92 |
| MON-01.17 | Real-Time Session Monitoring | 4 — Medium | Detect | 3 |
| MON-02 | Centralized Collection of Security Event Logs | 10 — Critical | Detect | 98 |
| MON-02.1 | Correlate Monitoring Information | 9 — Critical | Detect | 68 |
| MON-02.2 | Central Review & Analysis | 5 — Medium | Detect | 52 |
| MON-02.3 | Integration of Scanning & Other Monitoring Information | 5 — Medium | Detect | 31 |
| MON-02.4 | Correlation with Physical Monitoring | 5 — Medium | Detect | 16 |
| MON-02.5 | Permitted Actions | 5 — Medium | Protect | 12 |
| MON-02.6 | Audit Level Adjustments | 5 — Medium | Detect | 24 |
| MON-02.7 | System-Wide / Time-Correlated Audit Trail | 5 — Medium | Detect | 37 |
| MON-02.8 | Changes by Authorized Individuals | 5 — Medium | Detect | 13 |
| MON-02.9 | Inventory of Technology Asset Event Logging | 7 — High | Identify | 1 |
| MON-03 | Content of Event Logs | 10 — Critical | Detect | 101 |
| MON-03.1 | Sensitive Audit Information | 8 — High | Detect | 29 |
| MON-03.2 | Audit Trails | 10 — Critical | Detect | 33 |
| MON-03.3 | Privileged Functions Logging | 8 — High | Detect | 31 |
| MON-03.4 | Verbosity Logging for Boundary Devices | 5 — Medium | Detect | 2 |
| MON-03.5 | Limit Personal Data (PD) In Audit Records | 8 — High | Detect | 4 |
| MON-03.6 | Centralized Management of Planned Audit Record Content | 5 — Medium | Detect | 10 |
| MON-03.7 | Database Logging | 8 — High | Detect | 6 |
| MON-04 | Event Log Storage Capacity | 8 — High | Detect | 40 |
| MON-05 | Response To Event Log Processing Failures | 8 — High | Detect | 51 |
| MON-05.1 | Real-Time Alerts of Event Logging Failure | 6 — Medium | Detect | 15 |
| MON-05.2 | Event Log Storage Capacity Alerting | 5 — Medium | Detect | 9 |
| MON-06 | Monitoring Reporting | 7 — High | Detect | 60 |
| MON-06.1 | Query Parameter Audits of Personal Data (PD) | 3 — Low | Detect | 3 |
| MON-06.2 | Trend Analysis Reporting | 5 — Medium | Detect | 10 |
| MON-07 | Time Stamps | 10 — Critical | Detect | 52 |
| MON-07.1 | Synchronization With Authoritative Time Source | 8 — High | Detect | 46 |
| MON-08 | Protection of Event Logs | 10 — Critical | Detect | 75 |
| MON-08.1 | Event Log Backup on Separate Physical Systems / Components | 5 — Medium | Detect | 34 |
| MON-08.2 | Access by Subset of Privileged Users | 8 — High | Detect | 42 |
| MON-08.3 | Cryptographic Protection of Event Log Information | 5 — Medium | Protect | 16 |
| MON-08.4 | Dual Authorization for Event Log Movement | 5 — Medium | Protect | 3 |
| MON-09 | Non-Repudiation | 8 — High | Protect | 19 |
| MON-09.1 | Identity Binding | 4 — Medium | Protect | 4 |
| MON-10 | Event Log Retention | 10 — Critical | Detect | 77 |
| MON-11 | Monitoring For Information Disclosure | 8 — High | Detect | 16 |
| MON-11.1 | Analyze Traffic for Covert Exfiltration | 5 — Medium | Detect | 14 |
| MON-11.2 | Unauthorized Network Services | 5 — Medium | Detect | 10 |
| MON-11.3 | Monitoring for Indicators of Compromise (IOC) | 5 — Medium | Detect | 31 |
| MON-12 | Session Audit | 7 — High | Detect | 12 |
| MON-13 | Alternate Event Logging Capability | 3 — Low | Detect | 6 |
| MON-14 | Cross-Organizational Monitoring | 3 — Low | Detect | 10 |
| MON-14.1 | Sharing of Event Logs | 5 — Medium | Detect | 8 |
| MON-15 | Covert Channel Analysis | 3 — Low | Detect | 9 |
| MON-16 | Anomalous Behavior | 10 — Critical | Detect | 67 |
| MON-16.1 | Insider Threats | 8 — High | Detect | 13 |
| MON-16.2 | Third-Party Threats | 8 — High | Detect | 10 |
| MON-16.3 | Unauthorized Activities | 8 — High | Detect | 17 |
| MON-16.4 | Account Creation and Modification Logging | 7 — High | Detect | 7 |
| MON-17 | Event Log Analysis & Triage | 7 — High | Detect | 7 |
| MON-17.1 | Event Log Review Escalation Matrix | 7 — High | Detect | 2 |
| MON-18 | File Activity Monitoring (FAM) | 5 — Medium | Detect | 1 |

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.