MON-01.15: Privileged User Oversight
Mechanisms exist to implement enhanced activity monitoring for privileged users.
Control Question: Does the organization implement enhanced activity monitoring for privileged users?
General (13)
| Framework | Mapping Values |
|---|---|
| CIS CSC 8.1 | 3.14 |
| CIS CSC 8.1 IG3 | 3.14 |
| CSA CCM 4 | IAM-09 IAM-10 IAM-11 LOG-11 |
| CSA IoT SCF 2 | CLS-07 |
| GovRAMP High | SI-04(20) |
| NIST 800-53 R4 | SI-4(20) |
| NIST 800-53 R5 (source) | SI-4(20) |
| NIST 800-53B R5 (high) (source) | SI-4(20) |
| NIST 800-82 R3 HIGH OT Overlay | SI-4(20) |
| NIST 800-171 R3 (source) | 03.01.07.b |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MON-01.15 |
| SCF CORE ESP Level 2 Critical Infrastructure | MON-01.15 |
| SCF CORE ESP Level 3 Advanced Threats | MON-01.15 |
US (8)
| Framework | Mapping Values |
|---|---|
| US DHS ZTCF | BAS-02 SEC-01 |
| US FedRAMP R4 | SI-4(20) |
| US FedRAMP R4 (high) | SI-4(20) |
| US FedRAMP R5 (source) | SI-4(20) |
| US FedRAMP R5 (high) (source) | SI-4(20) |
| US HIPAA Administrative Simplification 2013 (source) | 164.312(c)(2) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.312(c)(2) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.7(c) |
EMEA (4)
| Framework | Mapping Values |
|---|---|
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 6.7 |
| EMEA Saudi Arabia ECC-1 2018 | 2-12-3-2 |
| EMEA Saudi Arabia SACS-002 | TPC-83 |
| EMEA UK DEFSTAN 05-138 | 2203 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.01.07.B |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to implement enhanced activity monitoring for privileged users.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to implement enhanced activity monitoring for privileged users.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to implement enhanced activity monitoring for privileged users.
Level 3 — Well Defined
Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.
- An IT Asset Management (ITAM) function, or similar function:
- A Security Incident Event Manager (SIEM), or similar automated tool:
- Human Resources (HR) and Legal departments determine what is legally-allowable to support enhanced monitoring for individuals who pose a greater risk to the organization, including privileged users.
- A Security Operations Center (SOC), or similar capability, configures monitoring technologies to implement the enhanced monitoring profiles for selected users and establish a reporting capability to designated personnel.
Level 4 — Quantitatively Controlled
Continuous Monitoring (MON) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
Continuous Monitoring (MON) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
- Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.
Assessment Objectives
- MON-01.15_A01 additional monitoring of privileged users is defined.
- MON-01.15_A02 additional monitoring of privileged users is implemented.
Evidence Requirements
- E-MON-03 Privileged User Oversight
-
Documented evidence of privileged user activity being logged and included as part of the centralized event log collection and review/analysis process.
Event Log Monitoring
Technology Recommendations
Micro/Small
- Managed Security Services Provider (MSSP)
Small
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Medium
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Large
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Enterprise
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)