MON-01.16: Analyze and Prioritize Monitoring Requirements
Mechanisms exist to assess the organization's needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes.
Control Question: Does the organization assess its needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes?
General (22)
| Framework | Mapping Values |
|---|---|
| CSA CCM 4 | LOG-11 |
| CSA IoT SCF 2 | CLS-07 CLS-08 |
| MPA Content Security Program 5.1 | TS-1.11 |
| NIST 800-171 R2 (source) | 3.3.3 NFO-AU-1 |
| NIST 800-171 R3 (source) | 03.03.01.a 03.12.03 03.14.06.a |
| NIST 800-171A R3 (source) | A.03.14.06.a.01[01] A.03.14.06.a.01[02] A.03.14.06.a.02 |
| NIST 800-172 | 3.14.2e |
| NIST 800-207 | NIST Tenet 5 NIST Tenet 6 NIST Tenet 7 |
| NIST CSF 2.0 (source) | DE.AE DE.CM-01 DE.CM-03 DE.CM-06 DE.CM-09 PR.PS-04 |
| OWASP Top 10 2021 | A01:2021 A07:2021 A09:2021 |
| PCI DSS 4.0.1 (source) | 10.1 10.4.3 10.7 10.7.1 10.7.2 10.7.3 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 10.4.3 |
| PCI DSS 4.0.1 SAQ C (source) | 10.4.3 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 10.4.3 10.7.2 10.7.3 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 10.4.3 10.7.1 10.7.2 10.7.3 |
| SPARTA | CM0090 |
| SWIFT CSF 2023 | 6.4 |
| TISAX ISA 6 | 5.2.4 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MON-01 |
| SCF CORE ESP Level 1 Foundational | MON-01 |
| SCF CORE ESP Level 2 Critical Infrastructure | MON-01 |
| SCF CORE ESP Level 3 Advanced Threats | MON-01 |
US (39)
EMEA (21)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.4.5(39) 3.4.5(40) 3.5(52) |
| EMEA EU DORA | 10.3 |
| EMEA EU NIS2 Annex | 13.1.2(f) 2.2.3 3.2.1 3.2.2 3.2.6 |
| EMEA Austria | Sec 14 Sec 15 |
| EMEA Belgium | 16 |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 5.5 6.3 6.7 |
| EMEA Germany C5 2020 | OPS-10 |
| EMEA Israel CDMO 1.0 | 4.6 6.8 9.10 11.11 12.31 13.9 21.1 |
| EMEA Saudi Arabia CSCC-1 2019 | 2-11 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 2-11-1 |
| EMEA Saudi Arabia ECC-1 2018 | 2-3-4 2-12-1 2-12-2 2-12-3 2-12-4 5-1-3-3 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-11 2-11-1 2-11-2 |
| EMEA Saudi Arabia SACS-002 | TPC-40 TPC-80 |
| EMEA Saudi Arabia SAMA CSF 1.0 | 3.3.14 |
| EMEA South Africa | 19.1 19.2 |
| EMEA Spain BOE-A-2022-7191 | 10.1 21.2 24.1 |
| EMEA Spain 311/2022 | 10.1 21.2 24.1 |
| EMEA Spain CCN-STIC 825 | 7.3.8 [OP.EXP.8] |
| EMEA UK CAF 4.0 | C1 |
| EMEA UK CAP 1850 | C1 |
| EMEA UK DEFSTAN 05-138 | 2203 2427 3100 3101 3102 3106 |
APAC (6)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0109 ISM-0120 ISM-0580 ISM-0660 ISM-1163 ISM-1294 ISM-1294 ISM-1586 |
| APAC Japan ISMAP | 12.4.1 12.4.1.15.PB 12.4.5.P |
| APAC New Zealand HISF 2022 | HHSP70 HML70 HMS18 HSUP61 |
| APAC New Zealand HISF Suppliers 2023 | HSUP61 |
| APAC New Zealand NZISM 3.6 | 16.6.6.C.01 16.6.6.C.02 16.6.8.C.01 16.6.10.C.01 16.6.10.C.02 |
| APAC Singapore MAS TRM 2021 | 12.2.1 12.2.2 12.2.3 |
Americas (4)
| Framework | Mapping Values |
|---|---|
| Americas Bermuda BMACCC | 6.21 |
| Americas Canada CSAG | 3.5 |
| Americas Canada OSFI B-13 | 3.3 3.3.1 3.3.2 |
| Americas Canada ITSP-10-171 | 03.03.01.A 03.12.03 03.14.06.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to assess its needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to assess its needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes.
Level 2 — Planned & Tracked
Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.
- Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
- IT/cybersecurity personnel:
- A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical systems.
Level 3 — Well Defined
Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.
- An IT Asset Management (ITAM) function, or similar function:
- A Security Incident Event Manager (SIEM), or similar automated tool:
- Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to assess its needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to assess its needs for monitoring and prioritize the monitoring of assets, based on asset criticality and the sensitivity of the data it stores, transmits and processes.
Assessment Objectives
- MON-01.16_A01 the organization formally identifies its needs for monitoring.
- MON-01.16_A02 monitoring needs are prioritized by asset, based on (1) asset criticality and (2) the sensitivity of the data it stores, transmits and processes.