Skip to main content

MON-01.4: System Generated Alerts

MON 7 — High Detect

Mechanisms exist to generate, monitor, correlate and respond to alerts from physical, cybersecurity, data protection and supply chain activities to achieve integrated situational awareness.

Control Question: Does the organization generate, monitor, correlate and respond to alerts from physical, cybersecurity, data protection and supply chain activities to achieve integrated situational awareness?

General (38)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC7.2 CC7.2-POF2
CIS CSC 8.1 8.2
CIS CSC 8.1 IG2 8.4
CIS CSC 8.1 IG3 8.4
COBIT 2019 DSS06.05
CSA CCM 4 LOG-03
CSA IoT SCF 2 CLS-08 MON-03
GovRAMP Moderate SI-04(05)
GovRAMP High SI-04(05)
IEC 62443-4-2 2019 CR 2.8 (6.10.1)
IMO Maritime Cyber Risk Management 3.5.3.3
ISO 27002 2022 8.15
ISO 27017 2015 12.4.1
NIST 800-53 R4 SI-4(5)
NIST 800-53 R4 (moderate) SI-4(5)
NIST 800-53 R4 (high) SI-4(5)
NIST 800-53 R5 (source) SI-4(5)
NIST 800-53B R5 (moderate) (source) SI-4(5)
NIST 800-53B R5 (high) (source) SI-4(5)
NIST 800-82 R3 MODERATE OT Overlay SI-4(5)
NIST 800-82 R3 HIGH OT Overlay SI-4(5)
NIST 800-171 R2 (source) NFO-SI-4(5)
NIST 800-171 R3 (source) 03.03.01.a 03.03.03.a 03.14.06.a.01 03.14.06.b 03.14.06.c
NIST 800-171A R3 (source) A.03.03.02.a.01 A.03.03.03.a
NIST 800-207 NIST Tenet 7
NIST CSF 2.0 (source) DE.CM-01 PR.PS-04
OWASP Top 10 2021 A01:2021 A07:2021 A09:2021
PCI DSS 4.0.1 (source) 10.2 10.4 10.4.1 10.4.1.1 10.4.3 10.7 10.7.1 10.7.2 10.7.3
PCI DSS 4.0.1 SAQ A-EP (source) 10.4.1 10.4.1.1 10.4.3
PCI DSS 4.0.1 SAQ C (source) 10.4.1 10.4.1.1 10.4.3
PCI DSS 4.0.1 SAQ D Merchant (source) 10.4.1 10.4.1.1 10.4.3 10.7.2 10.7.3
PCI DSS 4.0.1 SAQ D Service Provider (source) 10.4.1 10.4.1.1 10.4.3 10.7.1 10.7.2 10.7.3
TISAX ISA 6 5.2.4
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) MON-01.4
SCF CORE ESP Level 1 Foundational MON-01.4
SCF CORE ESP Level 2 Critical Infrastructure MON-01.4
SCF CORE ESP Level 3 Advanced Threats MON-01.4
SCF CORE AI Model Deployment MON-01.4
US (22)
Framework Mapping Values
US C2M2 2.1 SITUATION-1.A.MIL1 SITUATION-1.B.MIL2 SITUATION-1.C.MIL2 SITUATION-1.D.MIL2 SITUATION-1.F.MIL3
US CISA CPG 2022 2.G 2.T
US CJIS Security Policy 5.9.3 (source) 5.4.1 5.4.1.1 5.4.1.1.1 SI-4(5)
US CMS MARS-E 2.0 SI-4(5)
US DHS CISA SSDAF 1.b.ii
US DHS CISA TIC 3.0 3.UNI.AACCO
US DHS ZTCF APP-02 SEC-01
US EO 14028 4e(i)(B)
US FedRAMP R4 SI-4(5)
US FedRAMP R4 (moderate) SI-4(5)
US FedRAMP R4 (high) SI-4(5)
US FedRAMP R5 (source) SI-4(5)
US FedRAMP R5 (moderate) (source) SI-4(5)
US FedRAMP R5 (high) (source) SI-4(5)
US HIPAA Administrative Simplification 2013 (source) 164.312(b)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.312(b)
US IRS 1075 SI-4(5)
US NERC CIP 2024 (source) CIP-007-6 4.1 CIP-007-6 4.2
US SSA EIESR 8.0 5.4 5.6
US TSA / DHS 1580/82-2022-01 III.D.3.a
US - CA CCPA 2025 7123(c)(7)
US - TX TX-RAMP Level 2 SI-4(5)
EMEA (9)
Framework Mapping Values
EMEA EU AI Act 12.1
EMEA Germany C5 2020 OPS-13
EMEA Israel CDMO 1.0 21.2 21.4
EMEA Saudi Arabia CSCC-1 2019 2-11-1-1
EMEA Saudi Arabia ECC-1 2018 2-12-3-1
EMEA Saudi Arabia SACS-002 TPC-80 TPC-87
EMEA Spain CCN-STIC 825 7.3.8 [OP.EXP.8]
EMEA UK CAF 4.0 C1.a C1.c
EMEA UK DEFSTAN 05-138 3101
APAC (3)
Framework Mapping Values
APAC Japan ISMAP 12.4.1 12.4.1.15.PB
APAC New Zealand HISF 2022 HHSP69 HML68 HSUP60
APAC New Zealand HISF Suppliers 2023 HSUP60
Americas (2)
Framework Mapping Values
Americas Canada CSAG 3.6
Americas Canada ITSP-10-171 03.03.01.A 03.03.03.A 03.14.06.A.01 03.14.06.B 03.14.06.C

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to generate, monitor, correlate and respond to alerts from physical, cybersecurity, data protection and supply chain activities to achieve integrated situational awareness.

Level 1 — Performed Informally

Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/ or systems that store, processes and/ or transmit sensitive/regulated data.
  • Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
Level 2 — Planned & Tracked

Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.

  • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
  • IT/cybersecurity personnel:
  • A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical systems.
Level 3 — Well Defined

Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.

  • An IT Asset Management (ITAM) function, or similar function:
  • A Security Incident Event Manager (SIEM), or similar automated tool:
  • Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to generate, monitor, correlate and respond to alerts from physical, cybersecurity, data protection and supply chain activities to achieve integrated situational awareness.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to generate, monitor, correlate and respond to alerts from physical, cybersecurity, data protection and supply chain activities to achieve integrated situational awareness.

Assessment Objectives

  1. MON-01.4_A01 audit records contain information that establishes what type of event occurred.
  2. MON-01.4_A02 audit records for the selected event types and audit record content are generated.
  3. MON-01.4_A03 personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined.
  4. MON-01.4_A04 compromise indicators are defined.
  5. MON-01.4_A05 personnel or roles are alerted when system-generated compromise indicators occur.
  6. MON-01.4_A06 audit records for the selected event types and audit record content specified in 03.03.01 and 03.03.02 are generated.

Evidence Requirements

E-END-03 Antimalware Scanning Results

Documented evidence of scan results from malicious code protection mechanisms.

Endpoint Security
E-MON-01 Event Log Review & Analysis

Documented evidence of security event log review and analysis (e.g., system monitoring records).

Event Log Monitoring
E-MON-06 Automated Event Escalation & Reporting

Documented evidence of a capability for selected events to alert applicable personnel, or roles, based on the type of event. This can be demonstrated by the configuration of a Security Incident Event Manager (SIEM), or similar technology, that helps automate event log analysis and reporting.

Event Log Monitoring
E-MON-07 Situational Awareness

Documented evidence of the organization leveraging knowledge of event log generation to gain situational awareness of cross-domain activities (e.g., technology issues, security events, policy violations, service provider activities, remote workforce activities, physical security events, etc.).

Event Log Monitoring

Technology Recommendations

Micro/Small

  • Secure Baseline Configurations (SBC)

Small

  • Secure Baseline Configurations (SBC)

Medium

  • Secure Baseline Configurations (SBC)

Large

  • Secure Baseline Configurations (SBC)

Enterprise

  • Secure Baseline Configurations (SBC)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free