MON-01.7: File Integrity Monitoring (FIM)
Mechanisms exist to utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical Technology Assets, Applications and/or Services (TAAS) to generate alerts for unauthorized modifications.
Control Question: Does the organization utilize a File Integrity Monitor (FIM), or similar change-detection technology, on critical Technology Assets, Applications and/or Services (TAAS) to generate alerts for unauthorized modifications?
General (23)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC6.8 CC7.1 CC7.1-POF2 CC7.1-POF3 CC7.1-POF4 |
| CSA IoT SCF 2 | SAP-06 |
| ENISA 2.0 | SO12 |
| GovRAMP High | SI-04(24) |
| IEC 62443-4-2 2019 | FR 3 (7.1) CR 3.4 (7.6.3(2)) |
| MITRE ATT&CK 10 | T1003, T1003.003, T1020.001, T1027, T1027.002, T1036, T1036.001, T1036.005, T1037, T1037.002, T1037.003, T1037.004, T1037.005, T1040, T1047, T1053.006, T1056.002, T1059, T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1068, T1070, T1070.001, T1070.002, T1070.003, T1072, T1080, T1098.001, T1098.002, T1098.003, T1114, T1114.001, T1114.002, T1114.003, T1119, T1127, T1129, T1133, T1136, T1136.001, T1136.002, T1136.003, T1176, T1185, T1189, T1190, T1195.003, T1203, T1204, T1204.002, T1204.003, T1210, T1211, T1212, T1213, T1213.001, T1213.002, T1216, T1216.001, T1218, T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014, T1219, T1220, T1221, T1222, T1222.001, T1222.002, T1485, T1486, T1490, T1491, T1491.001, T1491.002, T1495, T1505, T1505.001, T1505.002, T1505.004, T1525, T1530, T1542, T1542.001, T1542.003, T1542.004, T1542.005, T1543, T1543.002, T1546, T1546.002, T1546.004, T1546.006, T1546.008, T1546.009, T1546.010, T1546.013, T1547.002, T1547.003, T1547.004, T1547.005, T1547.006, T1547.008, T1547.011, T1547.013, T1548, T1548.004, T1550.001, T1550.004, T1552, T1552.004, T1553, T1553.001, T1553.003, T1553.005, T1553.006, T1554, T1556, T1556.001, T1556.003, T1556.004, T1557, T1557.002, T1558, T1558.002, T1558.003, T1558.004, T1561, T1561.001, T1561.002, T1562, T1562.001, T1562.002, T1562.004, T1562.006, T1562.009, T1564.003, T1564.004, T1564.006, T1564.008, T1564.009, T1565, T1565.001, T1565.002, T1569, T1569.002, T1574, T1574.001, T1574.004, T1574.006, T1574.007, T1574.008, T1574.009, T1574.012, T1599, T1599.001, T1601, T1601.001, T1601.002, T1602, T1602.001, T1602.002, T1609, T1611 |
| MPA Content Security Program 5.1 | TS-2.6 |
| NIST Privacy Framework 1.0 | PR.DS-P6 |
| NIST 800-53 R5 (source) | SI-4(24) |
| NIST 800-53 R5 (NOC) (source) | SI-4(24) |
| NIST CSF 2.0 (source) | DE.CM-09 |
| OWASP Top 10 2021 | A01:2021 A02:2021 A05:2021 A08:2021 A09:2021 |
| PCI DSS 4.0.1 (source) | 10.3.4 10.4 11.5 11.5.2 11.6.1 |
| PCI DSS 4.0.1 SAQ A (source) | 11.6.1 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 10.3.4 11.5.2 11.6.1 |
| PCI DSS 4.0.1 SAQ C (source) | 10.3.4 11.5.2 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 10.3.4 11.5.2 11.6.1 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 10.3.4 11.5.2 11.6.1 |
| SWIFT CSF 2023 | 6.2 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MON-01.7 |
| SCF CORE ESP Level 1 Foundational | MON-01.7 |
| SCF CORE ESP Level 2 Critical Infrastructure | MON-01.7 |
| SCF CORE ESP Level 3 Advanced Threats | MON-01.7 |
US (7)
| Framework | Mapping Values |
|---|---|
| US DoD Zero Trust Execution Roadmap | 2.3.3 2.3.5 |
| US DHS ZTCF | APP-02 |
| US HIPAA Administrative Simplification 2013 (source) | 164.312(c)(2) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.312(c)(2) |
| US HIPAA HICP Large Practice | 2.L.D |
| US IRS 1075 | SI-4(24) |
| US NISPOM 2020 | 8-613 |
EMEA (3)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.4.4(36)(e) |
| EMEA Israel CDMO 1.0 | 6.4 12.19 |
| EMEA Saudi Arabia OTCC-1 2022 | 1-5-4 |
APAC (1)
| Framework | Mapping Values |
|---|---|
| APAC New Zealand NZISM 3.6 | 16.6.10.C.01 16.6.10.C.02 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to utilize a File Integrity monitor (FIM), or similar change-detection technology, on critical Technology Assets, Applications and/or Services (TAAS) to generate alerts for unauthorized modifications.
Level 1 — Performed Informally
Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/ or systems that store, processes and/ or transmit sensitive/regulated data.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
Level 2 — Planned & Tracked
Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.
- Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
- IT/cybersecurity personnel:
- A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical systems.
Level 3 — Well Defined
Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.
- An IT Asset Management (ITAM) function, or similar function:
- A Security Incident Event Manager (SIEM), or similar automated tool:
- Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to utilize a File Integrity monitor (FIM), or similar change-detection technology, on critical Technology Assets, Applications and/or Services (TAAS) to generate alerts for unauthorized modifications.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize a File Integrity monitor (FIM), or similar change-detection technology, on critical Technology Assets, Applications and/or Services (TAAS) to generate alerts for unauthorized modifications.
Assessment Objectives
- MON-01.7_A01 integrity verification tools are employed to detect unauthorized changes to organization-defined software, firmware and/or information.
- MON-01.7_A02 organization-defined actions are taken when unauthorized changes to the software, firmware and/or information, are detected;
Evidence Requirements
- E-MON-08 Integrity Monitoring
-
Documented evidence of integrity monitoring, where files and/or configurations on critical systems, applications and/or services are actively monitored for changes that could indicate unauthorized changes.
Event Log Monitoring
Technology Recommendations
Medium
- File Integrity Monitor (FIM)
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)
Large
- File Integrity Monitor (FIM)
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)
Enterprise
- File Integrity Monitor (FIM)
- CimTrak Integrity Suite (https://cimcor.com/cimtrak)