MON-02: Centralized Collection of Security Event Logs
Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support the centralized collection of security-related event logs.
Control Question: Does the organization utilize a Security Incident Event Manager (SIEM) or similar automated tool to support the centralized collection of security-related event logs?
General (51)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) | CC7.2 CC7.2-POF1 CC7.3 |
| CIS CSC 8.1 | 3.14 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 8.12 13.1 |
| CIS CSC 8.1 IG1 | 8.1 8.2 8.3 |
| CIS CSC 8.1 IG2 | 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 13.1 |
| CIS CSC 8.1 IG3 | 3.14 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 8.12 13.1 |
| COBIT 2019 | DSS06.05 |
| CSA CCM 4 | LOG-03 |
| CSA IoT SCF 2 | CLS-08 MON-07 |
| ENISA 2.0 | SO17 SO20 SO21 |
| GovRAMP Core | SI-04 |
| GovRAMP Low | AU-02 AU-06 SI-04 |
| GovRAMP Low+ | AU-02 AU-06 SI-04 |
| GovRAMP Moderate | AU-02 AU-06 SI-04 |
| GovRAMP High | AU-02 AU-06 SI-04 |
| ISO 27002 2022 | 8.15 |
| MPA Content Security Program 5.1 | TS-1.5 TS-1.11 |
| NIST 800-53 R4 | AU-2 AU-2(3) AU-6 IR-4(4) SI-4 |
| NIST 800-53 R4 (low) | AU-2 AU-6 SI-4 |
| NIST 800-53 R4 (moderate) | AU-2 AU-2(3) AU-6 SI-4 |
| NIST 800-53 R4 (high) | AU-2 AU-2(3) AU-6 SI-4 |
| NIST 800-53 R5 | AU-2 AU-6 IR-4(4) SI-4 |
| NIST 800-53B R5 (privacy) | AU-2 |
| NIST 800-53B R5 (low) | AU-2 AU-6 SI-4 |
| NIST 800-53B R5 (moderate) | AU-2 AU-6 SI-4 |
| NIST 800-53B R5 (high) | AU-2 AU-6 IR-4(4) SI-4 |
| NIST 800-82 R3 LOW OT Overlay | AU-2 AU-6 SI-4 |
| NIST 800-82 R3 MODERATE OT Overlay | AU-2 AU-6 SI-4 |
| NIST 800-82 R3 HIGH OT Overlay | AU-2 AU-6 IR-4(4) SI-4 |
| NIST 800-161 R1 | AU-2 AU-6 SI-4 |
| NIST 800-161 R1 C-SCRM Baseline | AU-2 AU-6 SI-4 |
| NIST 800-161 R1 Flow Down | AU-2 AU-6 SI-4 |
| NIST 800-161 R1 Level 1 | AU-2 SI-4 |
| NIST 800-161 R1 Level 2 | AU-2 AU-6 SI-4 |
| NIST 800-161 R1 Level 3 | AU-2 AU-6 SI-4 |
| NIST 800-171 R2 | 3.3.1 3.3.3 3.3.5 3.3.6 3.3.8 3.3.9 |
| NIST 800-171 R3 | 03.03.05.a 03.03.05.c |
| NIST 800-171A R3 | A.03.03.05.ODP[01] A.03.03.05.a A.03.03.05.c[01] |
| NIST 800-207 | NIST Tenet 5 NIST Tenet 7 |
| NIST CSF 2.0 | DE.AE-03 DE.AE-06 |
| OWASP Top 10 2021 | A09:2021 |
| PCI DSS 4.0.1 | 10.3.3 10.4 10.4.1 10.4.1.1 |
| PCI DSS 4.0.1 SAQ A-EP | 10.3.3 10.4.1 10.4.1.1 |
| PCI DSS 4.0.1 SAQ C | 10.3.3 10.4.1 10.4.1.1 |
| PCI DSS 4.0.1 SAQ D Merchant | 10.3.3 10.4.1 10.4.1.1 |
| PCI DSS 4.0.1 SAQ D Service Provider | 10.3.3 10.4.1 10.4.1.1 |
| SWIFT CSF 2023 | 6.1 6.2 6.3 6.4 |
| TISAX ISA 6 | 5.2.4 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MON-02 |
| SCF CORE ESP Level 1 Foundational | MON-02 |
| SCF CORE ESP Level 2 Critical Infrastructure | MON-02 |
| SCF CORE ESP Level 3 Advanced Threats | MON-02 |
US (31)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | SITUATION-1.E.MIL2 |
| US CERT RMM 1.2 | COMP:SG2.SP1 COMP:SG3.SP1 MON:SG1.SP3 MON:SG2.SP3 MON:SG2.SP4 |
| US CISA CPG 2022 | 2.G 2.T |
| US CJIS Security Policy 5.9.3 | 5.4 5.4.1 5.4.3 SI-4 |
| US CMMC 2.0 Level 2 | AU.L2-3.3.1 AU.L2-3.3.3 AU.L2-3.3.5 AU.L2-3.3.6 AU.L2-3.3.8 AU.L2-3.3.9 |
| US CMMC 2.0 Level 3 | AU.L2-3.3.1 AU.L2-3.3.3 AU.L2-3.3.5 AU.L2-3.3.6 AU.L2-3.3.8 AU.L2-3.3.9 |
| US CMS MARS-E 2.0 | AU-2 AU-2(3) AU-6 SI-4 |
| US DoD Zero Trust Execution Roadmap | 3.5.1 3.5.2 7.1 |
| US DHS CISA TIC 3.0 | 3.UNI.CLMAN |
| US DHS ZTCF | APP-02 SEC-01 SEC-05 |
| US FDA 21 CFR Part 11 | 11.10 11.10(b) 11.10(c) 11.10(e) |
| US FedRAMP R4 | AU-2 AU-6 SI-4 |
| US FedRAMP R4 (low) | AU-2 AU-6 SI-4 |
| US FedRAMP R4 (moderate) | AU-2 AU-6 SI-4 |
| US FedRAMP R4 (high) | AU-2 AU-6 SI-4 |
| US FedRAMP R4 (LI-SaaS) | AU-2 AU-6 SI-4 |
| US FedRAMP R5 | AU-2 AU-6 SI-4 |
| US FedRAMP R5 (low) | AU-2 AU-6 SI-4 |
| US FedRAMP R5 (moderate) | AU-2 AU-6 SI-4 |
| US FedRAMP R5 (high) | AU-2 AU-6 SI-4 |
| US FedRAMP R5 (LI-SaaS) | AU-2 AU-6 SI-4 |
| US IRS 1075 | AU-2 AU-6 SI-4 |
| US NISPOM 2020 | 8-602 |
| US SSA EIESR 8.0 | 5.4 |
| US - CA CCPA 2025 | 7123(c)(7) |
| US - MA 201 CMR 17.00 | 17.03(2)(b)(3) 17.04(4) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.14(b)(2) 500.6(a)(2) |
| US - OR 646A | 622(2)(d)(B)(iii) |
| US - TX DIR Control Standards 2.0 | AU-2 AU-6 SI-4 |
| US - TX TX-RAMP Level 1 | AU-2 AU-6 SI-4 |
| US - TX TX-RAMP Level 2 | AU-2 AU-2(3) AU-6 SI-4 |
EMEA (9)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.5(52) |
| EMEA EU NIS2 Annex | 3.2.6 |
| EMEA Germany C5 2020 | OPS-14 |
| EMEA Israel CDMO 1.0 | 4.6 12.17 21.3 21.4 21.6 21.12 |
| EMEA Saudi Arabia CSCC-1 2019 | 2-11-1-3 2-11-1-4 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-11-1-3 2-11-1-9 |
| EMEA Saudi Arabia SACS-002 | TPC-81 |
| EMEA Saudi Arabia SAMA CSF 1.0 | 3.3.14 |
| EMEA UK CAP 1850 | C1 C2 |
APAC (3)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0109 ISM-1228 ISM-1405 ISM-1536 ISM-1537 ISM-1566 ISM-1650 |
| APAC New Zealand NZISM 3.6 | 16.6.11.C.01 16.6.11.C.02 16.6.11.C.03 16.6.12.C.01 16.6.12.C.02 16.6.12.C.03 |
| APAC Singapore MAS TRM 2021 | 9.1.3 |
Americas (4)
| Framework | Mapping Values |
|---|---|
| Americas Bermuda BMACCC | 6.21 |
| Americas Canada CSAG | 3.2 |
| Americas Canada OSFI B-13 | 3.3.1 |
| Americas Canada ITSP-10-171 | 03.03.05.A 03.03.05.C |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to utilize a Security Incident Event Manager (SIEM) or similar automated tool to support the centralized collection of security-related event logs.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to utilize a Security Incident Event Manager (SIEM) or similar automated tool to support the centralized collection of security-related event logs.
Level 2 — Planned & Tracked
Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
- IT/cybersecurity personnel:
  - Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management.
  - Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets.
  - Use a structured process to review and analyze logs.
- A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical systems.
Level 3 — Well Defined
Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- An IT Asset Management (ITAM) function, or similar function:
  - Governs asset management that ensures compliance with requirements for asset management.
  - Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets.
- A Security Incident Event Manager (SIEM), or similar automated tool:
  - Centrally collects logs and is protected according to the manufacturer's security guidelines to protect the integrity of the event logs with cryptographic mechanisms.
  - Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability.
  - Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.
- Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
Level 4 — Quantitatively Controlled
Continuous Monitoring (MON) efforts are metrics-driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, of the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize a Security Incident Event Manager (SIEM) or similar automated tool to support the centralized collection of security-related event logs.
Assessment Objectives
- MON-02_A01 the frequency at which system audit records are reviewed and analyzed is defined.
- MON-02_A02 system audit records are reviewed and analyzed per an organization-defined frequency for indications and the potential impact of inappropriate or unusual activity.
- MON-02_A03 audit records across different repositories are analyzed to gain organization-wide situational awareness.
- MON-02_A04 automated mechanisms used for integrating audit record review, analysis and reporting processes are defined.
- MON-02_A05 audit record review, analysis and reporting processes are integrated using organization-defined automated mechanisms.
- MON-02_A06 the frequency or situation requiring logging for each specified event type is defined.
- MON-02_A07 the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged.
- MON-02_A08 the event types selected for logging are reviewed and updated per an organization-defined frequency.
- MON-02_A09 a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents.
- MON-02_A10 system audit records are reviewed and analyzed per an organization-defined frequency for indications of organization-defined inappropriate or unusual activity and the potential impact of the inappropriate or unusual activity.
- MON-02_A11 findings are reported to organization-defined personnel or roles.
- MON-02_A12 the level of audit record review, analysis and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information or other credible sources of information.
- MON-02_A13 system audit records are reviewed and analyzed <A.03.03.05.ODP[01]: frequency> for indications and the potential impact of inappropriate or unusual activity.
Evidence Requirements
| Evidence ID | Name | Category | Description |
|---|---|---|---|
| E-MON-01 | Event Log Review & Analysis | Event Log Monitoring | Documented evidence of security event log review and analysis (e.g., system monitoring records). |
| E-MON-05 | Centralized Event Log Collection | Event Log Monitoring | Documented evidence of security-relevant activities being logged and included as part of the centralized event log collection and review/analysis process. |
Technology Recommendations
Micro/Small
- Centralized log collector
- Managed Security Services Provider (MSSP)
Small
- Centralized log collector
- Managed Security Services Provider (MSSP)
Medium
- Centralized log collector
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Large
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Enterprise
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)