MON-02.1: Correlate Monitoring Information
Automated mechanisms exist to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.
Control Question: Does the organization use automated mechanisms to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness?
General (38)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC7.2 CC7.3 |
| CIS CSC 8.1 | 3.14 8.12 13.6 |
| CIS CSC 8.1 IG2 | 13.6 |
| CIS CSC 8.1 IG3 | 3.14 8.12 13.6 |
| COBIT 2019 | DSS06.05 |
| CSA CCM 4 | LOG-03 LOG-12 |
| GovRAMP Moderate | AU-06(03) SI-04(16) |
| GovRAMP High | AU-06(03) SI-04(16) |
| ISO 27002 2022 | 8.15 |
| MPA Content Security Program 5.1 | TS-1.5 TS-1.11 |
| NIST 800-53 R4 | AU-6(3) IR-4(4) SI-4(16) |
| NIST 800-53 R4 (moderate) | AU-6(3) |
| NIST 800-53 R4 (high) | AU-6(3) IR-4(4) |
| NIST 800-53 R5 (source) | AU-6(3) AU-6(9) IR-4(4) SI-4(16) |
| NIST 800-53B R5 (moderate) (source) | AU-6(3) |
| NIST 800-53B R5 (high) (source) | AU-6(3) IR-4(4) |
| NIST 800-53 R5 (NOC) (source) | SI-4(16) |
| NIST 800-82 R3 MODERATE OT Overlay | AU-6(3) |
| NIST 800-82 R3 HIGH OT Overlay | AU-6(3) IR-4(4) |
| NIST 800-161 R1 | AU-6(9) |
| NIST 800-161 R1 Level 3 | AU-6(9) |
| NIST 800-171 R2 (source) | 3.3.5 3.14.7 |
| NIST 800-171A (source) | 3.3.5[a] 3.3.5[b] 3.14.7[a] 3.14.7[b] |
| NIST 800-171 R3 (source) | 03.03.05.a 03.03.05.c |
| NIST 800-171A R3 (source) | A.03.03.05.c[02] |
| NIST 800-207 | NIST Tenet 5 NIST Tenet 7 |
| NIST CSF 2.0 (source) | DE.AE-03 DE.AE-06 |
| OWASP Top 10 2021 | A09:2021 |
| PCI DSS 4.0.1 (source) | 10.4.1.1 12.10.5 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 10.4.1.1 |
| PCI DSS 4.0.1 SAQ C (source) | 10.4.1.1 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 10.4.1.1 12.10.5 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 10.4.1.1 12.10.5 |
| TISAX ISA 6 | 5.2.4 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MON-02.1 |
| SCF CORE ESP Level 1 Foundational | MON-02.1 |
| SCF CORE ESP Level 2 Critical Infrastructure | MON-02.1 |
| SCF CORE ESP Level 3 Advanced Threats | MON-02.1 |
US (18)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | SITUATION-1.E.MIL2 SITUATION-3.E.MIL3 SITUATION-3.F.MIL3 |
| US CISA CPG 2022 | 2.T |
| US CJIS Security Policy 5.9.3 (source) | 5.4 5.4.1 5.4.3 |
| US CMMC 2.0 Level 2 (source) | AU.L2-3.3.5 SI.L2-3.14.7 |
| US CMMC 2.0 Level 3 (source) | AU.L2-3.3.5 SI.L2-3.14.7 |
| US CMS MARS-E 2.0 | AU-6(3) |
| US DoD Zero Trust Execution Roadmap | 3.5.1 3.5.2 4.4.3 4.4.4 4.4.5 4.4.6 7.2.2 |
| US DHS CISA TIC 3.0 | 3.UNI.SAWAR 3.UNL.CMREP |
| US DHS ZTCF | APP-02 BAS-02 SEC-01 SEC-05 |
| US FedRAMP R4 | AU-6(3) IR-4(4) SI-4(16) |
| US FedRAMP R4 (moderate) | AU-6(3) SI-4(16) |
| US FedRAMP R4 (high) | AU-6(3) IR-4(4) SI-4(16) |
| US FedRAMP R5 (source) | AU-6(3) IR-4(4) SI-4(16) |
| US FedRAMP R5 (moderate) (source) | AU-6(3) SI-4(16) |
| US FedRAMP R5 (high) (source) | AU-6(3) IR-4(4) SI-4(16) |
| US IRS 1075 | AU-6(3) AU-6(9) |
| US SSA EIESR 8.0 | 5.6 |
| US - TX TX-RAMP Level 2 | AU-6(3) SI-4(16) |
EMEA (6)
| Framework | Mapping Values |
|---|---|
| EMEA Germany C5 2020 | OPS-13 |
| EMEA Israel CDMO 1.0 | 4.6 12.17 21.6 21.12 21.13 21.19 |
| EMEA Saudi Arabia CSCC-1 2019 | 2-11-1-3 2-11-1-4 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-11-1-4 2-11-1-5 2-11-1-6 2-11-1-7 2-11-1-8 2-11-1-10 |
| EMEA Saudi Arabia SACS-002 | TPC-81 |
| EMEA Saudi Arabia SAMA CSF 1.0 | 3.3.14 |
APAC (3)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-1228 |
| APAC New Zealand NZISM 3.6 | 16.6.14.C.01 18.4.12.C.01 |
| APAC Singapore MAS TRM 2021 | 12.2.5 |
Americas (3)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 3.6 |
| Americas Canada OSFI B-13 | 3.3.1 |
| Americas Canada ITSP-10-171 | 03.03.05.A 03.03.05.C |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.
Level 2 — Planned & Tracked
Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.
- Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
- IT/cybersecurity personnel:
- A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical systems.
Level 3 — Well Defined
Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.
- An IT Asset Management (ITAM) function, or similar function:
- A Security Incident Event Manager (SIEM), or similar automated tool:
- Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to correlate both technical and non-technical information from across the enterprise by a Security Incident Event Manager (SIEM) or similar automated tool, to enhance organization-wide situational awareness.
Assessment Objectives
- MON-02.1_A01 authorized use of the system is defined.
- MON-02.1_A02 unauthorized use of the system is identified.
- MON-02.1_A03 incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.
- MON-02.1_A04 audit records across different repositories are correlated to gain organization-wide situational awareness.
- MON-02.1_A05 audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity are defined.
- MON-02.1_A06 defined audit record review, analysis and reporting processes are correlated.
Evidence Requirements
- E-MON-05 Centralized Event Log Collection
-
Documented evidence of security-relevant activities being logged and included as part of the centralized event log collection and review/analysis process.
Event Log Monitoring - E-MON-07 Situational Awareness
-
Documented evidence of the organization leveraging knowledge of event log generation to gain situational awareness of cross-domain activities (e.g., technology issues, security events, policy violations, service provider activities, remote workforce activities, physical security events, etc.).
Event Log Monitoring
Technology Recommendations
Micro/Small
- Managed Security Services Provider (MSSP)
Small
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Medium
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Large
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Enterprise
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)