MON-14.1: Sharing of Event Logs

There is no evidence of a capability to share event logs with third-party organizations based on specific cross-organizational sharing agreements.

C|P-CMM1 is N/A, since a structured process is required to share event logs with third-party organizations based on specific cross-organizational sharing agreements.

Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.

• Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
• IT/cybersecurity personnel:
• A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical systems.
• A formal agreement exists between the organization and applicable third-parties that includes a Non-Disclosure Agreement (NDA) addressing shared sensitive data.
• the organization sets specific parameters on what type of audit information is permitted to be shared and what cannot be shared with third-parties, even with a NDA in place.

Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.

• An IT Asset Management (ITAM) function, or similar function:
• A Security Incident Event Manager (SIEM), or similar automated tool:
• Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
• A formal agreement exists between the organization and applicable third-parties that includes a Non-Disclosure Agreement (NDA) addressing shared sensitive data.
• The organization sets specific parameters on what type of audit information is permitted to be shared and what cannot be shared with third-parties, even with a NDA in place.

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to share event logs with third-party organizations based on specific cross-organizational sharing agreements.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to share event logs with third-party organizations based on specific cross-organizational sharing agreements.