catalog: SP800-53rev3 / class: Operational / family: (SI) System and Information Integrity



  SI-04: Information System Monitoring  

base control objective:
The organization:
a. Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks;
b. Identifies unauthorized use of the information system;
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and
e. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

supplemental objective information:
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system (e.g., within internal organizational networks and system components). Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, at selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. The Einstein network monitoring device from the Department of Homeland Security is an example of a system monitoring device. The granularity of the information collected is determined by the organization based on its monitoring objectives and the capability of the information system to support such activities. An example of a specific type of transaction of interest to the organization with regard to monitoring is Hyper Text Transfer Protocol (HTTP) traffic that bypasses organizational HTTP proxies, when use of such proxies is required.

enhancements to the base objective:

(1) The organization interconnects and configures individual intrusion detection tools into a systemwide intrusion detection system using common protocols.

(2) The organization employs automated tools to support near-real-time analysis of events.

(3) The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

(4) The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.
Enhancement Supplemental Guidance: Unusual/unauthorized activities or conditions include, for example, internal traffic that indicates the presence of malicious code within an information system or propagating among system components, the unauthorized export of information, or signaling to an external information system. Evidence of malicious code is used to identify potentially compromised information systems or information system components.

(5) The information system provides near real-time alerts when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].
Enhancement Supplemental Guidance: Alerts may be generated, depending on the organization-defined list of indicators, from a variety of sources, for example, audit records or input from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers.

(6) The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.

(7) The information system notifies [Assignment: organization-defined list of incident response personnel] of suspicious events and takes [Assignment: organization-defined list of least-disruptive actions to terminate suspicious events].
Enhancement Supplemental Guidance: The least-disruptive actions may include initiating a request for human response.

(8) The organization protects information obtained from intrusion monitoring tools from unauthorized access, modification, and deletion.

(9) The organization tests/exercises intrusion monitoring tools [Assignment: organization-defined time-period].
Enhancement Supplemental Guidance: The frequency of testing/exercises is dependent upon the type and method of deployment of the intrusion monitoring tools.

(10) The organization makes provisions so that encrypted traffic is visible to information system monitoring tools.
Enhancement Supplemental Guidance: The enhancement recognizes the need to balance encrypting traffic versus the need to have insight into that traffic from a monitoring perspective. For some organizations, the need to ensure the confidentiality of traffic is paramount; for others, the mission assurance concerns are greater.

(11) The organization analyzes outbound communications traffic at the external boundary of the system (i.e., system perimeter) and, as deemed necessary, at selected interior points within the system (e.g., subnets, subsystems) to discover anomalies.
Enhancement Supplemental Guidance: Anomalies within the information system include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.

(12) The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that trigger alerts].

(13) The organization:
(a) Analyzes communications traffic/event patterns for the information system;
(b) Develops profiles representing common traffic patterns and/or events; and
(c) Uses the traffic/event profiles in tuning system monitoring devices to reduce the number of false positives to [Assignment: organization-defined measure of false positives] and the number of false negatives to [Assignment: organization-defined measure of false negatives].

(14) The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

(15) The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

(16) The organization correlates information from monitoring tools employed throughout the information system to achieve organization-wide situational awareness.

mapping to FIPS199 baseline:

  LOW: null     MOD: base (2) (4) (5) (6)     HIGH: base (2) (4) (5) (6)  

related (regimented) controls:

AC-08   System Use Notification
AC-17   Remote Access
AU-02   Auditable Events
AU-06   Audit Monitoring, Analysis, and Reporting
SI-03   Malicious Code Protection
SI-07   Software and Information Integrity

documents referenced in SP800-53rev3 for SI-04:

Document        Date             Status   Title
NIST SP800-115  September, 2008  current  Technical Guide to Information Security Testing and Assessment
NIST SP800-121  June, 2012       current  Guide to Bluetooth Security
NIST SP800-36   October, 2003    current  Guide to Selecting Information Technology Security Products
NIST SP800-40   November, 2005   current  Creating a Patch and Vulnerability Management Program
NIST SP800-44   September 2002   current  Guidelines on Securing Public Web Servers
NIST SP800-48   July, 2008       current  Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
NIST SP800-61   August, 2012     current  Computer Security Incident Handling Guide
NIST SP800-83   September, 2006  current  Guide to Malware Incident Prevention and Handling
NIST SP800-92   September, 2006  current  Guide to Computer Security Log Management
NIST SP800-94   August, 2006     DRAFT    Guide to Intrusion Detection and Prevention Systems (IDPS)
