| Applicable (Y)es / (N)o | (C)onfidentiality: L1 / M2 / H3 | (I)ntegrity: L1 / M2 / H3 | (A)vailability: L1 / M2 / H3 | RPN (C+I+A) | (S)atisfactory | (O)ther than satisfactory |

### si-4 | information system monitoring

assessment objective: Determine if the organization:

| Identifier | Objective |
|---|---|
| si-4(a) | |
| si-4(a)(1) | |
| si-4(a)(1)[1] | defines monitoring objectives to detect attacks and indicators of potential attacks on the information system; |
| si-4(a)(1)[2] | monitors the information system to detect, in accordance with organization-defined monitoring objectives: |
| si-4(a)(1)[2][a] | attacks; |
| si-4(a)(1)[2][b] | indicators of potential attacks; |
| si-4(a)(2) | monitors the information system to detect unauthorized: |
| si-4(a)(2)[1] | local connections; |
| si-4(a)(2)[2] | network connections; |
| si-4(a)(2)[3] | remote connections; |
| si-4(b) | |
| si-4(b)(1) | defines techniques and methods to identify unauthorized use of the information system; |
| si-4(b)(2) | identifies unauthorized use of the information system through organization-defined techniques and methods; |
| si-4(c) | deploys monitoring devices: |
| si-4(c)[1] | strategically within the information system to collect organization-determined essential information; |
| si-4(c)[2] | at ad hoc locations within the system to track specific types of transactions of interest to the organization; |
| si-4(d) | protects information obtained from intrusion-monitoring tools from unauthorized: |
| si-4(d)[1] | access; |
| si-4(d)[2] | modification; |
| si-4(d)[3] | deletion; |
| si-4(e) | heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; |
| si-4(f) | obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; |
| si-4(g) | |
| si-4(g)[1] | defines personnel or roles to whom information system monitoring information is to be provided; |
| si-4(g)[2] | defines information system monitoring information to be provided to organization-defined personnel or roles; |
| si-4(g)[3] | defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles; |
| si-4(g)[4] | provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following: |
| si-4(g)[4][a] | as needed; and/or |
| si-4(g)[4][b] | with the organization-defined frequency. |

potential assessment methods and objects:

Examine: [select from: Continuous monitoring strategy; system and information integrity policy; procedures addressing information system monitoring tools and techniques; facility diagram/layout; information system design documentation; information system monitoring tools and techniques documentation; locations within information system where monitoring devices are deployed; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system].

Test: [select from: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing information system monitoring capability].