Continuous Monitoring Controls
Purpose
Bramble maintains ongoing situational awareness of security-related events through the centralized collection, analysis and review of security-related event logs from systems, applications and services. Without comprehensive visibility into infrastructure, operating system, database, application and other logs, Bramble will have “blind spots” in its situational awareness that could lead to system compromise, data exfiltration, or unavailability of needed computing resources.
Scope
This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting Brmbl.io and its subdomains. This may include third-party systems that support the business of Brmbl.io.
Ownership
- This control is owned by Infrastructure.
- The process is owned by Security Compliance, Infrastructure and Security Operations.
Controls
Control Number | Control Title | Control Statement | Goal | TOD | TOE |
---|---|---|---|---|---|
MON-01 | Continuous Monitoring | Bramble Group Corp. has implemented enterprise-wide monitoring controls such as Intrusion Detection / Prevention Systems (IDS/IPS) on critical systems, key network segments and network choke points. Bramble uses Host-based Intrusion Detection / Prevention Systems (HIDS/HIPS) to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activity, and actively responds to alerts from physical, cybersecurity, privacy and supply chain activities, blocking unwanted activity to achieve and maintain situational awareness. Bramble uses Wireless Intrusion Detection / Prevention Systems (WIDS/WIPS) to identify rogue wireless devices and detect attack attempts via wireless networks. Bramble sends logs to a Security Information and Event Management (SIEM) system or similar automated tool to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures. | Does the organization facilitate the implementation of enterprise-wide monitoring controls? | 1. Examine the policies, procedures and related documents associated with enterprise-wide monitoring technologies such as IDS/IPS on critical systems, key network segments and network choke points. 2. Interview key organizational personnel within Bramble to discuss high-level planning and workflows that support those monitoring technologies. | 1. Identify critical systems, key network segments and network choke points. 2. Examine policies, procedures, related documentation and automated configurations used to support IDS/IPS on the identified critical systems. 3. Examine the IDS/IPS monitoring for evidence of: monitoring for anomalies; audit logs / records configured, documented and reviewed according to policy; network monitoring for cybersecurity events; roles and responsibilities defined; detection and resolution requirements; baseline configurations enabled according to policy. |
MON-02 | Centralized Collection of Security Event Logs | Bramble Group Corp. has implemented mechanisms to utilize a Security Information and Event Management (SIEM) system or similar automated tool to support the centralized collection of security-related event logs and maintain situational awareness. | Does the organization utilize a SIEM or similar automated tool to support the centralized collection of security-related event logs? | 1. Examine the policies, procedures and related documents associated with the documentation and configuration of the SIEM or similar automated tool used to centralize the collection of security-related event logs. 2. Interview key organizational personnel within Bramble to discuss high-level planning and workflows that support the SIEM. | 1. Examine policies, procedures, related documentation and automated configurations used to facilitate the SIEM. 2. Review event logs for the entire examination period for evidence that the SIEM captured all event logs outlined in the automated configurations and related documentation. |
MON-03 | Content of Audit Records | Bramble Group Corp. has implemented mechanisms to configure systems to produce audit records that contain sufficient information to, at a minimum: ▪ establish what type of event occurred; ▪ when (date and time) the event occurred; ▪ where the event occurred; ▪ the source of the event; ▪ the outcome (success or failure) of the event; and ▪ the identity of any user/subject associated with the event. | Does the organization configure systems to produce audit records that contain sufficient information to, at a minimum: ▪ establish what type of event occurred; ▪ when (date and time) the event occurred; ▪ where the event occurred; ▪ the source of the event; ▪ the outcome (success or failure) of the event; and ▪ the identity of any user/subject associated with the event? | 1. Examine the policies, procedures and related documents associated with the documentation and configuration of the SIEM or similar automated tool used to produce audit records. 2. Interview key organizational personnel within Bramble to discuss high-level planning and workflows that support the SIEM. 3. Examine the SIEM configuration for evidence that the ability to alter SIEM configurations is restricted based on segregation of duties and job role responsibility, and that any change to the configurations or records follows documented policies and procedures. 4. Examine the SIEM configuration for evidence that the following information is collected, at a minimum: type of event; when (date and time); where; source of the event; outcome (success or failure); identity of the user/subject associated with the event. | 1. Pull a population of all audit logs for the examination period. 2. Examine manual or automated configurations for audit logs. 3. Examine a sample set of audit logs for evidence that the SIEM captured all information outlined in the TOD through either manual or configured processes. |
MON-06 | Monitoring Reporting | Bramble Group Corp. has implemented mechanisms to provide an event log report generation capability to aid in detecting and assessing anomalous activities. | Does the organization provide an event log report generation capability to aid in detecting and assessing anomalous activities? | 1. Examine the policies, procedures and related documents associated with the documentation and configuration of event log generation and reporting for detecting anomalous activities. 2. Interview key organizational personnel within Bramble to discuss high-level planning and workflows that support the configuration of event log generation and reporting for detecting anomalous activities. 3. Examine the event log configuration for evidence that altering configurations is limited to personnel based on segregation of duties and job role responsibility. 4. Examine any changes to event log configurations or to the logs themselves for evidence that changes to the configurations or records follow documented policies and procedures. 5. Examine the event log generation configuration for evidence that the logs collect and support: event anomalies; security events; alerting / communication to the appropriate teams. | 1. Pull a population of all event logs for the examination period. 2. Examine manual or automated configurations for event logs. 3. Examine a sample set of event logs for evidence that the event logs collect and support all information outlined in the TOD through either manual or configured processes. |
MON-10 | Audit Record Retention | Bramble Group Corp. has implemented mechanisms to retain audit records for a time period consistent with records retention requirements, to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements. | Does the organization retain audit records for a time period consistent with records retention requirements, to provide support for after-the-fact investigations of security incidents and to meet statutory, regulatory and contractual retention requirements? | 1. Identify statutory, regulatory and contractual retention and disposal requirements. 2. Examine the policies, procedures and related documents associated with audit record retention and disposal. | 1. Pull a population of all audit records. 2. Examine manual processes or automated configurations for evidence that audit records are retained and/or disposed of according to statutory, regulatory and contractual retention and disposal requirements. 3. Examine a sample set of audit records for evidence that records were retained or destroyed according to those requirements. |
MON-16 | Anomalous Behavior | Bramble Group Corp. has implemented mechanisms to detect and respond to anomalous behavior that could indicate account compromise or other malicious activity. | Does the organization detect and respond to anomalous behavior that could indicate account compromise or other malicious activity? | 1. Examine the policies, procedures and related documents associated with the documentation and configuration of audit and event logs used to record anomalous behavior that could indicate account compromise or other malicious activity. 2. Interview key organizational personnel within Bramble to discuss high-level planning, network operations and data flows that support the documentation and configuration of those audit and event logs. 3. Examine the audit or event log configuration for evidence that the ability to alter log configurations is restricted based on segregation of duties and job role responsibility, and that any change to the configurations or records follows documented policies and procedures. 4. Examine the audit or event logs for evidence that the following is collected, at a minimum: anomalous behavior; indicators of account compromise; malicious activity. | 1. Pull a population of all audit or event logs for the examination period. 2. Examine manual or automated configurations for audit or event logs. 3. Examine a sample set of audit or event logs for evidence that the information outlined in the TOD was captured through either manual or configured processes. |
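MON-03 TOE step 3 asks the tester to examine a sample of audit records for the six minimum elements (type, time, where, source, outcome, subject). The script below is an added example of how that sample check can be automated; it is not Bramble's tooling and no SIEM is named on this page. The JSON field aliases in `REQUIRED_FIELDS` and the four sample records are constructed assumptions for the example, not a real product schema or real log data.

```python
"""Check a sample of audit records for the MON-03 minimum content.

Added example for this page, not Bramble's own tooling. The field names below
are assumptions about a generic newline-delimited JSON audit format.
"""
import json
from collections import Counter
from datetime import datetime

# The six minimum elements required by MON-03, each mapped to the candidate
# field names a record might use. The alias lists are assumptions.
REQUIRED_FIELDS = {
    "event_type": ("event_type", "action", "eventName"),
    "timestamp":  ("timestamp", "@timestamp", "time"),
    "where":      ("host", "hostname", "resource"),
    "source":     ("source_ip", "src_ip", "client_ip"),
    "outcome":    ("outcome", "result", "status"),
    "subject":    ("user", "actor", "principal"),
}


def _parses_as_time(value):
    """True if the value is an ISO 8601 timestamp usable for reconstruction."""
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def missing_fields(record):
    """Return the MON-03 elements that are absent, empty or unusable in a record."""
    missing = []
    for element, aliases in REQUIRED_FIELDS.items():
        value = next((record[a] for a in aliases if record.get(a) not in (None, "")), None)
        if value is None:
            missing.append(element)
        elif element == "timestamp" and not _parses_as_time(value):
            # A free-text time like "yesterday" does not establish when the event occurred.
            missing.append(element)
    return missing


def check_sample(lines):
    """Parse newline-delimited JSON records and summarise MON-03 gaps.

    Returns (per_record, summary): per_record is a list of (line_no, missing)
    pairs, summary counts how often each element was missing. A line the
    parser cannot read is treated as missing all six elements, because an
    unparseable record evidences none of them.
    """
    per_record = []
    summary = Counter()
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            missing = list(REQUIRED_FIELDS)
        else:
            missing = missing_fields(rec)
        per_record.append((n, missing))
        summary.update(missing)
    return per_record, summary


# Constructed sample: four records of the kind a TOE sample pull might contain.
# Records 3 and 4 are deliberately deficient.
SAMPLE = """\
{"timestamp":"2024-03-01T10:15:02Z","action":"login","host":"web-01","src_ip":"203.0.113.7","result":"success","user":"alice"}
{"timestamp":"2024-03-01T10:15:09Z","action":"login","host":"web-01","src_ip":"203.0.113.7","result":"failure","user":"bob"}
{"timestamp":"2024-03-01T10:16:44Z","action":"config_change","host":"siem-01","src_ip":"10.0.0.5","user":"admin"}
{"time":"yesterday","eventName":"sudo","hostname":"db-02","client_ip":"10.0.0.9","status":"success","actor":""}
"""

if __name__ == "__main__":
    results, gaps = check_sample(SAMPLE.splitlines())
    for n, missing in results:
        print(f"record {n}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    print("elements missing across sample:", dict(gaps))
```

Run against a real sample export, the per-record list is the evidence for step 3, and the summary points at the log source whose configuration needs fixing (here: a configuration-change event with no outcome, and a sudo event with no identifiable subject and an unusable timestamp). The alias table is where an engineer would encode the actual field names of the SIEM in use.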
- Test of Design (TOD): verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
- Test of Operating Effectiveness (TOE): verifies that the control is in place and operates as it was designed.