CIS Controls - Requirements
The current version of these tables is built on the CIS Controls Version 7.1. Mapping to Version 8 of the CIS Controls will be completed in 2022.
Implementation Group 1
Control ID | Control Wording | Support Detail | AIE Rules | Investigations | Summary Reports | Detailed Report |
---|---|---|---|---|---|---|
1.4 | Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all assets, whether connected to the organization’s network or not. | | CCF: New Network Host; CCF: New Asset | | CCF: New Network Host Summary | |
1.6 | Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner. | | CCF: New Network Host; CCF: New Asset | | CCF: New Network Host Summary | |
2.2 | Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system. | | CCF: Vulnerability Detected Alarm | CCF: Vulnerability Detected Inv | CCF: Vulnerability Detected Summary | |
2.6 | Ensure that unauthorized software is either removed or the inventory is updated in a timely manner. | | CCF: Software Install Rule; CCF: Software Uninstall Rule; CCF: Software Uninstall Failure Alarm | CCF: Applications Accessed By User Inv | CCF: Applications Accessed By User Summary | |
3.4 | Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor. | | CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Vulnerability Detected Alarm | CCF: Malware Detected Inv; CCF: Patch Activity Inv; CCF: Vulnerability Detected Inv | CCF: Patch Activity Summary; CCF: Vulnerability Detected Summary | |
3.5 | Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. | | CCF: Critical/PRD Envir Patch Failure Alarm | CCF: Patch Activity Inv; CCF: Vulnerability Detected Inv | CCF: Patch Activity Summary; CCF: Vulnerability Detected Summary | |
4.2 | Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. | | CCF: Account Modification; CCF: Account Password Not Changed | CCF: Account Modification Inv; CCF: Password Modification Inv | | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
4.3 | Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not Internet browsing, email, or similar activities. | | CCF: Windows RunAs Privilege Escalation; CCF: Linux SUDO Privilege Escalation; CCF: Social Media Activity; CCF: Misuse | CCF: Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Privileged Account Modification Inv; CCF: Social Media Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: User Misuse Inv | CCF: Account Modification Summary; CCF: Account Enabled Summary; CCF: Priv Account Management Activity Summary; CCF: Priv Authentication Activity Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
5.1 | Maintain documented security configuration standards for all authorized operating systems and software. | | CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Config Modified | CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv | CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Patch Activity Summary; CCF: Signature Activity Summary | |
6.2 | Ensure that local logging has been enabled on all systems and networking devices. | | CCF: Audit Disabled by Admin; CCF: Audit Logging Stopped Alarm | CCF: Audit Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv | CCF: Audit Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary | |
7.1 | Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor. | | CCF: Early TLS/SSL Alarm; CCF: Unauthorized Executable Observed | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
7.7 | Use Domain Name System (DNS) filtering services to help block access to known malicious domains. | | CCF: Malware Alarm; CCF: Domain Trust Modified | CCF: Malware Detected Inv | CCF: Malware Detected Summary | |
8.2 | Ensure that the organization’s anti-malware software updates its scanning engine and signature database on a regular basis. | | CCF: PRD Envir Signature Failure Alarm; CCF: Malware Alarm | CCF: Malware Detected Inv; CCF: Signature Activity Inv; CCF: Vulnerability Detected Inv | CCF: Malware Detected Summary; CCF: Signature Activity Summary; CCF: Vulnerability Detected Summary | |
8.4 | Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected. | | CCF: Malware Alarm | CCF: Compromises Detected Inv; CCF: Malware Detected Inv | CCF: Compromises Detected Summary; CCF: Malware Detected Summary | |
9.4 | Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. | | CCF: Blacklisted Egress Port Observed; CCF: Blacklisted Ingress Port Observed | | | |
10.1 | Ensure that all system data is automatically backed up on a regular basis. | | CCF: Backup Failure Alarm; CCF: Backup Information | CCF: Backup Activity Inv | CCF: Backup Activity Summary | |
10.2 | Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. | | CCF: Backup Failure Alarm; CCF: Backup Information | CCF: Backup Activity Inv | CCF: Backup Activity Summary | |
11.4 | Install the latest stable version of any security-related updates on all network devices. | | | CCF: Compromises Detected Inv; CCF: Denial of Service Inv; CCF: Suspected Wireless Attack Inv; CCF: Vulnerability Detected Inv | CCF: Compromises Detected Summary; CCF: Suspected Wireless Attack Summary; CCF: Vulnerability Detected Summary | |
12.1 | Maintain an up-to-date inventory of all of the organization’s network boundaries. | Lists provide a mechanism for organizing and saving common search criteria used within filters throughout LogRhythm, such as within Investigations, Reports, Alarm Rules, and AI Engine Rules. The lists included in this module, such as CCF: Network Security Systems List, give an organization a structure by which asset identification and management can be performed. | | CCF: Rogue Access Point Inv | CCF: Rogue Access Point Summary | |
12.4 | Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization’s network boundaries. | | CCF: Blacklisted Egress Port Observed; CCF: Blacklisted Ingress Port Observed; CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
13.1 | Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider. | | CCF: Inactive Systems; CCF: Unauthorized Data Transfer; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM Delete Activity Alarm; CCF: FIM General Activity; CCF: FIM Information; CCF: Multiple Failed Access Attempts; CCF: Multiple Object Access Failures | CCF: Object Access Inv; CCF: User Object Access Inv | CCF: Object Access Summary; CCF: User Object Access Summary | |
13.2 | Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed. | | CCF: Unauthorized Data Transfer; CCF: Inactive Systems | CCF: Object Access Inv; CCF: User Object Access Inv | CCF: Access Failure Summary; CCF: Access Success Summary; CCF: Object Access Summary; CCF: User Object Access Summary | |
13.6 | Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices. | | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
14.6 | Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. | | CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM Delete Activity Alarm; CCF: FIM General Activity; CCF: FIM Information; CCF: Multiple Failed Access Attempts; CCF: Multiple Object Access Failures | CCF: Account Modification Inv; CCF: Host Access Granted And Revoked Inv; CCF: Object Access Inv; CCF: Privileged Account Modification Inv | CCF: Access Failure Summary; CCF: Account Modification Summary | |
15.7 | Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit. | | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
15.10 | Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly. | | CCF: Domain Trust Modified; CCF: New Network Host | CCF: Rogue Access Point Inv; CCF: Suspicious Users Inv; CCF: User Misuse Inv | CCF: Rogue Access Point Summary; CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail |
16.8 | Disable any account that cannot be associated with a business process or business owner. | | CCF: Shared Account Access | CCF: Disabled Account Inv; CCF: Enabled Account Inv; CCF: Host Access Granted And Revoked Inv; CCF: Unknown User Account Inv | CCF: Account Disabled Summary; CCF: Auth Failure Summary; CCF: Term Account Activity Summary | CCF: Unknown User Account Detail |
16.9 | Automatically disable dormant accounts after a set period of inactivity. | | CCF: Dormant User Account Observed; CCF: Inactive User Activity | CCF: Deleted Account Inv; CCF: Disabled Account Inv; CCF: Unknown User Account Inv | CCF: Account Enabled Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary | |
17.3 | Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization’s security awareness program should be communicated in a continuous and engaging manner. | | | CCF: Suspicious Users Inv; CCF: User Misuse Inv | CCF: Top Suspicious Users; CCF: User Misuse Summary | |
17.5 | Train workforce members on the importance of enabling and utilizing secure authentication. | Investigations and Web Console dashboards enable an organization to identify discrete and disaggregated activity on an individual user basis. By monitoring user activity in this manner, an organization can identify meaningful trends and focus training efforts where necessary. | | CCF: Suspicious Users Inv | CCF: Top Suspicious Users | |
17.6 | Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls. | Investigations and Web Console dashboards enable an organization to identify discrete and disaggregated activity on an individual user basis. By monitoring user activity in this manner, an organization can identify meaningful trends and focus training efforts where necessary. | | CCF: Physical Access Inv; CCF: Suspicious Users Inv | CCF: Top Suspicious Users | |
17.7 | Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information. | Investigations and Web Console dashboards enable an organization to identify discrete and disaggregated activity on an individual user basis. By monitoring user activity in this manner, an organization can identify meaningful trends and focus training efforts where necessary. | | CCF: Suspicious Users Inv | CCF: Top Suspicious Users | |
17.8 | Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email. | Investigations and Web Console dashboards enable an organization to identify discrete and disaggregated activity on an individual user basis. By monitoring user activity in this manner, an organization can identify meaningful trends and focus training efforts where necessary. | | CCF: Suspicious Users Inv | CCF: Top Suspicious Users | |
17.9 | Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident. | Investigations and Web Console dashboards enable an organization to identify discrete and disaggregated activity on an individual user basis. By monitoring user activity in this manner, an organization can identify meaningful trends and focus training efforts where necessary. | | CCF: Suspicious Users Inv | CCF: Top Suspicious Users | |
Implementation Group 2
Control ID | Control Wording | Support Detail | AIE Rules | Investigations | Summary Reports | Detailed Report |
---|---|---|---|---|---|---|
1.3 | Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization’s hardware asset inventory. | CCF: Audit Logging Stopped Alarm CCF: Audit Disabled by Admin | CCF: Audit Log Inv | CCF: Audit Log Summary | ||
1.5 | Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network. | CCF: Malware Alarm CCF: Audit Logging Stopped Alarm CCF: PRD Envir Signature Failure Alarm | CCF: New Network Host Summary | |||
1.7 | Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. | CCF: Vulnerability Detected Alarm CCF: Blacklisted Egress Port Observed CCF: Blacklisted Ingress Port Observed | CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Vulnerability Detected Inv | CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Vulnerability Detected Summary | ||
2.3 | Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems. | CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Software Uninstall Failure Alarm | CCF: Applications Accessed By User Inv | CCF: Applications Accessed By User Summary | ||
3.1 | Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems. | CCF: Critical/PRD Envir Patch Failure Alarm CCF: Malware Alarm CCF: PRD Envir Signature Failure Alarm CCF: Vulnerability Detected Alarm | CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Malware Detected Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Vulnerability Detected Inv | CCF: Compromises Detected Summary CCF: Patch Activity Summary CCF: Malware Detected Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Vulnerability Detected Summary | ||
3.2 | Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested. | CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Vulnerability Detected Alarm | CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Vulnerability Detected Inv | CCF: Compromises Detected Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Vulnerability Detected Summary | ||
3.3 | Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses. | CCF: Multiple Failed Access Attempts CCF: Multiple Object Access Failures | CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Privileged Account Escalation Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Social Media Summary CCF: User Misuse Summary CCF: User Object Access Summary | CCF: Account Modification Summary CCF: Account Enabled Summary | |
3.6 | Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner. | CCF: Malware Alarm CCF: PRD Envir Signature Failure Alarm CCF: Vulnerability Detected Alarm | CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Malware Detected Inv CCF: Signature Activity Inv CCF: Vulnerability Detected Inv | CCF: Compromises Detected Summary CCF: Malware Detected Summary CCF: Signature Activity Summary CCF: Vulnerability Detected Summary | ||
3.7 | Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities. | Augment through Web Console | Augment through Web Console | Augment through Web Console | Augment through Web Console | Augment through Web Console |
4.1 | Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges. | CCF: Account Modification CCF: Linux sudo Privilege Escalation Attack CCF: Windows RunAs Privilege Escalation | CCF: Account Modification Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: Privileged Account Escalation Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Privileged Account Modification Inv | CCF: Access Success Summary CCF: Account Disabled Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: User Priv Escalation (SUDO) Summary CCF: User Priv Escalation (Windows) Summary | CCF: Unknown User Account Detail CCF: Account Modification Summary | |
4.5 | Use multi-factor authentication and encrypted channels for all administrative account access. | CCF: Account Modification CCF: Linux sudo Privilege Escalation Attack CCF: Windows RunAs Privilege Escalation | CCF: Host Access Granted And Revoked Inv CCF: Privileged Account Modification Inv | CCF: Access Success Summary CCF: Auth Success Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary | CCF: Account Enabled Summary | |
4.7 | Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities. | CCF: Multiple Failed Access Attempts CCF: Multiple Object Access Failures CCF: Powershell Executable CCF: Powershell Executed with Encoded Commands | CCF: Excessive Authentication Failure Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Privileged Account Escalation Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Object Access Summary | CCF: Account Modification Summary CCF: Account Enabled Summary | |
4.8 | Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. | CCF: Config Change After Attack CCF: Config Deleted/Disabled CCF: Config Modified CCF: Linux sudo Privilege Escalation Attack CCF: Windows RunAs Privilege Escalation CCF: Priv Group Access Granted Alarm CCF: User Added to Admin Group CCF: User Removed from Admin Group | CCF: Config/Policy Change Inv CCF: Suspicious Users Inv | CCF: Config/Policy Change Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Top Suspicious Users CCF: User Priv Escalation (SUDO) Summary CCF: User Priv Escalation (Windows) Summary | CCF: Unknown User Account Detail CCF: Account Modification Summary | |
4.9 | Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account. | CCF: Audit Disabled by Admin CCF: Auth After Numerous Failed Auths CCF: Excessive Authentication Failures Rule CCF: Priv Group Access Granted Alarm CCF: Audit Logging Stopped Alarm CCF: Linux sudo Privilege Escalation Attack CCF: Windows RunAs Privilege Escalation | CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Host Access Granted And Revoked Inv | CCF: Access Failure Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: User Priv Escalation (SUDO) Summary CCF: User Priv Escalation (Windows) Summary | CCF: Unknown User Account Detail CCF: Account Modification Summary | |
5.2 | Maintain secure images or templates for all systems in the enterprise based on the organization’s approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. | CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv | |||
5.3 | Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible. | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Multiple Failed Access Attempts CCF: Multiple Object Access Failures | CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary | ||
5.4 | Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | ||
5.5 | Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | ||
6.1 | Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent. | CCF: Time Sync Error Alarm | CCF: Time Sync Error Inv | CCF: Time Sync Error Summary | ||
6.3 | Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. | CCF: Audit Disabled by Admin CCF: Audit Logging Stopped Alarm | CCF: Audit Log Inv | CCF: Audit Log Summary | ||
6.4 | Ensure that all systems that store logs have adequate storage space for the logs generated. | CCF: Audit Disabled by Admin CCF: Audit Logging Stopped Alarm | CCF: Audit Log Inv | CCF: Audit Log Summary | ||
6.5 | Ensure that appropriate logs are being aggregated to a central log management system for analysis and review. | CCF: Audit Disabled by Admin CCF: Audit Logging Stopped Alarm | CCF: Audit Log Inv | CCF: Audit Log Summary | ||
6.6 | Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis. | Supported through SIEM deployment | CCF: Audit Log Inv | CCF: Audit Log Summary | ||
6.7 | On a regular basis, review logs to identify anomalies or abnormal events. | Augment through Web Console, Investigations, and Reports | CCF: Audit Log Inv | CCF: Audit Log Summary | ||
7.2 | Uninstall or disable any unauthorized browser or email client plugins or add-on applications. | CCF: Unauthorized Executable Observed | ||||
7.4 | Enforce network-based URL filters that limit a system’s ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization’s systems, whether they are physically at an organization’s facilities or not. | CCF: Malicious IP Communication CCF: Malicious URL | CCF: Suspected Wireless Attack Inv | CCF: Suspected Wireless Attack Summary | ||
7.6 | Log all URL requests from each of the organization’s systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems. | CCF: Audit Disabled by Admin CCF: Audit Logging Stopped Alarm CCF: Malicious IP Communication CCF: Malicious URL | CCF: Audit Log Inv CCF: Social Media Inv | CCF: Audit Log Summary CCF: Social Media Summary | ||
7.9 | Block all email attachments entering the organization’s email gateway if the file types are unnecessary for the organization’s business. | CCF: Multiple Failed Access Attempts CCF: Multiple Object Access Failures CCF: Suspicious Email Attachment | CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: User Object Access Inv | CCF: User Object Access Summary | ||
8.1 | Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization’s workstations and servers. | CCF: Malware Alarm CCF: PRD Envir Signature Failure Alarm CCF: Vulnerability Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm | CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Malware Detected Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv | CCF: Compromises Detected Summary CCF: Malware Detected Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary | ||
8.6 | Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting. | CCF: Malware Alarm CCF: Audit Disabled by Admin CCF: Audit Logging Stopped Alarm CCF: PRD Envir Signature Failure Alarm CCF: Vulnerability Detected Alarm | CCF: Audit Log Inv CCF: Malware Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Malware Detected Inv CCF: Signature Activity Inv CCF: Suspected Wireless Attack Inv CCF: Vulnerability Detected Inv | CCF: Audit Log Summary CCF: Compromises Detected Summary CCF: Malware Detected Summary CCF: Signature Activity Summary CCF: Suspected Wireless Attack Summary CCF: Vulnerability Detected Summary | ||
8.7 | Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains. | CCF: Audit Logging Stopped Alarm CCF: Domain Trust Modified CCF: External DNS Communication | CCF: Audit Log Inv | CCF: Audit Log Summary | ||
8.8 | Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash. | CCF: Audit Logging Stopped Alarm CCF: Powershell Executable CCF: PowerShell executed with Encoded Commands | CCF: Audit Log Inv | CCF: Audit Log Summary | ||
9.2 | Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system. | CCF: Blacklisted Egress Port Observed CCF: Blacklisted Ingress Port Observed | CCF: Suspected Wireless Attack Inv | CCF: Suspected Wireless Attack Summary | ||
9.3 | Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system. | CCF: Blacklisted Egress Port Observed CCF: Blacklisted Ingress Port Observed | CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv | CCF: Compromises Detected Summary | ||
10.3 | Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working. | CCF: Backup Failure Alarm CCF: Backup Information | CCF: Backup Activity Inv CCF: Critical Environment Error Inv | CCF: Backup Activity Summary CCF: Critical Environment Error Summary | ||
11.2 | All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need. | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: PRD Envir Config/Policy Change Alarm | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | ||
11.3 | Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered. | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: PRD Envir Config/Policy Change Alarm CCF: PRD Envir Signature Failure Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | ||
11.5 | Manage all network devices using multi-factor authentication and encrypted sessions. | CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | ||
11.6 | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: PRD Envir Config/Policy Change Alarm | CCF: Multiple Failed Access Attempts CCF: Multiple Object Access Failures CCF: Linux sudo Privilege Escalation Attack CCF: Windows RunAs Privilege Escalation | CCF: Object Access Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Social Media Summary CCF: User Misuse Summary CCF: User Object Access Summary CCF: User Priv Escalation (SUDO) Summary CCF: User Priv Escalation (Windows) Summary | CCF: Host Access Granted And Revoked Detail | |
12.2 | Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary. | | CCF: Blacklist Location Auth CCF: Port Misuse: 53 CCF: Port Misuse: 80 | | CCF: Suspected Wireless Attack Summary | |
12.3 | Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization’s network boundaries. | | CCF: Blacklist Location Auth CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Malicious IP Communication | CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Malware Detected Inv CCF: Suspected Wireless Attack Inv CCF: Vulnerability Detected Inv | CCF: Compromises Detected Summary CCF: Malware Detected Summary CCF: Suspected Wireless Attack Summary CCF: Vulnerability Detected Summary | |
12.6 | Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization’s network boundaries. | | CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv | CCF: Compromises Detected Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary | |
12.11 | Require all remote login access to the organization’s network to encrypt data in transit and use multi-factor authentication. | | CCF: Non-Encrypted Protocol Alarm | | | |
13.4 | Only allow access to authorized cloud storage or email providers. | | CCF: Multiple Failed Access Attempts CCF: Multiple Object Access Failures | CCF: Object Access Inv CCF: User Object Access Inv | CCF: User Object Access Summary | |
13.7 | If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained. | | CCF: Data Loss Prevention | CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: User Object Access Summary | |
14.3 | Disable all workstation-to-workstation communication to limit an attacker’s ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or microsegmentation. | | CCF: Admin Password Modified CCF: Pass the Hash CCF: Credential Dumping CCF: Lateral Movement then Exfil | | | |
14.4 | Encrypt all sensitive information in transit. | | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
15.1 | Maintain an inventory of authorized wireless access points connected to the wired network. | | CCF: New Network Host CCF: New Wireless Host | CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv | CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary | |
15.2 | Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network. | | CCF: New Wireless Host CCF: Rogue Access Point Alarm | CCF: Rogue Access Point Inv | CCF: Rogue Access Point Summary | |
15.3 | Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network. | | CCF: New Wireless Host CCF: Rogue Access Point Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Suspected Wireless Attack Inv | CCF: Suspected Wireless Attack Summary | |
15.6 | Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients. | | CCF: Admin Password Modified CCF: Pass the Hash CCF: Credential Dumping CCF: Lateral Movement then Exfil | CCF: Suspected Wireless Attack Inv | CCF: Suspected Wireless Attack Summary | |
15.9 | Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose. | | | CCF: Suspected Wireless Attack Inv | CCF: Suspected Wireless Attack Summary | |
16.7 | Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails. | | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
16.10 | Ensure that all accounts have an expiration date that is monitored and enforced. | | CCF: Blacklisted Account Alarm | CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: Privileged Account Escalation Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Disabled Summary CCF: Auth Success Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Misuse Summary | CCF: Unknown User Account Detail CCF: Account Modification Summary |
16.12 | Monitor attempts to access deactivated accounts through audit logging. | | CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Blacklisted Account Alarm CCF: Disabled Account Auth Success CCF: Local Account Created and Used | CCF: Account Modification Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Access Failure Summary CCF: Access Success Summary CCF: Account Disabled Summary CCF: Auth Success Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: User Priv Escalation (SUDO) Summary CCF: User Priv Escalation (Windows) Summary | CCF: Host Access Granted And Revoked Detail CCF: Account Modification Summary CCF: Account Enabled Summary CCF: Account Deleted Summary |
17.1 | Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap. | | CCF: Account Deleted Rule CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Blacklisted Account Alarm CCF: Disabled Account Auth Success | CCF: Account Modification Inv CCF: Deleted Account Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: Unknown User Account Inv | CCF: Access Success Summary CCF: Account Disabled Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Account Modification Summary CCF: Account Enabled Summary CCF: Account Deleted Summary |
18.3 | Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations. | | CCF: Disabled Account Auth Success CCF: Account Disabled Rule CCF: Account Enabled Rule CCF: Account Modification CCF: Blacklisted Account Alarm | CCF: Account Modification Inv CCF: Disabled Account Inv CCF: Enabled Account Inv CCF: Excessive Authentication Failure Inv CCF: Privileged Account Escalation Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Access Failure Summary CCF: Account Disabled Summary CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Priv Account Management Activity Summary CCF: Priv Authentication Activity Summary CCF: Term Account Activity Summary CCF: User Misuse Summary CCF: User Priv Escalation (SUDO) Summary CCF: User Priv Escalation (Windows) Summary | CCF: Account Modification Summary CCF: Account Enabled Summary CCF: Account Deleted Summary |
18.5 | Use only standardized, currently accepted, and extensively reviewed encryption algorithms. | | | CCF: Object Access Inv CCF: User Misuse Inv CCF: User Object Access Inv | CCF: Top Suspicious Users CCF: User Misuse Summary CCF: User Object Access Summary | |
18.8 | Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group. | | CCF: Critical/PRD Envir Patch Failure Alarm | CCF: Applications Accessed By User Inv CCF: Patch Activity Inv | CCF: Applications Accessed By User Summary CCF: Patch Activity Summary | |
18.9 | Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments. | | CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
18.10 | Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed. | | CCF: Critical/PRD Envir Patch Failure Alarm CCF: Malware Alarm CCF: Software Vulnerability CCF: Vulnerability Detected Alarm | CCF: Applications Accessed By User Inv | CCF: Applications Accessed By User Summary | |
18.11 | For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested. | | | CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: User Object Access Inv | CCF: User Object Access Summary | |
20.1 | Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks. | | CCF: Vulnerability Detected Alarm CCF: Port Misuse: 53 CCF: Port Misuse: 80 | CCF: Denial of Service Inv CCF: Vulnerability Detected Inv | CCF: Vulnerability Detected Summary | |
20.2 | Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. | | CCF: Critical/PRD Envir Patch Failure Alarm CCF: Vulnerability Detected Alarm | CCF: Critical Environment Error Inv | CCF: Critical Environment Error Summary | |
20.8 | Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over. | | CCF: Config Change then Critical Error CCF: Multiple Failed Access Attempts CCF: Multiple Object Access Failures | CCF: Critical Environment Error Inv CCF: Object Access Inv CCF: User Object Access Inv | CCF: Critical Environment Error Summary CCF: User Object Access Summary | |
| | | | CCF: Vulnerability Detected Alarm | CCF: User Misuse Inv CCF: Suspicious Users Inv | CCF: Top Suspicious Users CCF: User Misuse Summary CCF: Vulnerability Detected Summary | |
| | | | CCF: Account Modification | CCF: Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Suspicious Users Inv | CCF: Access Success Summary CCF: Auth Success Summary CCF: Social Media Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: User Priv Escalation (SUDO) Summary CCF: User Priv Escalation (Windows) Summary | CCF: Account Modification Summary CCF: Account Enabled Summary |
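Control 16.12 in the table above ("Monitor attempts to access deactivated accounts through audit logging") is mapped to the "Disabled Account Auth Success" AIE rule. The rule is stateful: it has to remember which accounts have been disabled or deleted and then match later logon events against that set, clearing the state when an account is re-enabled. The following is an added illustration of that correlation, written for this page; it is not LogRhythm's rule logic or any code from the original. The Windows Security event IDs are the real ones (4722, 4725, 4726, 4624, 4625); the account names, hosts and timestamps are constructed sample data, and the input is deliberately out of order because events from different log sources rarely arrive sorted.

```python
"""Stateful correlation: logon attempts by an account that is currently disabled or deleted.

Added example for this page, not LogRhythm's implementation. Event IDs are the real
Windows Security IDs; the sample events below are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Windows Security event IDs relevant to CIS 16.12
ACCOUNT_ENABLED = 4722    # "A user account was enabled"
ACCOUNT_DISABLED = 4725   # "A user account was disabled"
ACCOUNT_DELETED = 4726    # "A user account was deleted"
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625


@dataclass(frozen=True)
class Event:
    ts: int          # epoch seconds from the log source
    event_id: int    # Windows Security event ID
    target: str      # TargetUserName: the account the event is about
    host: str        # host that wrote the event


def correlate(events: Iterable[Event]) -> List[dict]:
    """Replay events in time order and alert on any logon attempt by a deactivated account.

    - 4725/4726 puts the account into the 'deactivated' set (ts kept for the alert).
    - 4722 removes it: once an account is legitimately re-enabled its logons are normal again.
    - 4624 by a deactivated account is high severity (it should be impossible if the
      disable took effect everywhere, e.g. cached or local credentials still working).
    - 4625 by a deactivated account is medium: the control asks to monitor *attempts*,
      and repeated failures against a terminated user's account are a common sign of
      someone trying leftover credentials.
    Account names are compared case-insensitively, as Windows does.
    """
    deactivated: Dict[str, int] = {}
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        acct = ev.target.lower()
        if ev.event_id in (ACCOUNT_DISABLED, ACCOUNT_DELETED):
            deactivated[acct] = ev.ts
        elif ev.event_id == ACCOUNT_ENABLED:
            deactivated.pop(acct, None)
        elif ev.event_id in (LOGON_SUCCESS, LOGON_FAILURE) and acct in deactivated:
            alerts.append({
                "account": acct,
                "host": ev.host,
                "ts": ev.ts,
                "deactivated_at": deactivated[acct],
                "severity": "high" if ev.event_id == LOGON_SUCCESS else "medium",
            })
    return alerts


# Constructed sample stream (not real logs), intentionally out of order.
SAMPLE_EVENTS = [
    Event(1200, LOGON_SUCCESS, "jdoe", "WS1"),     # success while disabled -> high
    Event(900, LOGON_SUCCESS, "asmith", "WS2"),    # unrelated, never disabled
    Event(1000, ACCOUNT_DISABLED, "JDoe", "DC1"),  # HR termination; note the case
    Event(1100, LOGON_FAILURE, "jdoe", "WS1"),     # attempt while disabled -> medium
    Event(1300, ACCOUNT_ENABLED, "jdoe", "DC1"),   # re-enabled by an admin
    Event(1400, LOGON_SUCCESS, "jdoe", "WS1"),     # after re-enable: no alert
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Two details matter in practice: the rule must be keyed on the account as the directory sees it (case-insensitive, and ideally domain-qualified, which the sample omits), and the re-enable event should itself be reported through the separate "Account Enabled" content listed in the same row, because an attacker with admin rights can re-enable a dormant account precisely to avoid this correlation.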
Implementation Group 3
Control ID | Control Wording | Support Detail | AIE Rules | Investigations | Summary Reports | Detailed Report |
---|---|---|---|---|---|---|
1.8 | Use client certificates to authenticate hardware assets connecting to the organization’s trusted network. | | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
2.7 | Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets. | | CCF: Software Install Rule CCF: Software Uninstall Rule CCF: Software Uninstall Failure Alarm CCF: Unauthorized Executable Observed | | | |
2.8 | The organization’s application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process. | | CCF: Unauthorized Executable Observed | | | |
2.9 | The organization’s application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system. | | CCF: Unauthorized Executable Observed | | | |
6.8 | On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise. | Augmented through SIEM deployment. | Augmented through SIEM deployment. | Augmented through SIEM deployment. | Augmented through SIEM deployment. | Augmented through SIEM deployment. |
7.10 | Use sandboxing to analyze and block inbound email attachments with malicious behavior. | | CCF: Suspicious Email Attachment | | | |
9.5 | Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged. | | CCF: Significant Outbound Traffic Increase CCF: Port Misuse: 53 CCF: Port Misuse: 80 CCF: New Process and Traffic Destination CCF: Attack then Inbound Traffic | | | |
12.7 | Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization’s network boundaries. | | CCF: Significant Outbound Traffic Increase CCF: Port Misuse: 53 CCF: Port Misuse: 80 CCF: New Process and Traffic Destination CCF: Attack then Inbound Traffic | | | |
12.10 | Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. | | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
13.3 | Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals. | | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Multiple Failed Access Attempts CCF: Multiple Object Access Failures CCF: Unauthorized Data Transfer | CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary | |
13.5 | Monitor all traffic leaving the organization and detect any unauthorized use of encryption. | | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Multiple Failed Access Attempts CCF: Multiple Object Access Failures CCF: Unauthorized Data Transfer | CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary | |
13.9 | If USB storage devices are required, all data stored on such devices must be encrypted while at rest. | | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
14.5 | Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider, and update the organization’s sensitive information inventory. | | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Multiple Failed Access Attempts CCF: Multiple Object Access Failures CCF: Unauthorized Data Transfer | CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary | |
14.8 | Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information. | | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
14.9 | Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). | | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM Delete Activity Alarm CCF: FIM General Activity CCF: FIM Information CCF: Multiple Failed Access Attempts CCF: Multiple Object Access Failures CCF: Unauthorized Data Transfer | CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: User Object Access Inv | CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary | |
15.8 | Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which require mutual, multi-factor authentication. | | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
16.13 | Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration. | | CCF: Abnormal Auth Behavior CCF: Abnormal Amount of Data Transferred CCF: Abnormal FIM Activity CCF: Abnormal Origin Location CCF: Abnormal Process Activity | | CCF: Auth Failure Summary CCF: Auth Success Summary CCF: Top Suspicious Users | |
19.8 | Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures. | Augmented through Web Dashboard and incident scoring. | Augmented through Web Dashboard and incident scoring. | Augmented through Web Dashboard and incident scoring. | Augmented through Web Dashboard and incident scoring. | Augmented through Web Dashboard and incident scoring. |
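Several rows in both tables (14.4 "Encrypt all sensitive information in transit", 12.10 on boundary decryption, 15.8 on EAP/TLS, among others) rely on the "Early TLS/SSL Alarm". Whatever feeds that alarm has to decide which protocol version a client is really offering, and the obvious check is wrong: a TLS 1.3 client puts 0x0303 (TLS 1.2) in the ClientHello's legacy_version field, may put 0x0301 (TLS 1.0) in the record layer for middlebox compatibility, and lists the versions it actually supports in the supported_versions extension (type 43). The following added example, written for this page and not taken from LogRhythm or any product content, parses a ClientHello far enough to recover the offered versions and classifies it. The ClientHello bytes are constructed by the small builder in the block (one cipher suite, no SNI), which is an assumption for the demo, not captured traffic; the byte layout follows RFC 5246 / RFC 8446.

```python
"""Classify a TLS ClientHello as 'early TLS/SSL' from the versions it actually offers.

Added example for this page; not LogRhythm's alarm logic. Sample ClientHellos are
constructed by build_client_hello(), not captured."""
import struct
from typing import List, Optional

SUPPORTED_VERSIONS_EXT = 43          # RFC 8446 extension type
MINIMUM_ACCEPTABLE = 0x0303          # TLS 1.2; anything below is "early TLS/SSL"
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1",
                 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def naive_record_version(data: bytes) -> int:
    """Record-layer version only. Kept to show why this check misclassifies TLS 1.3 clients."""
    return struct.unpack("!H", data[1:3])[0]


def client_hello_versions(data: bytes) -> List[int]:
    """Return every protocol version the ClientHello offers, highest first where the
    client ordered them so. Uses supported_versions when present, else legacy_version."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + hello[pos]                          # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                          # compression_methods
    if pos >= len(hello):                          # no extensions at all (pre-1.3 client)
        return [legacy_version]
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if etype == SUPPORTED_VERSIONS_EXT:
            n = hello[pos]                         # length in bytes of the version list
            return [struct.unpack("!H", hello[pos + 1 + i:pos + 3 + i])[0] for i in range(0, n, 2)]
        pos += elen
    return [legacy_version]


def early_tls(data: bytes) -> bool:
    """True when the client cannot negotiate anything at TLS 1.2 or better."""
    return max(client_hello_versions(data)) < MINIMUM_ACCEPTABLE


def offers_legacy(data: bytes) -> bool:
    """True when any offered version is below TLS 1.2, even if a modern one is offered too.
    Useful as a lower-severity signal: the server decides whether the downgrade happens."""
    return any(v < MINIMUM_ACCEPTABLE for v in client_hello_versions(data))


def build_client_hello(legacy_version: int, supported: Optional[List[int]]) -> bytes:
    """Constructed minimal ClientHello for the demo (one suite, null compression, no SNI).
    The record layer carries 0x0301, as RFC 8446 permits for an initial ClientHello."""
    body = struct.pack("!H", legacy_version) + bytes(32)        # legacy_version, random
    body += b"\x00"                                               # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"                    # TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                           # compression: null
    if supported is not None:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(vers) + 1) + bytes([len(vers)]) + vers
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples covering the cases a detection has to get right.
SAMPLES = {
    "tls13_client": build_client_hello(0x0303, [0x0304, 0x0303]),   # modern; record says 0x0301
    "tls12_only": build_client_hello(0x0303, None),                 # pre-1.3 style, fine
    "tls10_only": build_client_hello(0x0301, None),                 # genuinely early TLS
    "tls12_and_10": build_client_hello(0x0303, [0x0303, 0x0301]),   # offers legacy, can do 1.2
}


if __name__ == "__main__":
    for name, hello in SAMPLES.items():
        offered = [VERSION_NAMES.get(v, hex(v)) for v in client_hello_versions(hello)]
        print(f"{name:14} record={VERSION_NAMES[naive_record_version(hello)]:6} "
              f"offered={offered} early={early_tls(hello)} legacy_offered={offers_legacy(hello)}")
```

For the tls13_client sample the record-layer check reports TLS 1.0 while the client actually offers 1.3 and 1.2, so a version-from-record rule fires on every modern browser; parsing supported_versions removes that false positive. The converse caveat is that the ClientHello only shows what the client is willing to do: whether the session really ends up on TLS 1.0 is decided by the ServerHello, so a proxy or load balancer log that records the negotiated version is the better source when one is available, and offers_legacy() is the right severity for ClientHello-only visibility.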