Sample Threat Monitoring Standard:
Document History
| Version | Date | Revised By | Description |
| 1.0 | 1 January 2010 <Current date> | Michael D. Peters <Owners's name> | This version replaces any prior version. |
Document Certification
| Description | Date Parameters |
| Designated document recertification cycle in days: | 30 - 90 - 180 - 365 <Select cycle> |
| Next document recertification date: | 1 July 2010 <Date> |
Sample Threat Monitoring Standard
The <Your Company Name> (the "Company) Sample Threat Assessment and Monitoring Policy defines objectives for establishing specific standards on the assessment and ongoing monitoring of threats to Company information assets.
This Threat Monitoring Standard builds on the objectives established in the Sample Threat Assessment and Monitoring Policy, and provides specific instructions and requirements for performing threat monitoring activities including automated detection, manual detection, information review and analysis, as well as metrics tracking and reporting.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to and use of Company information assets, are covered by this standard and must comply with associated guidelines and procedures.
False positive refers to an indication that a system or service appears to be vulnerable, when in fact it is not.
Information assets are defined in the Sample Asset Identification and Classification Policy.
Incident refers to an anomalous event that may indicate a security intrusion.
Intrusion refers to malicious activity on or directed towards a system, application, network, or network device.
Threats are the intentional or accidental actions, activities or events that can adversely impact Company information assets, as well as the sources, such as the individuals, groups, or organizations, of these events and activities.
Threat Ratings are defined in the Sample Threat Assessment Standard.
II.Requirements
A. General
- 1. The monitoring frequency for threat activity will be based on the Threat Rating:
- 1. The monitoring frequency for threat activity will be based on the Threat Rating:
- High (Priority 1) threat activity must be monitored 7x24 in near real-time.
- Medium (Priority 2) threat activity must be monitored 7x24 in near real-time.
- Low (Priority 3) threat activity must be constantly collected and reviewed at least once per day.
- High (Priority 1) threat activity must be monitored 7x24 in near real-time.
- 2. Procedural tasks will be performed by authorized personnel, in accordance with the SIRT Routine Operations Procedure, to routinely process security incidents and intrusion detected by automated or manual detection methods.
- 2. Procedural tasks will be performed by authorized personnel, in accordance with the SIRT Routine Operations Procedure, to routinely process security incidents and intrusion detected by automated or manual detection methods.
B. Automated detection
- 1. Baseline configurations should be defined and established, in accordance with the SIRT Routine Operations Procedure, for Company threat monitoring or intrusion detection technologies that automatically analyze server and network activities for security incidents and intrusions. These baseline configurations should include:
- 1. Baseline configurations should be defined and established, in accordance with the SIRT Routine Operations Procedure, for Company threat monitoring or intrusion detection technologies that automatically analyze server and network activities for security incidents and intrusions. These baseline configurations should include:
- Default and custom signatures that are applicable to deployed server or network technologies and configurations.
- Default and custom signatures that reinforce implemented access controls.
- Default and custom signatures that address findings from vulnerability or threat assessment activities.
- Default and custom signatures that are applicable to deployed server or network technologies and configurations.
- 2. Company threat monitoring or intrusion detection technologies should be configured to automatically send notification to appropriate personnel based on the Threat Rating and in accordance with the SIRT Routine Operations Procedure.
- 2. Company threat monitoring or intrusion detection technologies should be configured to automatically send notification to appropriate personnel based on the Threat Rating and in accordance with the SIRT Routine Operations Procedure.
- 3. Company threat monitoring or intrusion detection technologies should be configured to perform automated responses to detected security incidents and intrusions based on the Threat Rating and in accordance with the SIRT Routine Operations Procedure.
- 3. Company threat monitoring or intrusion detection technologies should be configured to perform automated responses to detected security incidents and intrusions based on the Threat Rating and in accordance with the SIRT Routine Operations Procedure.
- 4. Company threat monitoring or intrusion detection technologies should be configured for automated notification and/or downloading of new attack signatures or software patches.
- 4. Company threat monitoring or intrusion detection technologies should be configured for automated notification and/or downloading of new attack signatures or software patches.
- 5. All signatures and configuration of Company threat monitoring or intrusion detection technologies should be tested and tuned prior to implementation to avoid false positives and undesired results.
- 5. All signatures and configuration of Company threat monitoring or intrusion detection technologies should be tested and tuned prior to implementation to avoid false positives and undesired results.
- 6. Company threat monitoring or intrusion detection technologies must be protected from malicious or unauthorized activities including but not limited to attempts to deactivate, modify, or delete signatures, auditing features, configuration files, and/or audit logs.
- 6. Company threat monitoring or intrusion detection technologies must be protected from malicious or unauthorized activities including but not limited to attempts to deactivate, modify, or delete signatures, auditing features, configuration files, and/or audit logs.
- 7. Configuration changes to Company threat monitoring or intrusion detection technologies should be audited or logged.
- 7. Configuration changes to Company threat monitoring or intrusion detection technologies should be audited or logged.
C. Manual Detection
- 1. Manual detection or reviewing audit logs should be performed to avoid sole reliance on the automated threat monitoring or intrusion detection technologies.
- 1. Manual detection or reviewing audit logs should be performed to avoid sole reliance on the automated threat monitoring or intrusion detection technologies.
- 2. Manual detection activities should be limited to the system and network infrastructure directly protected by automated threat monitoring or intrusion detection technologies.
- 2. Manual detection activities should be limited to the system and network infrastructure directly protected by automated threat monitoring or intrusion detection technologies.
- 3. Manual detection should be performed on critical systems, networks, and/or for events not detected by automated threat monitoring or intrusion detection technologies.
- 3. Manual detection should be performed on critical systems, networks, and/or for events not detected by automated threat monitoring or intrusion detection technologies.
- 4. Relevant audit events and logs should be forwarded to and consolidated on a central location to support manual detection and correlation activities, as well as avoid local tampering and/or destruction of critical audit data.
- 4. Relevant audit events and logs should be forwarded to and consolidated on a central location to support manual detection and correlation activities, as well as avoid local tampering and/or destruction of critical audit data.
- 5. Manual detection and log review processes and procedures must specify:
- 5. Manual detection and log review processes and procedures must specify:
- Log file name and location
- System or Device Name
- Log Reviewer (i.e. who will review the log?)
- Log Review Frequency (i.e. how often will the log be reviewed?)
- Log Review Method (i.e. what commands and/or utilities will be used?)
- Security Incidents (i.e. what security incidents will be searched for?)
- Log file name and location
D. Information Review and Analysis
- 1. Threat information shall be reviewed and analyzed from internal sources, including automated threat monitoring and intrusion detection, audit logs, and applications, to maintain awareness of active threats to Company information assets.
- 1. Threat information shall be reviewed and analyzed from internal sources, including automated threat monitoring and intrusion detection, audit logs, and applications, to maintain awareness of active threats to Company information assets.
- 2. Threat information shall be reviewed and analyzed from external sources, including security advisories and relevant mailing list, to maintain awareness of Information Security threats.
- 2. Threat information shall be reviewed and analyzed from external sources, including security advisories and relevant mailing list, to maintain awareness of Information Security threats.
E. Metrics Tracking and Reporting
- 1. The following information should be captured and updated for each detected security incident and intrusion (if applicable):
- 1. The following information should be captured and updated for each detected security incident and intrusion (if applicable):
- Incident Number
- Help Desk Ticket Number
- Incident Detection Date and Time
- Validating Staff (SIRT or staff member that validated the incident)
- Incident Status
- Threat Rating/Incident Category
- Intrusion Detection Data
- Incident Response Data
- Incident Recovery Data
- Close Date
- Incident Number
- 2. The following incident detection metrics should be routinely tracked by Threat Rating or incident category:
- 2. The following incident detection metrics should be routinely tracked by Threat Rating or incident category:
- Number of High (Priority 1) incidents
- Number of Medium (Priority 2) incidents
- Number of Low (Priority 3) incidents
- Number of High (Priority 1) incidents
- 3. The following incident detection metrics should be routinely tracked:
- 3. The following incident detection metrics should be routinely tracked:
- Number of incidents detected
- Number of incidents requiring response activities
- Number of incidents requiring recovery activities
- Number of incidents detected
- 4. The following incident detection method metrics should be routinely tracked by detection method:
- 4. The following incident detection method metrics should be routinely tracked by detection method:
- Number of incidents detected by automated threat monitoring and intrusion detection technologies
- Number of incidents detected by manual detection methods
- Number of incidents detected by automated threat monitoring and intrusion detection technologies
- 5. The following incident detection method metrics should be routinely tracked by current status:
- 5. The following incident detection method metrics should be routinely tracked by current status:
- Number of incidents with a status of Open
- Number of incidents with a status of Response
- Number of incidents with a status of Recovery
- Number of incidents with a status of Closed-False Positive
- Number of incidents with a status of Closed-Resolved
- Number of incidents with a status of Open
- 6. Threat monitoring and intrusion detection status reports will be developed and distributed to authorized personnel, in accordance with the SIRT Routine Operations Procedure, to facilitate effective communication of threat monitoring and intrusion detection activities.
- 6. Threat monitoring and intrusion detection status reports will be developed and distributed to authorized personnel, in accordance with the SIRT Routine Operations Procedure, to facilitate effective communication of threat monitoring and intrusion detection activities.
- 7. Threat monitoring metrics and status reports should be retained for a minimum of two (2) years or as prescribed by legal or regulatory requirements.
- 7. Threat monitoring metrics and status reports should be retained for a minimum of two (2) years or as prescribed by legal or regulatory requirements.
III. Responsibilities
The Chief Information Security Officer (CISO) approves the Threat Monitoring Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Threat Monitoring Standard.
Company management is responsible for ensuring that the Threat Monitoring Standard is properly communicated and understood within its respective organizational units. Company management also is responsible for planning threat monitoring activities.
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining process and procedures that are consistent with the Threat Monitoring Standard and associated guidelines; ensuring threat activity is monitored and detected; ensuring plans to deter threats and threat sources are developed and implemented; and monitoring the status of threat monitoring and detection activities;
Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information assets; reviewing and monitoring internal and external sources to identify the latest threats to information assets; performing assigned threat monitoring and intrusion detection duties and tasks; cooperating and adhering to processes and procedures for monitoring, detecting, and deterring threats; and providing timely status updates to support accurate threat monitoring and detection metric efforts.
Users are the individuals, groups, or organizations authorized by the Owner to access to information assets. Users are responsible for reporting suspected or actual threat activity to <Specify Contact> in a timely manner.
IV.Enforcement and Exception Handling
Failure to comply with the Threat Monitoring Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Threat Monitoring Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Threat Monitoring Standard.
V.Review and Revision
The Threat Monitoring Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Security Officer
- Chief Information Security Officer