IR-05 Incident Monitoring

Baselines

Guidance

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.

References 1

• SP 800-61 Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2.

Control Enhancements 1

• IR-05(01) Automated Tracking, Data Collection, and Analysis L M H P

Related controls 12

• AU-06 Audit Record Review, Analysis, and Reporting L M H P
• AU-07 Audit Record Reduction and Report Generation L M H P
• IR-04 Incident Handling L M H P
• IR-06 Incident Reporting L M H P
• IR-08 Incident Response Plan L M H P
• PE-06 Monitoring Physical Access L M H P
• PM-05 System Inventory L M H P
• SC-05 Denial-of-service Protection L M H P
• SC-07 Boundary Protection L M H P
• SI-03 Malicious Code Protection L M H P
• SI-04 System Monitoring L M H P
• SI-07 Software, Firmware, and Information Integrity L M H P