System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. [SP 800-94] provides guidance on intrusion detection and prevention systems.

Priority: High

Category: Vulnerability Management

Services Associated with AWS:

  1. AWS Systems Manager
  2. Amazon Inspector
  3. AWS Security Hub
  4. AWS Config

Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Administrative: supporting documentation of how anti-malware solutions are deployed and maintained
  • Technical: screenshot of anti-malware configuration settings

Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Antimalware Solution

What needs to be answered?

Does the company update information system protection mechanisms (e.g., anti-virus signatures) within 5 days of new releases? Are these updates completed in accordance with configuration management policy and procedures?

  • Malicious Code Protection Mechanism Update Check
    Description: This check verifies that malicious code protection mechanisms, such as anti-virus signature definitions and reputation-based technologies, are regularly updated with the latest releases. It ensures that organizations have processes in place to receive updates from vendors or trusted sources and apply them promptly to the relevant systems.
  • Comprehensive Software Integrity Control Check
    Description: This check ensures that comprehensive software integrity controls, including pervasive configuration management, are implemented to prevent the execution of unauthorized code. It verifies that organizations have processes in place to update these controls when new releases or patches are available, thereby strengthening protection against malicious code.
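The update check above is something an assessor can run against an endpoint inventory rather than take from a screenshot. The following is an added example, not part of this assessment page or of any AWS service; it assumes a constructed inventory in which each endpoint agent reports the date of its anti-malware definitions (the `host` and `definitions_date` fields are hypothetical), compares that date with the vendor's latest definition release, and applies the 5-day window from the question. Hosts that report no usable date are listed as findings rather than silently treated as compliant.

```python
from datetime import date

MAX_LAG_DAYS = 5  # window stated in the assessment question

# Constructed sample inventory (not real hosts): the definition date each
# endpoint agent reports. Field names are hypothetical.
SAMPLE_INVENTORY = [
    {"host": "web-01", "definitions_date": "2024-05-10"},
    {"host": "app-01", "definitions_date": "2024-05-09"},
    {"host": "web-02", "definitions_date": "2024-05-03"},
    {"host": "db-01", "definitions_date": None},
    {"host": "bastion-01", "definitions_date": "05/12/2024"},  # wrong format
]


def parse_iso_date(value):
    """Return a date for an ISO 'YYYY-MM-DD' string, or None if missing or unparseable."""
    if not value:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def classify_host(definitions_date, latest_release, as_of, max_lag_days=MAX_LAG_DAYS):
    """Classify one host's definitions relative to the vendor's latest release.

    current  - host already has the latest (or a newer) release
    pending  - host is behind, but the release is still inside the window
    overdue  - host is behind and the window has elapsed
    unknown  - no usable date was reported (a finding, not a pass)
    """
    host_date = parse_iso_date(definitions_date)
    if host_date is None:
        return "unknown"
    if host_date >= latest_release:
        return "current"
    if (as_of - latest_release).days <= max_lag_days:
        return "pending"
    return "overdue"


def evaluate_inventory(inventory, latest_release, as_of, max_lag_days=MAX_LAG_DAYS):
    """Group hosts by status; 'overdue' and 'unknown' are the lists an assessor
    would ask to see, together with the window that was applied."""
    report = {"current": [], "pending": [], "overdue": [], "unknown": []}
    for record in inventory:
        status = classify_host(record.get("definitions_date"), latest_release, as_of, max_lag_days)
        report[status].append(record["host"])
    return report


if __name__ == "__main__":
    latest = date(2024, 5, 9)  # constructed vendor release date
    # Three days after the release nobody is overdue yet; seven days after, web-02 is.
    for as_of in (date(2024, 5, 12), date(2024, 5, 16)):
        print(as_of, evaluate_inventory(SAMPLE_INVENTORY, latest, as_of))
```

Feeding real data into this means exporting the definition date from whatever reports it (an endpoint agent, a Systems Manager inventory query, or the anti-malware console) into the same simple record shape; the classification logic does not change.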

More Details:

Malicious code protection systems are updated automatically upon release of new definitions.