System and Information Integrity¶

• a. Identify, report, and correct system flaws;
• b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
• c. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
• d. Incorporate flaw remediation into the organizational configuration management process.

Determine if system components have applicable security-relevant software and firmware updates installed using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency].

• a. Monitor the system to detect:
  • 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and
  • 2. Unauthorized local, network, and remote connections;
• b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];
• c. Invoke internal monitoring capabilities or deploy monitoring devices:
  • 1. Strategically within the system to collect organization-determined essential information; and
  • 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
• d. Analyze detected events and anomalies;
• e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
• f. Obtain legal opinion regarding system monitoring activities; and
• g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection: one or more of: as needed].

Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.

Employ automated tools and mechanisms to support near real-time analysis of events.

• (a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;
• (b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions].

Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

• a. Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
• b. Generate internal security alerts, advisories, and directives as deemed necessary;
• c. Disseminate security alerts, advisories, and directives to: [Assignment: si-05_odp.02]; and
• d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

• a. Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and
• b. Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.