SI-04-727 Information System Monitoring

SI-04-727
Information System Monitoring
System and Information Integrity
Detect
Security Monitoring and Event Analysis
LOW, MOD, HIGH
P1
Yes
May 20, 2016

The Agency uses a collection of network defense systems that provide internal and hosted monitoring for indicators of potential or actual attacks against the Agency network.

Suspicious or anomalous activities are not detected because no intrusion detection systems are in place.
The organization:
a. Monitors the information system to detect:
   1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
   2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices:
   (i) strategically within the information system to collect organization-determined essential information; and
   (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
The organization has effective tools and processes in place to proactively detect and respond to security threats and events, through:
a. effectively placed and configured intrusion detection system(s) and/or intrusion prevention system(s) that guard against, or monitor for, malicious network traffic at the perimeter;
b. effective placement and use of monitoring tools (e.g., DLP, SIEM, NetFlow) with configured use cases applicable to the information system, so that potential events relevant to that system are detected;
c. effective monitoring processes (e.g., handling of IDS/IPS alerts) so that timely action is taken; and
d. defined processes (e.g., use cases) that guide responders to the appropriate level of action.
Each state organization head or his/her designated representative and information security officer shall establish a security strategy that includes perimeter protection. The department will provide security information management services to include external network monitoring, scanning, and alerting for state organizations that utilize State information resources as specified in Chapters 2054 and 2059, Government Code. Perimeter security controls may include some or all of the following components: DMZ, firewall, intrusion detection or prevention system, or router.
Obtain the system and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols documentation; the types of activities or conditions considered unusual or unauthorized; the security plan; and other relevant documents or records, and ascertain whether:
(i) the organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system;
(ii) the organization deploys monitoring devices strategically within the information system (e.g., at selected perimeter locations, near server farms supporting critical applications) to collect essential information;
(iii) the organization deploys monitoring devices at ad hoc locations within the information system to track specific transactions;
(iv) the organization uses the monitoring devices to track the impact of security changes to the information system;
(v) the organization determines the granularity of the information collected based upon its monitoring objectives and the capability of the information system to support such activities;
(vi) the organization consults appropriate legal counsel with regard to all information system monitoring activities;
(vii) the organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation, based on law enforcement information, intelligence information, or other credible sources of information;
(viii) the organization employs automated tools to support near-real-time analysis of events;
(ix) the organization identifies the types of activities or conditions considered unusual or unauthorized;
(x) the information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions;
(xi) the organization defines in the security plan, explicitly or by reference, indications of compromise or potential compromise to the security of the information system; and
(xii) the information system provides a real-time alert when any of the organization-defined indicators of compromise, or potential compromise, occurs.
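The implementation description above speaks of "configured use cases" for SIEM or NetFlow data, and assessment items (x) and (xii) ask whether inbound and outbound communications are monitored and whether a real-time alert fires on a defined indicator. The following is an added example, not code from this control catalog or from any Agency tooling, of what such use cases look like when written down: a small rule set run over constructed NetFlow-style records that flags unauthorized remote and local connections (SI-4 a.2), unexpected egress ports (SI-4 b.), and an egress-volume threshold that tightens under heightened monitoring (SI-4 e.), followed by an HMAC chain over the resulting alert records so that later modification or deletion of monitoring output is detectable (SI-4 d.). Every address, port, threshold, key and flow record is an assumption chosen to exercise the rules; no real traffic is represented.

```python
"""SI-4 style monitoring use cases over flow records.

Added example, not code from the control catalog. Every address, port,
threshold, key and flow record below is a constructed assumption.
"""
import hashlib
import hmac
import ipaddress
import json
from collections import defaultdict

# Constructed NetFlow-like records: (timestamp, src, dst, dst_port, proto, bytes).
SAMPLE_FLOWS = [
    ("2016-05-20T10:00:01Z", "10.1.1.20", "93.184.216.34", 443, "tcp", 4200),
    ("2016-05-20T10:00:05Z", "10.1.1.20", "10.0.0.10", 53, "udp", 120),
    ("2016-05-20T10:00:09Z", "203.0.113.7", "10.1.2.30", 3389, "tcp", 900),
    ("2016-05-20T10:00:12Z", "10.1.1.21", "198.51.100.9", 4444, "tcp", 65000),
    ("2016-05-20T10:00:15Z", "10.1.1.22", "10.1.2.30", 22, "tcp", 300),
    ("2016-05-20T10:00:18Z", "10.0.0.5", "10.1.2.30", 22, "tcp", 300),
    ("2016-05-20T10:00:20Z", "10.1.1.23", "198.51.100.9", 443, "tcp", 30_000_000),
]

# Assumed environment: one internal range, one jump host allowed to use admin
# ports, an egress port allow-list, and an exfiltration threshold that is
# lowered when monitoring is heightened (SI-4 e.).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
JUMP_HOSTS = {"10.0.0.5"}
ADMIN_PORTS = {22, 3389}
ALLOWED_EGRESS_PORTS = {53, 80, 443}
EGRESS_BYTES_LIMIT = {"normal": 50_000_000, "heightened": 10_000_000}


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def make_alert(rule, severity, **fields):
    return {"rule": rule, "severity": severity, **fields}


def evaluate(flows, heightened=False):
    """Run the use cases over a batch of flows; alerts come back in flow order.

    Connection rules fire per flow (SI-4 a.2 and b.); the volume rule sums
    bytes per (src, dst) pair and fires once per pair after the batch.
    """
    alerts = []
    egress = defaultdict(int)
    for ts, src, dst, dport, proto, nbytes in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if not src_in and dst_in and dport in ADMIN_PORTS:
            alerts.append(make_alert("unauthorized_remote_connection", "high",
                                     time=ts, src=src, dst=dst, dport=dport))
        elif src_in and dst_in and dport in ADMIN_PORTS and src not in JUMP_HOSTS:
            alerts.append(make_alert("unauthorized_local_admin", "medium",
                                     time=ts, src=src, dst=dst, dport=dport))
        elif src_in and not dst_in and dport not in ALLOWED_EGRESS_PORTS:
            alerts.append(make_alert("unauthorized_egress_port", "high",
                                     time=ts, src=src, dst=dst, dport=dport))
        if src_in and not dst_in:
            egress[(src, dst)] += nbytes
    limit = EGRESS_BYTES_LIMIT["heightened" if heightened else "normal"]
    for (src, dst), total in egress.items():
        if total > limit:
            alerts.append(make_alert("excessive_egress_volume", "medium",
                                     src=src, dst=dst, bytes=total, limit=limit))
    return alerts


def seal(alerts, key):
    """Chain an HMAC-SHA256 tag over each alert record (SI-4 d.).

    Each tag covers the previous tag as well as the record, so editing a record
    or removing an interior one breaks verification. The key is assumed to be
    held by the collector, not by the sensor that produced the flows.
    """
    sealed, prev = [], b""
    for a in alerts:
        rec = json.dumps(a, sort_keys=True)
        tag = hmac.new(key, prev + rec.encode(), hashlib.sha256).hexdigest()
        sealed.append((rec, tag))
        prev = tag.encode()
    return sealed


def verify(sealed, key):
    prev = b""
    for rec, tag in sealed:
        expect = hmac.new(key, prev + rec.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, tag):
            return False
        prev = tag.encode()
    return True


if __name__ == "__main__":
    for mode in (False, True):
        print("heightened" if mode else "normal")
        for a in evaluate(SAMPLE_FLOWS, heightened=mode):
            print("  ", json.dumps(a, sort_keys=True))
```

Run as a script, the block prints three alerts in normal mode (the inbound RDP, the outbound port 4444 connection, and the SSH session from a non-jump host) and a fourth, the 30 MB transfer, once monitoring is heightened. The HMAC chain detects edits and interior deletions of the alert log, but not truncation of its tail; a deployment would also record the final tag or a record count somewhere the sensor cannot write.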