Navigate

AU-13

AU-13: Monitoring for Information Disclosure

a: Monitor [open-source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizational information is/are defined;] [the frequency with which open-source information and/or information sites are monitored for evidence of unauthorized disclosure of organizational information is defined;] for evidence of unauthorized disclosure of organizational information; and

b: If an information disclosure is discovered:
- 1: Notify [personnel or roles to be notified if an information disclosure is discovered is/are defined;] ; and
- 2: Take the following additional actions: [additional actions to be taken if an information disclosure is discovered are defined;].

Supplemental

Unauthorized disclosure of information is a form of data leakage. Open-source information includes social networking sites and code-sharing platforms and repositories. Examples of organizational information include personally identifiable information retained by the organization or proprietary information generated by the organization.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
DAF Baseline

CSF Categories
DE.CM-3, PR.DS-5, PR.PT-1

Related Controls

The controls below (if any) were marked by NIST as being related to AU-13.

Control	Description
AC-22	a: Designate individuals authorized to make information publicly accessible; b: Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c: Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and d: Review the content on the publicly accessible system for nonpublic information [the frequency at which to review the content on the publicly accessible system for non-public information is defined;] and remove such information, if discovered.
PE-3	a: Enforce physical access authorizations at [entry and exit points to the facility in which the system resides are defined;] by: 1: Verifying individual access authorizations before granting access to the facility; and 2: Controlling ingress and egress to the facility using [one or more of "{{ insert: param, pe-03_odp.03 }} "/"guards"]; b: Maintain physical access audit logs for [entry or exit points for which physical access logs are maintained are defined;]; c: Control access to areas within the facility designated as publicly accessible by implementing the following controls: [physical access controls to control access to areas within the facility designated as publicly accessible are defined;]; d: Escort visitors and control visitor activity [circumstances requiring visitor escorts and control of visitor activity are defined;]; e: Secure keys, combinations, and other physical access devices; f: Inventory [physical access devices to be inventoried are defined;] every [frequency at which to inventory physical access devices is defined;] ; and g: Change combinations and keys [one of ] and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.
PM-12	Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
RA-5	a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported; b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1: Enumerating platforms, software flaws, and improper configurations; 2: Formatting checklists and test procedures; and 3: Measuring vulnerability impact; c: Analyze vulnerability scan reports and results from vulnerability monitoring; d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk; e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
SC-7	a: Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b: Implement subnetworks for publicly accessible system components that are [one of "physically"/"logically"] separated from internal organizational networks; and c: Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
SI-20	Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: [the systems or system components with data or capabilities to be embedded are defined;].

Enhancements

The controls below (if any) add on to the requirements of AU-13.

Control	Description
AU-13(1)	Monitor open-source information and information sites using [automated mechanisms for monitoring open-source information and information sites are defined;].
AU-13(2)	Review the list of open-source information sites being monitored [the frequency at which to review the open-source information sites being monitored is defined;].
AU-13(3)	Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.

Related CCIs

The CCIs below are tied to AU-13.

CCI	Definition
CCI-001460	Monitor organization-defined open source information and/or information sites per organization-defined frequency for evidence of unauthorized disclosure of organizational information.
CCI-001461	Defines a frequency for monitoring open source information and/or information sites for evidence of unauthorized exfiltration or disclosure of organizational information.
CCI-001915	Defines the open source information and/or information sites to be monitored for evidence of unauthorized exfiltration or disclosure of organizational information.
CCI-003837	If an information disclosure is discovered, notify organization-defined personnel or roles.
CCI-003838	Defines the personnel or roles to be notified if an information disclosure is discovered.
CCI-003839	If an information disclosure is discovered, take organization-defined additional actions.
CCI-003840	Defines the additional actions to be taken if an information disclosure is discovered.