Navigate

SI-4 (5)

SI-4 (5): System-Generated Alerts

The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

Supplemental

Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers.

CIA Levels
Confidentiality	low
Integrity	low
Availability	low

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to SI-4 (5).

Control	Description
AU-5	The information system: AU-5a.: Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and AU-5b.: Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
PE-6	The organization: PE-6a.: Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents; PE-6b.: Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and PE-6c.: Coordinates results of reviews and investigations with the organizational incident response capability.

Control

Description

AU-5

The information system:

AU-5a.: Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and

AU-5b.: Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

PE-6

The organization:

PE-6a.: Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

PE-6b.: Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and

PE-6c.: Coordinates results of reviews and investigations with the organizational incident response capability.

Enhancements

The controls below (if any) add on to the requirements of SI-4 (5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SI-4 (5).

CCI	Definition
CCI-001264	The organization defines indicators of compromise or potential compromise to the security of the information system which will result in information system alerts being provided to organization-defined personnel or roles.
CCI-002663	The organization defines the personnel or roles to receive information system alerts when organization-defined indicators of compromise or potential compromise occur.
CCI-002664	The information system alerts organization-defined personnel or roles when organization-defined compromise indicators reflect the occurrence of a compromise or a potential compromise.