Navigate

SI-7 (7)

SI-7 (7): Integration Of Detection And Response

The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.

Supplemental

This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges.

CIA Levels
Confidentiality	unknown
Integrity	moderate
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to SI-7 (7).

Control	Description
IR-4	The organization: IR-4a.: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; IR-4b.: Coordinates incident handling activities with contingency planning activities; and IR-4c.: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.
IR-5	The organization tracks and documents information system security incidents.
SI-4	The organization: SI-4a.: Monitors the information system to detect: SI-4a.1.: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and SI-4a.2.: Unauthorized local, network, and remote connections; SI-4b.: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; SI-4c.: Deploys monitoring devices: SI-4c.1.: Strategically within the information system to collect organization-determined essential information; and SI-4c.2.: At ad hoc locations within the system to track specific types of transactions of interest to the organization; SI-4d.: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; SI-4e.: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; SI-4f.: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and SI-4g.: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

Enhancements

The controls below (if any) add on to the requirements of SI-7 (7).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SI-7 (7).

CCI	Definition
CCI-002719	The organization defines the unauthorized security-relevant changes to the information system that are to be incorporated into the organizational incident response capability.
CCI-002720	The organization incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability.