GASP: AICF


MON-005 Security Monitoring and Alerting

Tier 2+

Description

Production systems are monitored for anomalous behaviour, security events, and indicators of compromise. Alerts are generated for defined threat scenarios and reviewed by a responsible team within defined SLAs. Alert thresholds, suppression rules, and escalation paths are documented.

Rationale

Logs without active review provide no detection capability. Structured alerting with documented response paths transforms log data into a real-time security control.

Framework Mappings (7)

Mapped control  Control name  Mapping strength
LOG-03  Security Monitoring and Alerting  full
LOG-05  Audit Logs Monitoring and Response  full
LOG-14  Failures and Anomalies Reporting  full
8.16  Monitoring activities  full
AU-6  Audit Record Review, Analysis, and Reporting  full
SI-4  System Monitoring  full
CC7.2  Monitors System Components for Anomalous Behavior  full

Evidence (2)

Type: configuration (automated collection)

SIEM alert rule configuration showing defined detection rules for threat scenarios, with documented alert thresholds, suppression rules, and escalation paths.

Example: SIEM detection rule library export (e.g., Splunk saved searches, Elastic SIEM rules, Sentinel analytics rules) showing rule names, trigger conditions, severity assignments, and assigned response queues

Test: Export the SIEM detection rule configuration. Verify: (1) rules exist for core threat scenarios (brute force, privilege escalation, impossible travel, data exfiltration indicators, configuration change); (2) each rule has a defined severity, escalation path, and assigned response owner; (3) suppression and tuning rules are documented and reviewed; (4) the rule set was last reviewed within the defined interval.
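The four rule-export checks above can be scripted once the export has been flattened into a common record shape. The script below is an added example, not code from the AICF page or from any SIEM vendor: real Splunk, Elastic and Sentinel exports each have their own schema, so it assumes each rule has already been normalised to the fields used here (scenario, severity, escalation_path, owner, last_reviewed, suppressions are this example's own assumed schema), and it runs over constructed sample data that contains the kinds of defects the test is meant to surface.

```python
"""Audit a normalised SIEM detection-rule export against the MON-005 test.

Added example, not part of the control page. Assumed schema: each rule is a
dict with name, scenario, severity, escalation_path, owner, last_reviewed
(ISO date) and a list of suppressions, each with a reason and a reviewed date.
"""
from datetime import date, timedelta

# Core threat scenarios the test requires a rule for. Rules declare which
# scenario they cover through the "scenario" field (assumed schema).
CORE_SCENARIOS = {
    "brute_force",
    "privilege_escalation",
    "impossible_travel",
    "data_exfiltration",
    "security_config_change",
}
REQUIRED_FIELDS = ("severity", "escalation_path", "owner")
VALID_SEVERITIES = {"low", "medium", "high", "critical"}

# Constructed sample export. It deliberately contains one uncovered scenario
# (data exfiltration), a rule with no owner, a rule with an undocumented
# suppression, and a rule whose last review is outside the 90-day interval.
SAMPLE_RULES = [
    {"name": "Auth failures > 20 from one source in 5m", "scenario": "brute_force",
     "severity": "high", "escalation_path": "soc-l1 -> soc-l2", "owner": "soc",
     "last_reviewed": "2024-05-01",
     "suppressions": [{"reason": "vuln scanner 10.0.0.5", "reviewed": "2024-05-01"}]},
    {"name": "Role assigned outside change window", "scenario": "privilege_escalation",
     "severity": "high", "escalation_path": "soc-l1 -> iam-team", "owner": "soc",
     "last_reviewed": "2024-05-01", "suppressions": []},
    {"name": "Login from two countries within 1h", "scenario": "impossible_travel",
     "severity": "medium", "escalation_path": "soc-l1", "owner": "",
     "last_reviewed": "2024-05-01", "suppressions": []},
    {"name": "Security group rule opened to 0.0.0.0/0", "scenario": "security_config_change",
     "severity": "critical", "escalation_path": "soc-l1 -> cloud-platform",
     "owner": "cloud-platform", "last_reviewed": "2023-11-15",
     "suppressions": [{"reason": "", "reviewed": None}]},
]


def audit_rules(rules, as_of, review_interval_days=90):
    """Return a list of finding strings; an empty list means the export passes.

    as_of is an ISO date string for the audit date; review_interval_days is
    the organisation's defined review interval (assumed 90 days here).
    """
    findings = []
    # (1) coverage of core threat scenarios
    covered = {r.get("scenario") for r in rules}
    for scenario in sorted(CORE_SCENARIOS - covered):
        findings.append(f"no rule covers core scenario '{scenario}'")
    cutoff = date.fromisoformat(as_of) - timedelta(days=review_interval_days)
    for r in rules:
        name = r.get("name", "<unnamed>")
        # (2) severity, escalation path and owner present on every rule
        for field in REQUIRED_FIELDS:
            if not r.get(field):
                findings.append(f"rule '{name}' missing {field}")
        if r.get("severity") and r["severity"] not in VALID_SEVERITIES:
            findings.append(f"rule '{name}' has unknown severity '{r['severity']}'")
        # (3) every suppression has a documented reason and a review date
        for s in r.get("suppressions", []):
            if not s.get("reason") or not s.get("reviewed"):
                findings.append(f"rule '{name}' has an undocumented or unreviewed suppression")
        # (4) rule reviewed within the defined interval
        reviewed = r.get("last_reviewed")
        if not reviewed or date.fromisoformat(reviewed) < cutoff:
            findings.append(f"rule '{name}' not reviewed since {reviewed} (cutoff {cutoff})")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, "2024-06-01"):
        print(finding)
```

Coverage is checked by scenario rather than by rule name so that a rule renamed during tuning does not silently drop a scenario; a suppression with a reason but no review date is treated as a finding, since the test asks that suppressions be both documented and reviewed.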

Type: log (automated collection)

Alert queue records showing security monitoring alerts were reviewed and actioned within defined SLAs.

Example: Ticketing system (Jira, PagerDuty, or equivalent) records of SIEM-generated alerts for the preceding 30 days, showing alert type, creation time, acknowledgement time, and resolution time

Test: Query the alert queue or incident ticketing system for SIEM-generated alerts in the last 30 days. Verify: (1) alerts were acknowledged within the defined SLA for each severity level; (2) each alert has a documented triage decision; (3) calculate the percentage of alerts meeting the response SLA and confirm it is at or above the defined threshold.
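The SLA calculation in step (3) is easy to get wrong if alerts that were never acknowledged are dropped from the denominator, which inflates the percentage. The script below is an added example, not code from the AICF page or from Jira or PagerDuty; it assumes the ticket export has been normalised to the fields used here (id, type, severity, created, acknowledged, resolved, triage, all this example's own schema, with ISO 8601 UTC timestamps) and uses assumed per-severity SLA values, since the control requires that SLAs be defined rather than prescribing them. The sample alerts are constructed.

```python
"""Compute acknowledgement-SLA compliance from a normalised alert queue export.

Added example, not part of the control page. Assumed schema: one dict per
SIEM-generated alert with id, type, severity, created, acknowledged,
resolved (ISO 8601 UTC strings or None) and a free-text triage decision.
"""
from datetime import datetime

# Acknowledgement SLA per severity, in minutes. Assumed values for this
# example; an organisation substitutes its own documented SLAs.
ACK_SLA_MINUTES = {"critical": 15, "high": 60, "medium": 240, "low": 1440}

# Constructed 30-day sample: two alerts met SLA cleanly, one medium alert was
# acknowledged late, one critical alert has no triage decision recorded, and
# one high alert was never acknowledged at all.
SAMPLE_ALERTS = [
    {"id": "SEC-101", "type": "brute_force", "severity": "high",
     "created": "2024-06-03T02:10:00Z", "acknowledged": "2024-06-03T02:25:00Z",
     "resolved": "2024-06-03T03:00:00Z", "triage": "true positive: source blocked"},
    {"id": "SEC-102", "type": "impossible_travel", "severity": "medium",
     "created": "2024-06-03T09:00:00Z", "acknowledged": "2024-06-03T14:30:00Z",
     "resolved": "2024-06-03T15:00:00Z", "triage": "false positive: corporate VPN egress"},
    {"id": "SEC-103", "type": "security_config_change", "severity": "critical",
     "created": "2024-06-04T11:00:00Z", "acknowledged": "2024-06-04T11:05:00Z",
     "resolved": "2024-06-04T11:40:00Z", "triage": ""},
    {"id": "SEC-104", "type": "privilege_escalation", "severity": "high",
     "created": "2024-06-05T23:50:00Z", "acknowledged": None,
     "resolved": None, "triage": ""},
    {"id": "SEC-105", "type": "brute_force", "severity": "high",
     "created": "2024-06-06T08:00:00Z", "acknowledged": "2024-06-06T08:40:00Z",
     "resolved": "2024-06-06T09:10:00Z", "triage": "true positive: credential stuffing, MFA held"},
]


def _parse(ts):
    """Parse an ISO 8601 UTC timestamp; the trailing Z is rewritten for fromisoformat."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def sla_report(alerts, threshold_pct=95.0):
    """Return per-severity and overall acknowledgement-SLA compliance.

    An alert with no acknowledgement counts as a breach, never as missing
    data: an unacknowledged alert is the worst outcome, not an exception.
    threshold_pct is the organisation's defined target (assumed 95 here).
    """
    per_sev = {}
    breaches, untriaged = [], []
    for a in alerts:
        sev = a["severity"]
        stats = per_sev.setdefault(sev, {"total": 0, "met": 0})
        stats["total"] += 1
        if a.get("acknowledged"):
            minutes = (_parse(a["acknowledged"]) - _parse(a["created"])).total_seconds() / 60
            if minutes <= ACK_SLA_MINUTES[sev]:
                stats["met"] += 1
            else:
                breaches.append((a["id"], sev, round(minutes)))
        else:
            breaches.append((a["id"], sev, None))
        # (2) every alert needs a documented triage decision
        if not a.get("triage"):
            untriaged.append(a["id"])
    for stats in per_sev.values():
        stats["pct"] = round(100 * stats["met"] / stats["total"], 1)
    total = sum(s["total"] for s in per_sev.values())
    met = sum(s["met"] for s in per_sev.values())
    overall = round(100 * met / total, 1) if total else 0.0
    return {
        "per_severity": per_sev,
        "overall_pct": overall,
        "meets_threshold": overall >= threshold_pct,
        "breaches": breaches,
        "untriaged": untriaged,
    }


if __name__ == "__main__":
    report = sla_report(SAMPLE_ALERTS)
    for sev, stats in report["per_severity"].items():
        print(f"{sev:9s} {stats['met']}/{stats['total']} within SLA ({stats['pct']}%)")
    print("overall", report["overall_pct"], "% meets threshold:", report["meets_threshold"])
    print("breaches", report["breaches"])
    print("no triage decision", report["untriaged"])
```

Reporting per severity matters because the SLA differs by severity: a single overall percentage can look healthy while every critical alert breached. The breach list carries the measured minutes so that an auditor can re-derive each figure from the raw ticket timestamps.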

Questions (3)

boolean

Are production systems monitored for anomalous behaviour and indicators of compromise, with alerts generated for defined threat scenarios and reviewed within defined SLAs?

Active monitoring requires both configured detection rules and a team responsible for reviewing and responding to alerts. Logs without active review provide no detection capability.

multi

Which threat scenarios are covered by active detection rules in your SIEM or monitoring platform?

Options:
- Brute force and credential stuffing attacks
- Privilege escalation or unusual privilege use
- Impossible travel or authentication from anomalous locations
- Indicators of data exfiltration (e.g. large data exports, unusual API query volumes)
- Configuration changes to security controls
- Malware or suspicious process execution on endpoints
- Lateral movement indicators

The first four categories are minimum expected coverage for a SaaS provider. All seven indicate a mature detection programme.

select

What is the defined SLA for acknowledging and triaging high severity security monitoring alerts?

Options:
- Within 15 minutes (24/7 on-call coverage)
- Within 1 hour (24/7 on-call coverage)
- Within 4 hours (business hours coverage)
- Within 24 hours
- No defined SLA for alert triage

24/7 coverage with a 1-hour or faster acknowledgement SLA is the expectation for high severity alerts in a production environment.