NIST 800-171 - Security Event Handling (3.14.7)

Overview:
Identify unauthorized use of the information system.


Action Items:
3.14.7[a]
Determine if: authorized use of the system is defined.


3.14.7[b]
Determine if: unauthorized use of the system is identified.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: Continuous monitoring strategy; system and information integrity policy; procedures addressing system monitoring tools and techniques; facility diagram/layout; system security plan; system design documentation; system monitoring tools and techniques documentation; locations within system where monitoring devices are deployed; system configuration settings and associated documentation; other relevant documents or records.


2) Interview: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for monitoring the system.


3) Test: Organizational processes for system monitoring; mechanisms supporting or implementing system monitoring capability.


Related Documents (document name and content will vary by organization):
1) Continuous monitoring strategy
2) System and information integrity policy
3) Procedures addressing system monitoring tools and techniques
4) Facility diagram/layout
5) System security plan
6) System design documentation
7) System monitoring tools and techniques documentation
8) Locations within system where monitoring devices are deployed
9) System configuration settings and associated documentation
10) Other relevant documents or records


Additional Guidance:
See discussion for 3.14.6.