SI-4(11)—System Monitoring | Analyze Communications Traffic Anomalies

IL4 High

IL5

IL6

>Control Description

Analyze outbound communications traffic at the external interfaces to the system and selected ⚙organization-defined interior points within the system to discover anomalies.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Organization-defined interior points include subnetworks and subsystems. Anomalies within organizational systems include large file transfers, long-time persistent connections, attempts to access information from unexpected locations, the use of unusual protocols and ports, the use of unmonitored network protocols (e.g., IPv6 usage during IPv4 transition), and attempted communications with suspected malicious external addresses.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What policies and procedures govern analyze communications traffic anomalies?
•Who is responsible for monitoring system and information integrity?
•How frequently are integrity monitoring processes reviewed and updated?

Technical Implementation:

•What technical controls detect and respond to analyze communications traffic anomalies issues?
•How are integrity violations identified and reported?
•What automated tools support system and information integrity monitoring?
•What anti-malware solutions are deployed and how are they configured?
•What systems and events are monitored for integrity violations?

Evidence & Documentation:

•Can you provide recent integrity monitoring reports or alerts?
•What logs demonstrate that SI-4(11) is actively implemented?
•Where is evidence of integrity monitoring maintained and for how long?
•Can you show recent malware detection reports and response actions?
•Can you provide examples of integrity monitoring alerts and responses?

Ask AI

Configure your API key to use AI features.