| | Brief description of the monitoring used and the alerting processes | Devices to pull log data from in order to satisfy the monitoring rule. | Frequency of the log data collection | At least two ways this monitor could be tested to validate any false positives or negatives |
| Asset Inventory of Authorized and Unauthorized Devices | Reduces the ability of attackers to find and exploit unauthorized and unprotected systems. Uses active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the business network, including servers, workstations, laptops, and remote devices. | Spiceworks, Colasoft MAC Scanner, or Angry IP Scanner | Monthly | Physical device search, Mac address search, or port ping search |
| Software Inventory of Authorized and Unauthorized Devices | Identify vulnerable or malicious software to mitigate or root out attacks. Devise a list of authorized software for each type of system, and deploy tools to track software installed. Require administrative login for all software. | CIS Controls or Spiceworks | Monthly | Physical device search or Administrative login approval |
| Malware Defenses | Block malicious code from tampering with system settings or contents, capturing sensitive data, or spreading. Use automated anti-virus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. | AVG Business Internet Security or Total AV. If running Windows then Windows Defender | Real Time | Real time and Weekly scans of all devices. Montoring rules set in place for all incoming and outgoing data. |
| Boundary Defense | Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines. | Firewalls, Proxies, and various network tools. | Weekly | Regular scans from outside the trusted network boundary and remote logging into organization network. |
| Controlled use of Administrative Privileges | Protect and validate administrative accounts on desktops, laptops, and servers by running security audits on all devices connected to the network. | Admin workstation, Admin devices for work, and server | Quarterly | Use audit software and physically check all device log files. |