NIST CSF 2.0 Audit Checklist, Part 4: Detect

The NIST CSF 2.0 Audit Checklist outlines a comprehensive framework for organizations to monitor and analyze potential cybersecurity threats and adverse events across various categories, including continuous monitoring, adverse event analysis, and incident declaration. It includes specific audit questions to assess compliance and effectiveness of monitoring systems, procedures for responding to incidents, and integration of threat intelligence. The checklist aims to enhance the organization's overall security posture by ensuring thorough monitoring and timely response to potential threats.

NIST CSF 2.0 AUDIT CHECKLIST

Function: DETECT (DE): Possible cybersecurity attacks and compromises are found and analyzed

Category: Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events

Each subcategory below is listed with its audit questionnaire and a Compliance Status field for the auditor's finding.

Subcategory: Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events

Audit Questionnaire:
1. Does the organization have systems and processes in place to continuously monitor networks and network services for potentially adverse events?
2. What tools or technologies are used for network monitoring (e.g., intrusion detection systems, network traffic analyzers, log management tools)?
3. How does the organization define and identify potentially adverse events in the context of network monitoring?
4. Are there established baselines for normal network behaviour, and how are deviations from these baselines detected and investigated?
5. How frequently are network monitoring tools and processes reviewed and updated to address new threats or technologies?
6. Are there documented procedures for responding to and investigating potentially adverse events detected through network monitoring?
7. How are the results of network monitoring communicated to relevant stakeholders within the organization?
8. Does the organization monitor both internal and external network traffic?
9. Are there mechanisms in place to correlate data from different network monitoring tools to improve threat detection capabilities?
10. How does the organization ensure that network monitoring activities comply with relevant privacy and data protection regulations?

Compliance Status: ________

Subcategory: DE.CM-02: The physical environment is monitored to find potentially adverse events

Audit Questionnaire:
1. Does the organization have systems and processes in place to monitor the physical environment for potentially adverse events?
2. What types of physical security controls are monitored (e.g., access control systems, surveillance cameras, environmental sensors)?
3. How does the organization define and identify potentially adverse events in the context of physical environment monitoring?
4. Are there established baselines for normal physical environment conditions, and how are deviations from these baselines detected and investigated?
5. How frequently are physical monitoring systems and processes reviewed and updated?
6. Are there documented procedures for responding to and investigating potentially adverse events detected through physical environment monitoring?
7. How are the results of physical environment monitoring communicated to relevant stakeholders within the organization?
8. Does the organization integrate physical security monitoring with cybersecurity monitoring efforts?
9. Are there mechanisms in place to ensure continuous monitoring of critical physical areas, even during power outages or other disruptions?
10. How does the organization ensure that physical environment monitoring activities comply with relevant privacy and labor regulations?

Compliance Status: ________

Subcategory: DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events

Audit Questionnaire:
1. Does the organization have systems and processes in place to monitor personnel activity and technology usage for potentially adverse events?
2. What types of personnel activities and technology usage are monitored (e.g., login attempts, file access, email usage, application usage)?
3. How does the organization define and identify potentially adverse events in the context of personnel activity and technology usage?
4. Are there established baselines for normal personnel activity and technology usage, and how are deviations from these baselines detected and investigated?
5. How frequently are personnel activity and technology usage monitoring systems and processes reviewed and updated?
6. Are there documented procedures for responding to and investigating potentially adverse events detected through personnel and technology usage monitoring?
7. How are the results of personnel activity and technology usage monitoring communicated to relevant stakeholders within the organization?
8. Does the organization have policies in place to inform employees about monitoring activities and ensure compliance with privacy regulations?
9. Are there mechanisms in place to detect and investigate potential insider threats?
10. How does the organization balance the need for monitoring with employee privacy concerns?

Compliance Status: ________

Subcategory: DE.CM-06: External service provider activities and services are monitored to find potentially adverse events

Audit Questionnaire:
1. Does the organization have systems and processes in place to monitor the activities and services of external service providers for potentially adverse events?
2. What types of external service provider activities and services are monitored?
3. How does the organization define and identify potentially adverse events in the context of external service provider activities?
4. Are there established baselines for normal external service provider activities, and how are deviations from these baselines detected and investigated?
5. How frequently are external service provider monitoring systems and processes reviewed and updated?
6. Are there documented procedures for responding to and investigating potentially adverse events detected through external service provider monitoring?
7. How are the results of external service provider monitoring communicated to relevant stakeholders within the organization?
8. Does the organization have agreements in place with external service providers that allow for monitoring of their activities?
9. Are there mechanisms in place to ensure that external service providers comply with the organization's security policies and standards?
10. How does the organization ensure that its monitoring of external service providers complies with relevant contractual and legal requirements?

Compliance Status: ________

Subcategory: DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

Audit Questionnaire:
1. Does the organization have systems and processes in place to monitor computing hardware, software, runtime environments, and their data for potentially adverse events?
2. What specific aspects of computing hardware, software, runtime environments, and data are monitored (e.g., system logs, application logs, configuration changes, data access patterns)?
3. How does the organization define and identify potentially adverse events in the context of these IT assets?
4. Are there established baselines for normal behaviour of computing hardware, software, runtime environments, and data, and how are deviations from these baselines detected and investigated?
5. How frequently are monitoring systems and processes for these IT assets reviewed and updated?
6. Are there documented procedures for responding to and investigating potentially adverse events detected through monitoring of these IT assets?
7. How are the results of this monitoring communicated to relevant stakeholders within the organization?
8. Does the organization use automated tools for monitoring and analyzing the behaviour of computing hardware, software, runtime environments, and data?
9. Are there mechanisms in place to detect and investigate potential malware infections, unauthorized software installations, or unauthorized changes to runtime environments?
10. How does the organization ensure that its monitoring of computing hardware, software, runtime environments, and data complies with relevant privacy and data protection regulations?

Compliance Status: ________

Category: Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents

Each subcategory below is listed with its audit questionnaire and a Compliance Status field for the auditor's finding.

Subcategory: DE.AE-02: Potentially adverse events are analyzed to better understand associated activities

Audit Questionnaire:
1. Does the organization have a defined process for analyzing potentially adverse events?
2. What criteria are used to identify and prioritize potentially adverse events for analysis?
3. How does the organization ensure that the analysis of potentially adverse events is thorough and timely?
4. What tools or technologies are used to support the analysis of potentially adverse events?
5. Are there documented procedures for conducting the analysis of potentially adverse events?
6. How does the organization capture and document the findings from the analysis of potentially adverse events?
7. Are there mechanisms in place to identify patterns or trends across multiple potentially adverse events?
8. How does the organization use the results of the analysis to improve its overall security posture?
9. Are there clear roles and responsibilities assigned for the analysis of potentially adverse events?
10. How does the organization's leadership ensure the effectiveness of the analysis process for potentially adverse events?

Compliance Status: ________

Subcategory: DE.AE-03: Information is correlated from multiple sources

Audit Questionnaire:
1. Does the organization have processes in place to correlate information from multiple sources when analyzing cybersecurity events?
2. What types of information sources are used in the correlation process (e.g., log files, network traffic data, threat intelligence feeds)?
3. How does the organization ensure that the information from different sources is accurately and effectively correlated?
4. What tools or technologies are used to support the correlation of information from multiple sources?
5. Are there documented procedures for correlating and analyzing information from multiple sources?
6. How does the organization handle discrepancies or conflicts in information from different sources?
7. Are there mechanisms in place to identify complex or sophisticated attacks that may only be visible when correlating multiple data sources?
8. How does the organization use the correlated information to improve its detection and response capabilities?
9. Are there clear roles and responsibilities assigned for the correlation and analysis of information from multiple sources?

Compliance Status: ________

Subcategory: DE.AE-04: The estimated impact and scope of adverse events are understood

Audit Questionnaire:
1. Does the organization have a process for estimating the impact and scope of adverse events?
2. What criteria or metrics are used to assess the impact of adverse events (e.g., financial loss, operational disruption, data compromise)?
3. How does the organization determine the scope of adverse events, including affected systems, data, and users?
4. Are there documented procedures for assessing and documenting the impact and scope of adverse events?
5. What tools or methodologies are used to support the impact and scope assessment process?
6. How does the organization ensure that the impact and scope assessments are accurate and consistent across different types of adverse events?
7. Are there mechanisms in place to update the impact and scope assessments as new information becomes available?
8. How does the organization use the impact and scope assessments to prioritize its response and recovery efforts?
9. Are there clear roles and responsibilities assigned for assessing the impact and scope of adverse events?

Compliance Status: ________

Subcategory: DE.AE-06: Information on adverse events is provided to authorized staff and tools

Audit Questionnaire:
1. Does the organization have a process for providing information on adverse events to authorized staff and tools?
2. How does the organization determine which staff members and tools are authorized to receive information on adverse events?
3. What types of information about adverse events are shared with authorized staff and tools?
4. Are there mechanisms in place to ensure that sensitive information about adverse events is appropriately protected and shared only with authorized parties?
5. How quickly is information about adverse events made available to authorized staff and tools after detection?
6. What communication channels or platforms are used to share information about adverse events with authorized staff and tools?
7. Are there procedures in place for escalating information about critical or high-impact adverse events to appropriate stakeholders?
8. How does the organization ensure that the information provided about adverse events is accurate, timely, and actionable?
9. Are there clear roles and responsibilities assigned for managing and distributing information about adverse events?

Compliance Status: ________

Subcategory: DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis

Audit Questionnaire:
1. Does the organization integrate cyber threat intelligence and other contextual information into its analysis of adverse events?
2. What sources of cyber threat intelligence and contextual information does the organization use?
3. How does the organization ensure the reliability and relevance of the threat intelligence and contextual information it uses?
4. Are there processes in place to correlate threat intelligence and contextual information with observed adverse events?
5. How does the organization use threat intelligence and contextual information to enhance its understanding of potential threats and attack patterns?
6. What tools or technologies are used to support the integration of threat intelligence and contextual information into the analysis process?
7. Are there mechanisms in place to update and refine detection and analysis processes based on new threat intelligence and contextual information?
8. How does the organization measure the effectiveness of integrating threat intelligence and contextual information into its analysis processes?
9. Are there clear roles and responsibilities assigned for managing and integrating threat intelligence and contextual information?

Compliance Status: ________

Subcategory: DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria

Audit Questionnaire:
1. Does the organization have defined criteria for declaring an incident based on adverse events?
2. What factors are considered in the incident declaration criteria (e.g., impact, scope, severity, type of assets affected)?
3. How are the incident declaration criteria communicated to relevant staff members?
4. Are there documented procedures for evaluating adverse events against the incident declaration criteria?
5. How does the organization ensure consistency in applying the incident declaration criteria across different types of adverse events?
6. What is the process for declaring an incident once the defined criteria are met?
7. Are there mechanisms in place to escalate potential incidents to appropriate decision-makers for declaration?
8. How quickly are incidents typically declared after the criteria are met?
9. Are there clear roles and responsibilities assigned for evaluating adverse events and declaring incidents?

Compliance Status: ________