Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
Explanation
This question examines network baselining: whether your organization has established, and keeps current, a baseline of normal network operations and expected data flows for users and systems.
A network baseline defines what constitutes 'normal' traffic, connections, and system behaviors across your environment, so that deviations from it can be recognized as potential security events instead of being lost in routine noise.
As evidence, you could provide network baseline documentation that includes network topology diagrams, expected data-flow mappings between systems, normal traffic-volume patterns, authorized communication protocols, and standard user activity profiles.
This documentation should be regularly reviewed and updated to reflect changes in your environment.
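The following is an added example, not part of the questionnaire, of how the "deviation from baseline" idea in the explanation above can be turned into a check. It builds a baseline from constructed flow records (shaped like summarized NetFlow or Zeek conn data; the field names are assumptions) and then flags new flows that use a communication pair never seen during the baselining period, a protocol not on the authorized list, or a byte volume well outside what the baseline recorded for that pair.

```python
"""Build a network baseline from known-good flow records and flag deviations.

Added example (not from the questionnaire). Flow records below are constructed
to resemble summarized NetFlow/Zeek conn data; the field names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str      # source host
    dst: str      # destination host
    dport: int    # destination port
    proto: str    # transport protocol
    nbytes: int   # bytes transferred in the flow


# Constructed "known good" flows collected during the baselining period:
# a web tier talking to an app tier over HTTPS, and DNS lookups to the resolver.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 443, "tcp", b)
    for b in (10000, 12000, 14000, 11000, 13000)
] + [
    Flow("10.0.1.10", "10.0.0.53", 53, "udp", b)
    for b in (200, 300, 250)
]

# Protocols the baseline documentation lists as authorized (assumption).
AUTHORIZED_PROTOCOLS = {"tcp", "udp"}


def build_baseline(flows):
    """Group flows by (src, dst, dport, proto) and record volume statistics.

    In a real environment the key would usually be per zone or subnet rather
    than per host; per-host keys are used here to keep the example readable.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport, f.proto)].append(f.nbytes)
    baseline = {}
    for key, sizes in groups.items():
        avg = mean(sizes)
        # Floor the spread at 10% of the mean so a low-variance baseline
        # (few samples, near-identical sizes) does not yield a threshold
        # that flags every slightly larger flow.
        spread = max(pstdev(sizes), 0.1 * avg)
        baseline[key] = {"count": len(sizes), "mean": avg, "spread": spread}
    return baseline


def check_flow(flow, baseline, z=3.0):
    """Return a list of finding labels for one flow; empty means 'normal'."""
    findings = []
    if flow.proto not in AUTHORIZED_PROTOCOLS:
        findings.append("unauthorized-protocol")
    stats = baseline.get((flow.src, flow.dst, flow.dport, flow.proto))
    if stats is None:
        # This peer/port/protocol combination never appeared in the baseline.
        findings.append("unknown-flow")
        return findings
    if flow.nbytes > stats["mean"] + z * stats["spread"]:
        # Known pair, but the volume is more than z spreads above the mean.
        findings.append("volume-anomaly")
    return findings


def find_deviations(flows, baseline, z=3.0):
    """Return (flow, findings) for every flow that deviates from the baseline."""
    deviations = []
    for f in flows:
        findings = check_flow(f, baseline, z)
        if findings:
            deviations.append((f, findings))
    return deviations


# Constructed flows observed after the baseline was established.
NEW_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 443, "tcp", 15000),    # within normal range
    Flow("10.0.1.10", "10.0.2.20", 443, "tcp", 90000),    # unusually large transfer
    Flow("10.0.1.10", "10.0.0.53", 53, "udp", 20000),     # oversized DNS exchange
    Flow("10.0.1.10", "203.0.113.5", 4444, "tcp", 5000),  # peer/port never seen
    Flow("10.0.1.10", "10.0.2.20", 0, "icmp", 64),        # protocol not authorized
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for flow, findings in find_deviations(NEW_FLOWS, baseline):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} "
              f"{flow.nbytes} bytes: {', '.join(findings)}")
```

The same structure maps onto the evidence items above: the baseline dictionary is the expected data-flow mapping and normal traffic-volume pattern, and the authorized-protocol set is the documented protocol list. Re-running `build_baseline` on a fresh sample after environment changes is the "regularly reviewed and updated" step.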
Context
- Function: DE: DETECT
- Category: DE.AE: Adverse Event Analysis
- Sub-Category: A baseline of network operations and expected data flows for users and systems is established and managed
Related questions
- Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?
- Does your organization implement event correlation technology (such as SIEM) to aggregate and analyze security events from multiple sources?

