Does your organization actively monitor logs from logical access control systems to identify unusual access patterns and failed access attempts?
Explanation
Monitoring access control logs helps detect potential security incidents such as unauthorized access attempts, credential theft, or insider threats. By analyzing patterns in authentication logs, organizations can identify suspicious activities like login attempts outside business hours, multiple failed logins, or access from unusual locations.
Evidence could include screenshots of log monitoring dashboards, alert configurations from a SIEM system, documented procedures for log review, or sample reports showing identified anomalies and corresponding incident response actions.
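The three patterns the explanation names (bursts of failed logins, off-hours access, access from an unexpected source) can be checked with simple rules over authentication events. The following is an added example written for this page, not part of the framework text; the log format, thresholds, business hours and the 10.1.x.x "known" prefix are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Fields: ISO timestamp, user, result, source IP
SAMPLE_LOG = """\
2024-03-04T08:55:12 alice SUCCESS 10.1.20.15
2024-03-04T09:01:44 bob FAILURE 10.1.20.31
2024-03-04T09:01:50 bob FAILURE 10.1.20.31
2024-03-04T09:02:03 bob FAILURE 10.1.20.31
2024-03-04T09:02:09 bob FAILURE 10.1.20.31
2024-03-04T09:02:15 bob FAILURE 10.1.20.31
2024-03-04T09:02:40 bob SUCCESS 10.1.20.31
2024-03-04T23:47:30 alice SUCCESS 198.51.100.23
2024-03-04T14:10:05 carol SUCCESS 10.1.20.40
"""

BUSINESS_HOURS = (8, 18)           # assumed: 08:00-17:59 is normal working time
FAIL_THRESHOLD = 5                 # assumed: this many failures in FAIL_WINDOW alerts
FAIL_WINDOW = timedelta(minutes=5)
KNOWN_PREFIXES = ("10.1.",)        # assumed baseline of expected source networks

def parse(log_text):
    """Turn raw log lines into (timestamp, user, result, source) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, user, result, src = line.split()
        events.append((datetime.fromisoformat(ts), user, result, src))
    return sorted(events)

def detect_anomalies(log_text):
    """Return (rule, user, detail) alerts for the patterns described in the text."""
    alerts = []
    recent_failures = defaultdict(list)   # per-user failure timestamps in the window
    for ts, user, result, src in parse(log_text):
        if result == "FAILURE":
            # Sliding window: keep only failures younger than FAIL_WINDOW
            window = [t for t in recent_failures[user] if ts - t < FAIL_WINDOW]
            window.append(ts)
            recent_failures[user] = window
            if len(window) == FAIL_THRESHOLD:   # fire once when the threshold is hit
                alerts.append(("brute_force", user, ts.isoformat()))
            continue
        # Successful logins: check time of day and source against the baseline
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            alerts.append(("off_hours", user, ts.isoformat()))
        if not src.startswith(KNOWN_PREFIXES):
            alerts.append(("unusual_source", user, src))
    return alerts
```

In a SIEM these rules would be stated as correlation searches over the same fields; the point of the example is that each alert maps to one of the patterns the explanation lists and can be reviewed as evidence.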
Implementation Example
Monitor logs from logical access control systems to find unusual access patterns and failed access attempts
ID: DE.CM-03.281
Context
- Function: DE: DETECT
- Category: DE.CM: Continuous Monitoring
- Sub-Category: Personnel activity and technology usage are monitored to find potentially adverse events
Related questions
- Does your organization have a system in place to monitor DNS, BGP, and other critical network services for suspicious or malicious activities?
- Does your organization implement network monitoring controls to detect and alert on unauthorized endpoint connections to both wired and wireless networks?
- Does your organization have a process to regularly monitor facilities for unauthorized or rogue wireless networks?
- Does your organization regularly compare actual network traffic flows against established baselines to detect and investigate deviations?
- Does your organization continuously monitor network communications to detect changes in security postures as part of a zero trust architecture?
- Does your organization monitor physical access control logs for unusual patterns and failed access attempts?