Does your organization have a process to monitor software configurations for deviations from established security baselines?
Explanation
Security baselines define the approved, secure configuration settings for software systems. Monitoring for deviations helps identify unauthorized changes, misconfigurations, or security drift that could introduce vulnerabilities. This includes monitoring changes to operating systems, applications, databases, network devices, and cloud services against their documented secure configurations.
Evidence could include configuration management reports, automated scanning results from tools like Tripwire or Nessus that compare current configurations against baselines, change management logs showing detection and remediation of unauthorized deviations, or dashboard screenshots from security configuration assessment tools.
Implementation Example
Monitor software configurations for deviations from security baselines
ID: DE.CM-09.287
Context
- Function
- DE: DETECT
- Category
- DE.CM: Continuous Monitoring
- Sub-Category
- Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
Related questions
- Does your organization have a system in place to monitor DNS, BGP, and other critical network services for suspicious or malicious activities?
- Does your organization implement network monitoring controls to detect and alert on unauthorized endpoint connections to both wired and wireless networks?
- Does your organization have a process to regularly monitor facilities for unauthorized or rogue wireless networks?
- Does your organization regularly compare actual network traffic flows against established baselines to detect and investigate deviations?
- Does your organization continuously monitor network communications to detect changes in security postures as part of a zero trust architecture?
- Does your organization monitor physical access control logs for unusual patterns and failed access attempts?

