Does your organization utilize automated tools or systems to continuously evaluate compliance with your established cybersecurity requirements?
Explanation
Automated compliance monitoring tools can continuously scan systems, networks, and applications to verify adherence to security policies, standards, and regulatory requirements without manual intervention. These solutions can include security information and event management (SIEM) systems, compliance scanning tools, configuration management databases, or custom scripts that regularly check system settings against baselines.
Evidence could include screenshots of compliance dashboards showing automated scanning results, reports generated by compliance monitoring tools, documentation of automated alert configurations, or logs showing remediation actions taken based on automated findings.
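The "custom scripts that regularly check system settings against baselines" approach above, as an added example that is not part of the original page: a small baseline-drift checker that parses a service configuration, compares each setting to a declared baseline, and returns findings an automated compliance job could raise as alerts or feed into a dashboard. The baseline values and the sample sshd_config text are constructed for illustration and are assumptions, not a recommended hardening standard; a production job would read the daemon's effective settings (for OpenSSH, `sshd -T`) rather than only the file, so that settings the file omits are evaluated at their real defaults.

```python
"""Baseline-drift check: compare a service's settings against a declared
baseline and emit findings an automated compliance job could alert on.
Added example; baseline and sample config below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline: setting -> (expected value, severity). In practice this
# would be loaded from a version-controlled policy file, not hard-coded.
SSHD_BASELINE: Dict[str, Tuple[str, str]] = {
    "PermitRootLogin": ("no", "high"),
    "PasswordAuthentication": ("no", "high"),
    "X11Forwarding": ("no", "low"),
    "MaxAuthTries": ("4", "medium"),
    "LogLevel": ("VERBOSE", "medium"),
}

# Constructed sample; not taken from any real host. The duplicate
# PasswordAuthentication line exercises sshd's first-value-wins rule.
SAMPLE_SSHD_CONFIG = """
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes
MaxAuthTries 6
LogLevel VERBOSE
"""


@dataclass
class Finding:
    setting: str
    expected: str
    actual: Optional[str]  # None when the setting is absent from the config
    severity: str


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines into a dict keyed by lower-cased keyword.
    Lines starting with '#' and blank lines are comments. The first occurrence
    of a keyword wins, matching how sshd resolves repeated keywords."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value: nothing to evaluate
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def evaluate(settings: Dict[str, str],
             baseline: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Return one Finding per baseline control that is missing or off-baseline.
    Values compare case-insensitively (yes/no style keywords). An absent
    setting is reported with actual=None so reviewers see the gap explicitly."""
    findings: List[Finding] = []
    for key, (expected, severity) in baseline.items():
        actual = settings.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(key, expected, actual, severity))
    return findings


def compliance_score(findings: List[Finding],
                     baseline: Dict[str, Tuple[str, str]]) -> float:
    """Percentage of baseline controls that passed, for trend dashboards."""
    if not baseline:
        return 100.0
    passed = len(baseline) - len(findings)
    return round(100.0 * passed / len(baseline), 1)


if __name__ == "__main__":
    # Example run over the constructed sample; each finding is the kind of
    # record an automated job would log or turn into a ticket.
    results = evaluate(parse_sshd_config(SAMPLE_SSHD_CONFIG), SSHD_BASELINE)
    for f in results:
        shown = f.actual if f.actual is not None else "<absent>"
        print(f"[{f.severity}] {f.setting}: expected {f.expected}, got {shown}")
    print(f"compliance: {compliance_score(results, SSHD_BASELINE)}%")
```

On the constructed sample this reports PermitRootLogin, MaxAuthTries and the absent X11Forwarding as findings while PasswordAuthentication passes because sshd honours the first value; scheduling such a check and retaining its output is exactly the evidence (reports, alert configuration, remediation logs) the question asks for.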
Implementation Example
Constantly evaluate compliance with selected cybersecurity requirements through automated means
ID: ID.IM-01.179
Context
- Function: IDENTIFY (ID)
- Category: ID.IM: Improvement
- Sub-Category: Improvements are identified from evaluations
Related questions
- Does your organization regularly conduct self-assessments of critical services that incorporate current threat intelligence and adversary tactics, techniques, and procedures (TTPs)?
- Has your organization conducted third-party assessments or independent audits of your cybersecurity program within the past 12 months?
- Does your organization have a process to identify and implement improvements to incident response procedures based on findings from exercises, tests, and reviews?
- Does your organization have a formal process to identify and implement improvements to business continuity, disaster recovery, and incident response plans based on exercises conducted with critical service providers and suppliers?
- Does your organization involve internal stakeholders (such as senior executives, legal, and HR) in security tests and exercises?
- Does your organization conduct penetration testing on high-risk systems with leadership approval?

