Event Monitoring and Analysis Brick

Vulnerability Analysis. Internet-based attack tools are becoming increasingly sophisticated and increasingly easy to use. NIH's network could contain vulnerabilities that attackers can exploit to gain access, even when NIH has secured the network perimeter with firewalls and intrusion detection systems. In order to proactively find and plug such holes NIH will require the use of both vulnerability assessment products and vulnerability assessment services.

System Monitoring and Logging. Identifying and reacting to security incidents in real-time requires comprehensive system and network monitoring, Furthermore the ability to aggregate alarms and other information from disparate systems is necessary to correlate events and identify an incident.

• Tactical and strategic products were selected to leverage NIH's investment in products that are a proven fit for NIH's known future needs. Leveraging baseline products in the future will minimize the operations, maintenance, support and training costs of new products.
• Some baseline products have been designated retirement and containment. These products are either not as widely or successfully deployed at NIH, or they do not provide as much functionality, value, or Total Cost of Ownership as the selected tactical and strategic products

Relevant Standards

• ISO/IEC 10164-4 System Management: Alarm Reporting Function
• ISO/IEC 10164-5 System Management: Event Report Management Function
• ISO/IEC 10164-7 System Management: Security Alarm Reporting Function
• ISO/IEC 10164-8 System Management: Security Audit Trail Function

Relevant Policies

• CIT Security Handbook
• Glossary of NIH Incident Handling Terms
• Limited Authorized Personal Use of NIH Information Technology (IT) Resources
• NIH Incident Handling Guidelines
• NIH Incident Handling Procedures Text and Diagram
• DHHS Establishing an Incident Response Capability OMB Circular A-130
• OMB Circular A-130