Alerts triaged 24x7
Demonstrate that security alerts from detection systems are acknowledged, assessed, and prioritized by qualified personnel on a continuous basis without gaps in coverage.
Description
What this control does
Alerts triaged 24x7 requires an organization to staff a security operations capability continuously, ensuring that alerts generated by security monitoring tools are acknowledged, categorized, and prioritized at all hours, including weekends and holidays. This control establishes a follow-the-sun or shift-based Security Operations Center (SOC) model that evaluates incoming alerts from SIEM, EDR, IDS/IPS, and other detection systems to determine severity, assign incident handlers, and initiate response workflows without delay. Continuous triage prevents alerts from accumulating unreviewed, reduces dwell time for active threats, and ensures time-sensitive incidents receive immediate attention regardless of when they occur.
Control objective
What auditing this proves
Demonstrate that security alerts from detection systems are acknowledged, assessed, and prioritized by qualified personnel on a continuous basis without gaps in coverage.
Associated risks
Risks this control addresses
- Critical alerts occurring outside business hours remain unacknowledged for extended periods, allowing attackers to establish persistence or exfiltrate data undetected
- Weekend or holiday breaches go unnoticed until the next business day, increasing attacker dwell time and expanding the blast radius of compromise
- Threat actors deliberately launch attacks during off-hours to exploit known gaps in monitoring coverage and response capability
- High-volume alert storms during off-peak hours overwhelm on-call responders who lack adequate shift coverage, causing critical alerts to be missed or deprioritized
- Ransomware deployment initiated late Friday proceeds unimpeded through the weekend, allowing full encryption of production systems before Monday discovery
- Regulatory or contractual breach notification deadlines are violated due to delayed detection and triage during non-business hours
- Alert fatigue and burnout among on-call staff lead to superficial triage or missed indicators when staffing is inadequate for continuous operations
Testing procedure
How an auditor verifies this control
- Obtain the current SOC staffing schedule, shift roster, and on-call rotation documentation covering a representative 30-day period including weekends and holidays
- Interview SOC management to understand escalation procedures, handoff protocols between shifts, and backup coverage arrangements for absences or high-alert scenarios
- Select a random sample of 20-30 security alerts spanning all hours of operation (including nights, weekends, and at least one recognized holiday) from the past 90 days
- For each sampled alert, extract timestamps for alert generation, initial acknowledgment, triage completion, and severity assignment from the SIEM or ticketing system
- Calculate the time-to-acknowledgment and time-to-triage for each sampled alert and identify any alerts that exceeded defined SLA thresholds or remained unacknowledged for more than the maximum allowable period
- Review audit logs or system records showing active analyst sessions during off-hours periods to verify physical or logical presence of triage personnel during sampled alert windows
- Request and review documentation of any coverage gaps, staffing incidents, or alert backlogs during the audit period, including root cause analysis and remediation actions taken
- Verify that triage quality metrics (correct severity assignment, appropriate escalation, actionable notes) are consistent across all shifts, not just primary business hours
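One way to carry out the timestamp and SLA checks in the procedure above, as an added example that is not part of the control text: a Python script over constructed alert records (the sample data, SLA thresholds, holiday calendar and audit time are all assumed) that computes time-to-acknowledgment and time-to-triage per alert, flags SLA breaches and open alerts past the maximum allowable period, and breaks the results down by coverage window so off-hours gaps stand out.

```python
from datetime import datetime, date, time
# Constructed sample alerts (not real SOC data), UTC ISO-8601; None = nobody has picked it up yet.
ALERTS = [
    {"id": "A-1", "generated": "2024-03-05T10:02:00", "acked": "2024-03-05T10:06:00", "triaged": "2024-03-05T10:40:00"},
    {"id": "A-2", "generated": "2024-03-08T23:15:00", "acked": "2024-03-09T00:01:00", "triaged": "2024-03-09T01:30:00"},
    {"id": "A-3", "generated": "2024-03-09T03:40:00", "acked": "2024-03-09T03:52:00", "triaged": "2024-03-09T04:20:00"},
    {"id": "A-4", "generated": "2024-03-29T14:00:00", "acked": None, "triaged": None},
]
SLA_ACK_MIN, SLA_TRIAGE_MIN = 15, 60      # assumed SLA thresholds, in minutes
MAX_UNACKED_MIN = 240                      # assumed maximum allowable unacknowledged period
HOLIDAYS = {date(2024, 3, 29)}             # constructed holiday calendar
AUDIT_TIME = datetime(2024, 3, 30, 9, 0)   # fixed "now" so the example is deterministic

def coverage_window(ts):
    """Bucket a timestamp so triage performance can be compared shift by shift."""
    if ts.date() in HOLIDAYS:
        return "holiday"
    if ts.weekday() >= 5:
        return "weekend"
    return "business" if time(8, 0) <= ts.time() < time(18, 0) else "night"

def evaluate(alerts, now=AUDIT_TIME):
    """Per alert: time-to-ack and time-to-triage in minutes, plus any SLA breaches."""
    results = []
    for a in alerts:
        gen = datetime.fromisoformat(a["generated"])
        minutes = lambda iso: (datetime.fromisoformat(iso) - gen).total_seconds() / 60
        r = {"id": a["id"], "window": coverage_window(gen), "breaches": [], "ack_min": None, "triage_min": None}
        if a["acked"]:
            r["ack_min"] = minutes(a["acked"])
            if r["ack_min"] > SLA_ACK_MIN:
                r["breaches"].append("ack_sla")
        elif (now - gen).total_seconds() / 60 > MAX_UNACKED_MIN:
            r["breaches"].append("unacked_beyond_max")   # still open: age it against the audit time
        if a["triaged"]:
            r["triage_min"] = minutes(a["triaged"])
            if r["triage_min"] > SLA_TRIAGE_MIN:
                r["breaches"].append("triage_sla")
        results.append(r)
    return results

def by_window(results):
    """Alerts and breached alerts per coverage window; breaches clustered in one window point to a gap."""
    summary = {}
    for r in results:
        s = summary.setdefault(r["window"], {"alerts": 0, "breaches": 0})
        s["alerts"] += 1
        s["breaches"] += 1 if r["breaches"] else 0
    return summary
```

In a real audit the records would be exported from the SIEM or ticketing system for the sampled alerts, and the analyst-session logs from the same windows would be compared against the breach clusters this produces.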
Where this control is tested