DE.CM-7 / IR-4 / CIS-8.11 (NIST CSF v1.1)

Who monitors security alerts and how often?

Demonstrate that the organization has documented and operationalized specific personnel assignments and defined intervals for monitoring security alerts across all in-scope security systems.

Description

What this control does

This control establishes accountability and timeliness for security alert monitoring by defining named individuals or roles responsible for reviewing alerts and specifying monitoring frequencies (continuous, hourly, daily, etc.). It ensures alerts from SIEM, IDS/IPS, EDR, firewalls, and other security tools are actively reviewed rather than merely collected. Without defined ownership and cadence, critical alerts remain unacknowledged, enabling attackers to persist undetected during the window between alert generation and human response.

Control objective

What auditing this proves

Demonstrate that the organization has documented and operationalized specific personnel assignments and defined intervals for monitoring security alerts across all in-scope security systems.

Associated risks

Risks this control addresses

  • Unattended critical alerts allow ransomware, lateral movement, or data exfiltration to proceed uninterrupted for hours or days
  • Role ambiguity causes alert fatigue or bystander effect where multiple staff assume someone else is monitoring
  • Infrequent monitoring (e.g., weekly reviews) permits adversaries to complete attack chains before detection
  • Lack of 24/7 coverage allows attackers to exploit off-hours and weekend gaps when no personnel are assigned
  • Alert queues overwhelm single responders, causing triage delays and missed high-severity incidents
  • Undefined monitoring frequencies prevent SLA enforcement and accountability during incident retrospectives
  • Staffing changes or vacations create monitoring gaps when backup assignments are undocumented

Testing procedure

How an auditor verifies this control

  1. Obtain the current security monitoring procedure, runbook, or operational playbook that designates alert monitoring responsibilities.
  2. Identify all security alert sources in scope (SIEM, EDR, IDS/IPS, CASB, firewall, cloud security tools) via system inventory or architecture diagrams.
  3. Review role assignments (individual names, job titles, or on-call rotation schedules) documented for each alert source.
  4. Verify that documented monitoring frequencies (real-time, hourly, per-shift, daily) are aligned to alert severity tiers, so that the most severe alerts carry the shortest acknowledgment interval.
  5. Select a two-week sample period and obtain monitoring logs, ticket creation timestamps, or SIEM access logs showing actual review activity.
  6. Interview at least two assigned personnel to confirm their understanding of monitoring scope, escalation paths, and shift handoff procedures.
  7. Compare documented monitoring schedules against actual alert acknowledgment timestamps to identify coverage gaps or delays exceeding defined intervals.
  8. Test one weekend or off-hours period within the sample to verify 24/7 coverage if the organization claims continuous monitoring capability.
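
Steps 5, 7 and 8 above reduce to a mechanical comparison once the evidence is in hand: time-to-acknowledge per alert against the interval documented for its severity tier, and the spacing of review activity per source against the documented cadence, with special attention to the weekend. The following script is an added example written for this page, not tooling from the source; the severity intervals, review cadences, alert records and review-log entries are all constructed and hypothetical, and a real audit would load them from the ticket system and SIEM access logs instead.

```python
"""Check alert-acknowledgment evidence against documented monitoring intervals.

Added example. Every value below (SLA minutes, review cadences, the alert
records and the review log) is constructed for illustration, not real data.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

# Hypothetical runbook values: max minutes to acknowledge, per severity tier.
SLA_MINUTES = {"critical": 15, "high": 60, "medium": 480}
# Hypothetical documented cadence per source, expressed as the longest tolerable
# gap between two review events (continuous -> 15 min, hourly, per-shift).
REVIEW_INTERVAL_MINUTES = {"siem": 15, "edr": 60, "firewall": 480}

SAMPLE_START = datetime(2024, 3, 8, 0, 0)   # Friday 00:00 (constructed window)
SAMPLE_END = datetime(2024, 3, 11, 0, 0)    # Monday 00:00; covers one weekend


@dataclass
class Alert:
    alert_id: str
    source: str
    severity: str
    created_at: datetime
    acked_at: Optional[datetime]  # None: never acknowledged within the sample


# Constructed alert records; A3-A5 were raised off-hours or on the weekend.
ALERTS = [
    Alert("A1", "siem", "critical", datetime(2024, 3, 8, 10, 0), datetime(2024, 3, 8, 10, 9)),
    Alert("A2", "edr", "high", datetime(2024, 3, 8, 14, 30), datetime(2024, 3, 8, 16, 0)),
    Alert("A3", "siem", "critical", datetime(2024, 3, 9, 2, 15), datetime(2024, 3, 9, 8, 40)),
    Alert("A4", "firewall", "medium", datetime(2024, 3, 9, 11, 0), datetime(2024, 3, 10, 9, 30)),
    Alert("A5", "edr", "high", datetime(2024, 3, 10, 20, 0), None),
    Alert("A6", "siem", "medium", datetime(2024, 3, 8, 9, 0), datetime(2024, 3, 8, 12, 0)),
]


def _build_review_log():
    """Constructed review-activity evidence: (source, timestamp) per review event,
    e.g. a SIEM console login, a dashboard view or an acknowledgment action."""
    log, t = [], SAMPLE_START
    while t < SAMPLE_END:
        sat, sun = t.date() == date(2024, 3, 9), t.date() == date(2024, 3, 10)
        # SIEM polled every 10 min, except a silent stretch early Saturday morning.
        if not (sat and time(1, 0) <= t.time() < time(8, 30)):
            log.append(("siem", t))
        # EDR queue reviewed hourly; nobody assigned on Saturday.
        if t.minute == 0 and not sat:
            log.append(("edr", t))
        # Firewall alerts reviewed once per shift (06/14/22); Sunday shift unstaffed.
        if t.hour in (6, 14, 22) and t.minute == 0 and not sun:
            log.append(("firewall", t))
        t += timedelta(minutes=10)
    return log


REVIEW_LOG = _build_review_log()


def find_sla_breaches(alerts, sla_minutes, sample_end):
    """(alert_id, minutes_to_ack, allowed_minutes) for every late or unacknowledged
    alert. Open alerts are measured to sample_end so they count as breaches
    instead of silently passing because no timestamp exists."""
    breaches = []
    for a in alerts:
        delay = ((a.acked_at or sample_end) - a.created_at) / timedelta(minutes=1)
        if delay > sla_minutes[a.severity]:
            breaches.append((a.alert_id, round(delay), sla_minutes[a.severity]))
    return breaches


def find_coverage_gaps(review_log, interval_minutes, sample_start, sample_end):
    """(source, gap_start, gap_end, gap_minutes) wherever consecutive review events
    for a source are further apart than its documented cadence. The series is
    bounded by the sample window so a gap at either edge is not hidden."""
    gaps = []
    for source, max_gap in interval_minutes.items():
        stamps = [sample_start] + sorted(ts for s, ts in review_log if s == source) + [sample_end]
        for prev, nxt in zip(stamps, stamps[1:]):
            gap = (nxt - prev) / timedelta(minutes=1)
            if gap > max_gap:
                gaps.append((source, prev, nxt, round(gap)))
    return gaps


def off_hours_breaches(breaches, alerts):
    """Subset of breaches raised on a weekend or outside 08:00-18:00 (assumed
    business hours), i.e. the coverage claim step 8 asks the auditor to test."""
    by_id = {a.alert_id: a for a in alerts}
    return [b for b in breaches
            if by_id[b[0]].created_at.weekday() >= 5
            or not 8 <= by_id[b[0]].created_at.hour < 18]


if __name__ == "__main__":
    breaches = find_sla_breaches(ALERTS, SLA_MINUTES, SAMPLE_END)
    print("SLA breaches:", breaches)
    print("Off-hours breaches:", off_hours_breaches(breaches, ALERTS))
    for g in find_coverage_gaps(REVIEW_LOG, REVIEW_INTERVAL_MINUTES, SAMPLE_START, SAMPLE_END):
        print("Coverage gap:", g)
```

Two design points matter for the audit conclusion. Treating an unacknowledged alert as breached at the sample boundary, rather than skipping it, keeps an overflowing queue from looking compliant; and bounding each source's review series with the sample window catches the case where monitoring simply stopped before the period ended, which a gap calculation over recorded events alone would miss.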

Evidence required

Collect the security operations procedure document listing monitoring roles and frequencies; SIEM or ticket system access logs showing login timestamps and alert review activity; on-call rotation schedules or shift calendars covering the audit sample period; screenshots of alert dashboards with acknowledgment timestamps; interview notes confirming personnel awareness of assignments; and incident escalation records demonstrating timely handoff when monitoring thresholds are breached.

Pass criteria

All in-scope security alert sources have documented personnel or roles assigned with defined monitoring frequencies, and sampled logs demonstrate adherence to those frequencies with no gaps exceeding the documented intervals during business hours and declared coverage windows.