Reports actually reviewed by SecOps
Demonstrate that security monitoring reports are systematically reviewed by Security Operations staff, with documented evidence of analysis, triage, and responsive action within established service level agreements.
Description
What this control does
This control ensures that security monitoring reports generated by SIEM, IDS/IPS, vulnerability scanners, and other detection tools are actively reviewed by qualified Security Operations personnel within defined timeframes. It addresses the gap between automated alert generation and human analysis, requiring evidence that reports are opened, analyzed, and actioned rather than simply archived. The control typically includes documentation of review activities, analyst acknowledgment, case creation for findings, and escalation procedures for critical items.
Control objective
What auditing this proves
Demonstrate that security monitoring reports are systematically reviewed by Security Operations staff, with documented evidence of analysis, triage, and responsive action within established service level agreements.
Associated risks
Risks this control addresses
- Security incidents remain undetected despite alerts being generated, allowing attackers persistent access or lateral movement
- Compliance violations or data exfiltration go unnoticed due to unreviewed log analysis reports
- High-priority vulnerability scan findings are not remediated because reports are auto-filed without human review
- Alert fatigue leads to critical threat indicators being ignored among thousands of unexamined notifications
- Insider threats succeed because user behavior analytics reports are generated but never analyzed
- Regulatory penalties result from failure to demonstrate active monitoring during breach investigations
- Security tooling investments provide no actual risk reduction because outputs are never consumed by analysts
Testing procedure
How an auditor verifies this control
- Obtain the list of all automated security monitoring tools configured to generate scheduled or threshold-based reports (SIEM, IDS/IPS, DLP, vulnerability scanners, UEBA, EDR platforms).
- Request the defined review procedures including assigned roles, review frequency requirements, and maximum time-to-review SLAs for each report type.
- Select a representative sample of 15-20 security reports spanning at least three monitoring tools and covering the most recent 30-day period.
- For each sampled report, retrieve audit logs from the report delivery system showing access timestamps, user identities, and duration of access. Count only opens by named analyst accounts as review evidence; opens by service, archiver, or indexing accounts show delivery, not analysis.
- Cross-reference report access logs with ticketing system records to verify that findings resulted in documented cases, investigations, or remediation tasks.
- Interview 2-3 Security Operations analysts to validate their review process, ask them to demonstrate navigation of recent reports, and confirm their understanding of escalation thresholds.
- Compare actual review timestamps against defined SLAs to identify any reports that exceeded maximum review timeframes without documented exception approval.
- Verify that critical or high-severity findings from sampled reports have corresponding incident tickets, change requests, or risk acceptance documentation created within the required timeframe.
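The cross-referencing in the last four steps (access logs against tickets, first review time against SLA, exceptions for late reviews, tickets for critical and high findings) is mechanical enough to script. The Python below is an added example written for this page, not tooling from any product or from the control's author. It assumes a hypothetical key=value access-log line format, hypothetical per-severity SLAs, and constructed sample reports, log lines, tickets, and an exception register; a real run would replace these with exports from the report delivery system and ticketing platform.

```python
"""Audit check for the 'reports actually reviewed by SecOps' control.

Correlates report-delivery access logs with ticketing records and
per-severity review SLAs, then flags the evidence gaps an auditor
looks for. Every data structure below is constructed sample data.
"""
import re
from datetime import datetime, timedelta, timezone

# Hypothetical SLAs: hours from report generation to first human open.
SLA_HOURS = {"critical": 4, "high": 24, "medium": 72}

# Constructed report catalogue: id, source tool, generation time, top severity.
REPORTS = [
    {"id": "siem-0411", "tool": "siem", "generated": "2024-05-03T06:00:00Z", "severity": "critical"},
    {"id": "ids-0411",  "tool": "ids",  "generated": "2024-05-03T06:00:00Z", "severity": "high"},
    {"id": "vuln-w18",  "tool": "vuln", "generated": "2024-05-03T06:00:00Z", "severity": "high"},
    {"id": "ueba-0411", "tool": "ueba", "generated": "2024-05-03T06:00:00Z", "severity": "medium"},
]

# Constructed access-log lines in a hypothetical key=value format from the
# report delivery system. Repeat opens are normal; the earliest one counts.
ACCESS_LOG = """\
2024-05-03T07:10:00Z report=siem-0411 user=a.nguyen action=open
2024-05-03T07:12:00Z report=siem-0411 user=a.nguyen action=open
2024-05-04T09:30:00Z report=ids-0411 user=b.ortiz action=open
2024-05-03T06:05:00Z report=vuln-w18 user=svc-archiver action=open
2024-05-07T10:00:00Z report=ueba-0411 user=c.ito action=open
""".splitlines()

# Hypothetical accounts that open reports mechanically; not review evidence.
SERVICE_ACCOUNTS = {"svc-archiver"}

# Constructed ticketing export: which report each ticket references.
TICKETS = [
    {"id": "INC-2231", "report": "siem-0411", "created": "2024-05-03T07:40:00Z"},
]

# Constructed exception register: reports whose late review was approved.
APPROVED_EXCEPTIONS = {"ueba-0411"}

LINE_RE = re.compile(r"^(?P<ts>\S+) report=(?P<report>\S+) user=(?P<user>\S+) action=open$")


def parse_ts(value):
    """Parse the hypothetical ISO-8601 UTC timestamp used in the sample data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def first_human_open(lines, service_accounts):
    """Map report id -> (earliest open time, user), ignoring service accounts."""
    first = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] in service_accounts:
            continue
        ts = parse_ts(m["ts"])
        if m["report"] not in first or ts < first[m["report"]][0]:
            first[m["report"]] = (ts, m["user"])
    return first


def evaluate(reports, access_lines, tickets, exceptions, sla_hours,
             service_accounts=SERVICE_ACCOUNTS):
    """Return {report_id: [finding, ...]}; an empty list means evidence is complete."""
    opens = first_human_open(access_lines, service_accounts)
    ticketed = {t["report"] for t in tickets}
    results = {}
    for r in reports:
        findings = []
        deadline = parse_ts(r["generated"]) + timedelta(hours=sla_hours[r["severity"]])
        if r["id"] not in opens:
            findings.append("no human review recorded")
        elif opens[r["id"]][0] > deadline and r["id"] not in exceptions:
            findings.append("reviewed after SLA without approved exception")
        if r["severity"] in ("critical", "high") and r["id"] not in ticketed:
            findings.append("no ticket for critical/high findings")
        results[r["id"]] = findings
    return results


if __name__ == "__main__":
    for rid, found in evaluate(REPORTS, ACCESS_LOG, TICKETS, APPROVED_EXCEPTIONS, SLA_HOURS).items():
        print(rid, "OK" if not found else "; ".join(found))
```

On the sample data, siem-0411 passes (opened inside the 4-hour window and ticketed), ids-0411 fails twice (first human open 27.5 hours after generation with no exception, and no ticket), vuln-w18 has no human review because its only open came from the archiver account, and ueba-0411 passes because its late review is in the exception register. Sampling, as in the procedure above, is done before this step; the script only scores the sample it is given.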
Where this control is tested