RA.L3-3.11.3e Advanced Risk Identification
Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components.
Source: NIST SP 800-172 3.11.3e
Discussion: A properly resourced Security Operations Center (SOC) or Computer Incident Response Team (CIRT) may be overwhelmed by the volume of information generated by the proliferation of security tools and appliances unless it employs advanced automation and analytics to analyze the data. Advanced automation and predictive analytics capabilities are typically supported by artificial intelligence concepts and machine learning. Examples include Automated Workflow Operations, Automated Threat Discovery and Response (which includes broad-based collection, context-based analysis, and adaptive response capabilities), and machine-assisted decision tools. [SP 800-30] provides guidance on risk assessments and risk analyses.
Assessment Objectives:
Determine if:
- [a] Advanced automation and analytics capabilities to predict and identify risks to organizations, systems, and system components are identified;
- [b] Analysts to predict and identify risks to organizations, systems, and system components are identified; and
- [c] Advanced automation and analytics capabilities are employed in support of analysts to predict and identify risks to organizations, systems, and system components.
Examine: [SELECT FROM: System and information integrity policy; risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of risk; procedures addressing system monitoring; enterprise architecture documentation; system design documentation; system architecture and configuration documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system monitoring logs or records; system audit records; security plan; risk assessment artifacts; risk assessment results; risk assessment reviews; risk assessment updates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for information security; organizational personnel responsible for risk assessments; risk analysts; system developers; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring; system/network administrators].
Test: [SELECT FROM: Automated mechanisms supporting and/or implementing risk analytics capabilities; automated mechanisms supporting and/or implementing system monitoring capability; automated mechanisms supporting and/or implementing the discovery, collection, distribution, and use of indicators of compromise; automated mechanisms for conducting, documenting, reviewing, disseminating, and updating risk assessments].
SPRS Score: 1
POA&M Allowed: Yes