NetStable
Level 2 SI.L2-3.14.7

Identify unauthorized use of organizational systems

📖 What This Means

This practice requires organizations to actively monitor for and detect unauthorized use of their systems. Unauthorized use includes employees reaching into systems or data beyond their job responsibilities, external attackers gaining access (for example with stolen credentials), and malware operating inside the network. The goal is to identify such activity quickly, before it turns into a data breach or system compromise. Because this is a detective practice, it depends on a defined baseline of authorized use: who may use which systems, for what purposes, and from where. Without that baseline, monitoring has nothing to compare against, and an assessor will ask to see it. For example, if an employee tries to query a restricted database without proper permissions, the system should flag the attempt. Similarly, if an external attacker logs in with stolen credentials from an address the account has never used, the system should detect the anomaly and alert the security team. This practice is central to maintaining the integrity and security of organizational systems.

🎯 Why It Matters

Unauthorized use of systems can lead to significant security breaches, data loss, and reputational damage. For instance, in the 2017 Equifax breach, attackers entered through an unpatched web application vulnerability and then operated inside the network for more than two months without being detected, in part because the device that inspected encrypted traffic had an expired certificate; the breach exposed the records of roughly 147 million people and cost the company more than $1.4 billion. The lesson for this practice is that the initial intrusion is rarely the only failure: the inability to identify ongoing unauthorized use is what turns an incident into a catastrophe. In the defense sector, undetected unauthorized access could compromise sensitive defense data, leading to national security risks. The DoD emphasizes this control to ensure that contractors can detect and respond to unauthorized activity promptly, protecting Controlled Unclassified Information (CUI). Failing to implement this control can result in financial penalties, loss of contracts, and damage to the organization's reputation.

How to Implement

  1. Define what authorized use looks like before you try to detect deviations from it: an acceptable use policy, a mapping of roles to the systems and actions they may use, and the networks or addresses accounts normally connect from. Monitoring can only flag what differs from a documented baseline.
  2. Enable logging and monitoring features in your cloud environment (e.g., AWS CloudTrail, Azure Monitor) and forward the logs to a central store so that every in-scope system is covered.
  3. Set up alerts for unusual login attempts or access patterns using cloud-native tools (e.g., Amazon GuardDuty, Microsoft Defender for Cloud, formerly Azure Security Center).
  4. Implement multi-factor authentication (MFA) for all user accounts. MFA is a preventive control, but it also turns a login with stolen credentials into a visible failed-MFA event rather than a silent success, which makes the attempt detectable.
  5. Regularly review access logs and audit trails to identify unauthorized activity that automated rules did not catch, and record who reviewed what and when.
  6. Use role-based access control (RBAC) so users only have access to necessary resources. Tight roles shrink the set of authorized actions, which in turn makes out-of-role actions easy to recognize in the logs.
  7. Deploy intrusion detection systems (IDS) to monitor network traffic for suspicious activity, including outbound traffic that could indicate data exfiltration or malware signaling to external systems.
  8. Conduct regular penetration testing to identify exploitable weaknesses, and use each test to confirm that the tester's activity actually produced alerts. A test that goes unnoticed is a finding against this practice.
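The steps above reduce to one loop: define authorized use, collect the events, compare, and keep the deviations as evidence. The following is an added illustrative example (not NetStable's or any vendor's code) that runs that loop over constructed CloudTrail-style JSON records. The roster, role permissions, known-address baseline, thresholds and every log line are hypothetical; the field names loosely follow AWS CloudTrail but no real export is used. It flags three kinds of unauthorized use described on this page: an employee acting outside their role, a stolen-credential pattern (failed logins followed by success from an unseen address), and activity by an account that no roster authorizes. Findings are rendered in the Timestamp, User, IP Address, Action shape listed under Evidence Examples.

```python
"""Flag unauthorized use in constructed CloudTrail-style log records.

Added illustrative example, not NetStable's or any vendor's code. Field names
loosely follow AWS CloudTrail (eventTime, userIdentity.userName,
sourceIPAddress, eventName, errorCode); every record below is hand-written.
"""
import csv
import io
import json
from collections import defaultdict
from datetime import datetime, timedelta

# The practice presupposes a definition of *authorized* use. These three
# hypothetical tables are that definition: who may act, what each role may
# do, and where each account normally connects from.
AUTHORIZED_USERS = {"alice": "analyst", "bob": "dba", "svc-backup": "backup"}
ROLE_ALLOWED_ACTIONS = {
    "analyst": {"GetObject", "ListBucket"},
    "dba": {"DescribeDBInstances", "GetObject", "ListBucket"},
    "backup": {"CreateSnapshot", "PutObject"},
}
KNOWN_IPS = {"alice": {"10.0.1.20"}, "bob": {"10.0.2.31"}, "svc-backup": {"10.0.3.5"}}

FAILED_LOGIN_THRESHOLD = 3                   # illustrative tuning values
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log (JSON lines, deliberately out of order). Scenarios:
# an analyst calling a DBA-only API, three failed console logins then a
# success from an unseen address, and an account that exists in no roster.
SAMPLE_LOG = """\
{"eventTime":"2024-03-04T09:00:00Z","userIdentity":{"userName":"alice"},"sourceIPAddress":"10.0.1.20","eventName":"ConsoleLogin"}
{"eventTime":"2024-03-04T09:05:00Z","userIdentity":{"userName":"alice"},"sourceIPAddress":"10.0.1.20","eventName":"GetObject"}
{"eventTime":"2024-03-04T09:07:00Z","userIdentity":{"userName":"alice"},"sourceIPAddress":"10.0.1.20","eventName":"DescribeDBInstances"}
{"eventTime":"2024-03-04T22:01:10Z","userIdentity":{"userName":"bob"},"sourceIPAddress":"203.0.113.7","eventName":"ConsoleLogin","errorCode":"Failed authentication"}
{"eventTime":"2024-03-04T22:02:40Z","userIdentity":{"userName":"bob"},"sourceIPAddress":"203.0.113.7","eventName":"ConsoleLogin","errorCode":"Failed authentication"}
{"eventTime":"2024-03-04T22:03:05Z","userIdentity":{"userName":"bob"},"sourceIPAddress":"203.0.113.7","eventName":"ConsoleLogin","errorCode":"Failed authentication"}
{"eventTime":"2024-03-04T22:03:50Z","userIdentity":{"userName":"bob"},"sourceIPAddress":"203.0.113.7","eventName":"ConsoleLogin"}
{"eventTime":"2024-03-04T23:30:00Z","userIdentity":{"userName":"mallory"},"sourceIPAddress":"198.51.100.9","eventName":"PutObject"}
{"eventTime":"2024-03-04T01:00:00Z","userIdentity":{"userName":"svc-backup"},"sourceIPAddress":"10.0.3.5","eventName":"CreateSnapshot"}
"""


def parse_events(log_text):
    """Parse JSON-lines records into dicts, oldest first (logs arrive unordered)."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["eventTime"], TIME_FMT),
            "user": rec["userIdentity"]["userName"],
            "ip": rec["sourceIPAddress"],
            "action": rec["eventName"],
            "failed": "errorCode" in rec,
        })
    return sorted(events, key=lambda e: e["time"])


def _finding(ev, reason):
    return {"Timestamp": ev["time"].strftime(TIME_FMT), "User": ev["user"],
            "IP Address": ev["ip"], "Action": ev["action"], "Reason": reason}


def detect_unauthorized_use(events):
    """Return one finding per event that deviates from the authorized-use baseline."""
    findings = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    for ev in events:
        user, ip, action, t = ev["user"], ev["ip"], ev["action"], ev["time"]
        if user not in AUTHORIZED_USERS:
            findings.append(_finding(ev, "account not in authorized roster"))
            continue
        if action == "ConsoleLogin":
            recent = [f for f in failures[user] if t - f <= FAILED_LOGIN_WINDOW]
            if ev["failed"]:
                recent.append(t)
                failures[user] = recent
                if len(recent) == FAILED_LOGIN_THRESHOLD:  # alert once per burst
                    findings.append(_finding(ev, f"{len(recent)} failed logins within {FAILED_LOGIN_WINDOW}"))
                continue
            failures[user] = []  # a success closes the burst
            reasons = []
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                reasons.append(f"successful login after {len(recent)} failed attempts")
            if ip not in KNOWN_IPS[user]:
                reasons.append("source IP not in user's baseline")
            if reasons:
                findings.append(_finding(ev, "; ".join(reasons)))
            continue
        role = AUTHORIZED_USERS[user]
        if action not in ROLE_ALLOWED_ACTIONS[role]:
            findings.append(_finding(ev, f"action '{action}' not permitted for role '{role}'"))
    return findings


def to_evidence_csv(findings):
    """Render findings in the Timestamp/User/IP Address/Action shape used as evidence."""
    buf = io.StringIO()
    fields = ["Timestamp", "User", "IP Address", "Action", "Reason"]
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_evidence_csv(detect_unauthorized_use(parse_events(SAMPLE_LOG))))
```

On the sample, the analyst's GetObject and the backup account's CreateSnapshot pass silently because the baseline tables say they are authorized; the four findings are the out-of-role DescribeDBInstances call, the failed-login burst, the subsequent success from an address the account has never used, and the unrostered account. Note that the detection code is short and the baseline tables are what do the work: a real deployment replaces those dictionaries with your IAM policies, HR roster and network inventory, and keeps them current, because every stale entry is either a missed alert or a false positive.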
⏱️ Estimated Effort

Implementation typically takes 2-4 weeks, depending on the complexity of the environment. Requires intermediate to advanced IT and security skills.

📋 Evidence Examples

Logs of unauthorized access attempts

Format: CSV/Log files
Frequency: Daily
Contents: Timestamp, User, IP Address, Action
Collection: Export from SIEM or logging system

Alert notifications

Format: Email/PDF
Frequency: As alerts occur
Contents: Description of alert, Severity, Actions taken
Collection: Export from monitoring tool

User account audit report

Format: PDF
Frequency: Quarterly
Contents: List of users, Permissions, Last login
Collection: Generate from Active Directory or equivalent

Penetration test report

Format: PDF
Frequency: Annually
Contents: Findings, Recommendations, Remediation status
Collection: Obtain from third-party tester

SIEM configuration documentation

Format: PDF
Frequency: As changes occur
Contents: Configuration settings, Alert rules, Log sources
Collection: Documented by security team

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For SI.L2-3.14.7 ("Identify unauthorized use of organizational systems"), your SSP narrative should specifically describe: (1) how authorized use is defined (acceptable use policy, role-to-resource mapping, approved access paths), (2) the tools and log sources you use to monitor for deviations from that definition, (3) the alert rules or review procedures that identify unauthorized use and who responds to them, and (4) what evidence proves it is working. Keep the narrative focused on this practice rather than the whole SI family: patch management, antivirus/EDR and email gateway controls belong to their own SI practices and should only be mentioned here where they feed the monitoring (for example, EDR detections forwarded to the SIEM). Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"SI.L2-3.14.7 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to identify unauthorized use of organizational systems. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"SI.L2-3.14.7 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to identify unauthorized use of organizational systems. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"SI.L2-3.14.7 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify every system, identity store and network path within the CUI boundary whose use must be monitored, and confirm each one is actually sending logs
  • Document the log sources and EDR/IDS sensors that feed the SIEM, including any gaps in coverage
  • Specify the SIEM alert rules that detect unauthorized use and the review cadence for logs not covered by automated rules
  • Ensure the definition of authorized use (policy, roles, approved access paths) covers all systems within the defined CUI boundary
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 System and Information Integrity Policy
  • 📄 Acceptable use policy and role/permission definitions (the baseline of authorized use)
  • 📄 Log source inventory and SIEM alert configuration
  • 📄 Alert triage and log review records
  • 📄 Evidence artifacts specific to SI.L2-3.14.7
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will check two things, following the NIST SP 800-171A objectives for this practice: that authorized use of the system is defined, and that unauthorized use is identified. Expect to show the policy or configuration that defines authorized use, the log sources and alert rules that detect deviations, sample alerts with the actions taken, and evidence that logs are reviewed on the stated schedule. Patch management SLAs, AV/EDR coverage and email gateway behavior are assessed under other SI practices; here they matter only insofar as their detections feed your monitoring.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have logging enabled for all critical systems?

✅ YES → Proceed to Q2
❌ NO → GAP: Enable logging on all critical systems and ensure logs are centralized.
Remediation:
Enable logging within 1 week.

Question 2: Are you monitoring logs for unauthorized access attempts?

✅ YES → Proceed to Q3
❌ NO → GAP: Implement a SIEM or equivalent tool to monitor logs.
Remediation:
Set up SIEM within 2 weeks.

Question 3: Do you have alerts configured for unusual activities?

✅ YES → Proceed to Q4
❌ NO → GAP: Configure alerts for failed logins, unauthorized access, and unusual patterns.
Remediation:
Configure alerts within 1 week.

Question 4: Are you conducting regular user account audits?

✅ YES → Proceed to Q5
❌ NO → GAP: Schedule quarterly audits of user accounts and permissions.
Remediation:
Conduct first audit within 1 month.

Question 5: Have you performed a penetration test in the last year?

✅ YES → Compliant
❌ NO → GAP: Schedule a penetration test to identify vulnerabilities.
Remediation:
Complete penetration test within 3 months.

⚠️ Common Mistakes (What Auditors Flag)

1. Incomplete logging coverage

Why this happens: Critical systems or devices are overlooked.
How to avoid: Conduct a thorough inventory of all systems and ensure logging is enabled on each.

2. Lack of centralized logging

Why this happens: Logs are scattered across different systems.
How to avoid: Implement a SIEM to centralize and analyze logs from all sources.

3. Inadequate alert configuration

Why this happens: Alerts are not configured for all critical events.
How to avoid: Review and configure alerts for all potential unauthorized activities.

4. Infrequent user account audits

Why this happens: Audits are not performed regularly.
How to avoid: Schedule and conduct user account audits at least quarterly.

5. No penetration testing

Why this happens: Penetration testing is seen as a low priority.
How to avoid: Include penetration testing in the annual security plan.

📚 Parent Policy

This practice is governed by the System and Information Integrity Policy

View SI Policy →

📚 Related Controls