CMMC Practice SI.2.217: Identify unauthorized use of organizational systems.
Organizations should define authorized use of their systems. First, have an acceptable-use policy for your system. This policy establishes the baseline for how users access devices and the internet. You define authorized use by specific roles within the organization. Examples of these roles include user, administrator, and technician. After you define authorized use, identify unauthorized use of systems.
Organizations can monitor systems by observing audit activities. You can do this in real time or by other manual means, such as reviewing access patterns. To identify unauthorized use, leverage existing tools and techniques, such as:
- intrusion detection systems;
- intrusion prevention systems;
- malicious code protection software;
- scanning tools;
- audit record monitoring software; and
- network monitoring software.