ISO27001 Compliance With Netwrix

The document provides an overview of ISO/IEC 27001 and maps its key controls to processes that can be implemented using Netwrix Auditor. ISO/IEC 27001 is an international standard for information security management. It contains 114 controls across 14 sections. The document explains each control and how Netwrix Auditor can help organizations achieve compliance.

ISO/IEC 27001 Controls and Netwrix Auditor Mapping

www.netwrix.com | Toll-free: 888-638-9749


About ISO/IEC 27001
ISO/IEC 27001 is an international standard that specifies requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). The design and implementation of an organization's ISMS is shaped by the organization's needs and objectives, its security requirements, the organizational processes in use, and the size and structure of the organization.

ISO/IEC 27001:2005 was the first edition of the standard. It was technically revised in 2013 and replaced by ISO/IEC 27001:2013, the edition this mapping is based on.

ISO/IEC 27001:2013 has 14 security control sections (Annex A.5 through A.18) collectively containing 35 main security categories and 114 controls. Note that ISO/IEC 27001:2022 has since superseded the 2013 edition and reorganizes Annex A into 93 controls under four themes, so the control numbers used below do not carry over one-to-one to the 2022 edition.

Mapping of ISO/IEC 27001 information security controls to control processes
The following table lists some of the key controls of ISO/IEC 27001 and explains how Netwrix Auditor can help your organization implement those controls and achieve compliance with ISO/IEC 27001. Please note that the effort and procedures required to comply with ISO/IEC 27001 may vary depending on an organization's system configuration, internal procedures, nature of business and other factors. Implementing the procedures described below will not guarantee ISO/IEC 27001 compliance, and not all the controls that Netwrix Auditor could support are included. Use this mapping as a reference guide to help you implement policies and procedures tailored to your organization's situation and needs.

A.6 Organization of information security

A.6.2.1 Mobile device policy
Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.
Control process: Access Control (Remote Access; Wireless Access)

A.6.2.2 Teleworking
Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.
Control process: Access Control (Remote Access)

A.8 Asset management

A.8.2.1 Classification of information
Control: Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.
Control process: Risk Assessment (Security Categorization)

A.9 Access control

A.9.1.2 Access to networks and network services
Control: Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
Control process: Access Control (Access Enforcement)

A.9.2.1 User registration and de-registration
Control: A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
Control processes: Identification and Authentication (User Identification; Identifier Management; Authenticator Management); Access Control (Account Management Audit; Account Usage Monitoring)

A.9.2.2 User access provisioning
Control: A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.
Control process: Access Control (Account Management Audit; Account Usage Monitoring)

A.9.2.3 Management of privileged access rights
Control: The allocation and use of privileged access rights shall be restricted and controlled.
Control processes: Access Control (Role and Group Assignment); Configuration Management (Configuration Change Control)

A.9.2.4 Management of secret authentication information of users
Control: The allocation of secret authentication information shall be controlled through a formal management process.
Control processes: Identification and Authentication (Authenticator Management); Access Control (Account Usage Monitoring)

A.9.2.5 Review of user access rights
Control: Asset owners shall review users' access rights at regular intervals.
Control process: Access Control (Role and Group Assignment; Least Privilege)

A.9.2.6 Removal or adjustment of access rights
Control: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Control process: Access Control (Inactive Accounts; Personnel Status Changes)

A.9.3.1 Use of secret authentication information
Control: Users shall be required to follow the organization's practices in the use of secret authentication information.
Control processes: Identification and Authentication (Authenticator Management); Access Control (Account Usage Monitoring)

A.9.4.2 Secure log-on procedures
Control: Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
Control process: Access Control (Account Usage Monitoring)

A.9.4.3 Password management system
Control: Password management systems shall be interactive and shall ensure quality passwords.
Control processes: Identification and Authentication (Authenticator Management); Access Control (Account Usage Monitoring)

A.9.4.5 Access control to program source code
Control: Access to program source code shall be restricted.
Control process: Configuration Management (Configuration Change Control)

A.12 Operations security

A.12.1.2 Change management
Control: Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.
Control process: Configuration Management (Configuration Change Control)

A.12.4.1 Event logging
Control: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
Control processes: Access Control (Account Management Audit); Audit and Accountability (Audit Record Generation; Audit Record Retention; Audit Trail Review; Session Audit)

A.12.4.2 Protection of log information
Control: Logging facilities and log information shall be protected against tampering and unauthorized access.
Control process: Audit and Accountability (Protection of Audit Information)

A.12.4.3 Administrator and operator logs
Control: System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
Control process: Audit and Accountability (Audit Record Generation; Audit Trail Review; Protection of Audit Information; Session Audit)

A.12.5.1 Installation of software on operational systems
Control: Procedures shall be implemented to control the installation of software on operational systems.
Control process: Configuration Management (Configuration Change Control)

A.13 Communications security

A.13.1.1 Network controls
Control: Networks shall be managed and controlled to protect information in systems and applications.
Control process: Access Control (Remote Access; Wireless Access)

A.13.2.1 Information transfer policies and procedures
Control: Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
Control process: Access Control (Remote Access; Wireless Access; Use of External Information Systems)

A.14 System acquisition, development and maintenance

A.14.2.2 System change control procedures
Control: Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.
Control process: Configuration Management (Configuration Change Control)

A.14.2.4 Restrictions on changes to software packages
Control: Modifications to software packages shall be discouraged, limited to necessary changes, and all changes shall be strictly controlled.
Control process: Configuration Management (Configuration Change Control)

A.16 Information security incident management

A.16.1.2 Reporting information security events
Control: Information security events shall be reported through appropriate management channels as quickly as possible.
Control process: Audit and Accountability (Audit Trail Review)

A.16.1.4 Assessment of and decision on information security events
Control: Information security events shall be assessed and it shall be decided if they are to be classified as information security incidents.
Control processes: Audit and Accountability (Audit Trail Review); Incident Response (Incident Detection)

A.16.1.5 Response to information security incidents
Control: Information security incidents shall be responded to in accordance with the documented procedures.
Control process: Incident Response (Incident Analysis; Incident Mitigation)

A.16.1.7 Collection of evidence
Control: The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence.
Control process: Audit and Accountability (Audit Record Retention)

A.18 Compliance

A.18.1.3 Protection of records
Control: Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.
Control process: Audit and Accountability (Protection of Audit Information)

A.18.1.4 Privacy and protection of personally identifiable information
Control: Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.
Control process: System and Information Integrity (Information Management and Retention; Data Sanitization)

Control Processes Facilitated by Netwrix Auditor
From the compliance perspective, IT operations can be viewed and managed as a collection of control processes. Each process focuses organizational effort on a specific area of IT, enforces certain policies and establishes a particular set of compliance controls. While control processes can be treated as separate entities for simplicity of implementation and management, in practice they are deeply interconnected and common to many regulations and best-practice frameworks.

- Identification and Authentication
- Access Control
- Audit and Accountability
- Configuration Management
- Incident Response
- Risk Assessment
- System and Information Integrity

Identification and Authentication


The objective of the identification and authentication controls is to ensure that all users and devices accessing information
systems are uniquely identifiable and their authenticity is verified before the system grants access. Identification and
authentication are crucial for ensuring accountability of individual activity in the organizational information systems.

User Identification
Audit the identification and authentication processes for users who access your information systems.

How to implement: Cross-reference HR data with Active Directory user accounts in order to:
- Ensure that each user with a business need to access your information systems has a unique account.
- Identify personal accounts that cannot be traced to a particular individual.
Netwrix Auditor features:
- Active Directory State-in-Time reports: User Accounts

How to implement: Review audit trails to check whether the use of shared accounts complies with your policies.
Netwrix Auditor features:
- User Behavior and Blind Spot Analysis reports: Logons by Single User from Multiple Endpoints
- Interactive Search: Who = shared account

How to implement: Correlate employee absence data (typically from HR) with the access audit trail to spot suspicious activity.
Netwrix Auditor features:
- Active Directory – Logon Activity reports: All Logon Activity
- Interactive Search: Action = Interactive Logon

Device Identification
Audit the identification and authentication processes for devices used to access your information systems.

How to implement: Cross-check the IT inventory against the list of computer accounts in Active Directory.
Netwrix Auditor features:
- Active Directory State-in-Time reports: Computer Accounts

How to implement: Review all computer domain joins and all computer account creations, modifications and deletions to spot unauthorized changes to computer accounts.
Netwrix Auditor features:
- Active Directory Changes reports: Computer Account Changes
- Interactive Search: Object Type = Computer

How to implement: Audit dynamic address allocation to devices by monitoring the DHCP server for changes to DHCP scopes and to lease parameters and assignments.
Netwrix Auditor features:
- Interactive Search: Object Type = DHCP Scope

How to implement: Audit remote network connections to identify unauthorized remote devices.
Netwrix Auditor features:
- Netwrix Auditor Add-on for RADIUS Server
- Active Directory – Logon Activity reports

Identifier Management
Audit provisioning, modification and de-provisioning of users and groups.

How to implement: Review the creation, modification and deletion of users and groups to spot unauthorized changes and identifiers that do not comply with your naming standards and policies (e.g., no public, generic or reused identifiers).
Netwrix Auditor features:
- Active Directory Changes reports: User Account Changes; Security Group Changes
- Interactive Search: Object Type = Group | User

How to implement: Configure alerts to notify designated personnel about unauthorized account changes.
Netwrix Auditor features:
- Custom alerts for user account modifications

Authenticator Management
Review changes to password policy requirements, and audit user and admin activity for policy compliance.

How to implement: Audit changes to account policy settings to spot inappropriate or unauthorized modifications. Settings to check include:
- Account lockout threshold, lockout duration and lockout counter reset window
- Maximum and minimum password age
- Enforce password history
- Password complexity requirements
- Storage of passwords using reversible encryption (must remain disabled)
Netwrix Auditor features:
- Active Directory – Group Policy Changes reports: Account Policy Changes; Password Policy Changes; GPO Link Changes
- Active Directory Group Policy State-in-Time reports: Account Policies

How to implement: Alert designated personnel about Group Policy changes related to account passwords.
Netwrix Auditor features:
- Predefined alerts: Password Tampered

How to implement: Audit administrative password resets to spot unauthorized or suspicious changes.
Netwrix Auditor features:
- Active Directory Changes reports: Password Resets by Administrator

How to implement: Correlate new user account creation with subsequent password changes to ensure that users change their initial password on first logon.
Netwrix Auditor features:
- Active Directory Changes reports: User Account Changes (added); User Password Changes
- Interactive Search: Details contains "Password Reset"

How to implement: Ensure that accounts whose credentials are reported lost or compromised are promptly reset or disabled according to policy.
Netwrix Auditor features:
- Active Directory Changes reports: User Account Status Changes; Password Resets by Administrator

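The account policy settings listed above are the ones a reviewer compares against a baseline. The following PowerShell is an added example, not Netwrix Auditor code and not part of the original document: it takes a policy object shaped like the output of Get-ADDefaultDomainPasswordPolicy and reports every setting weaker than a baseline. The baseline values, the function name Test-AccountPolicy and the constructed $WeakPolicy sample are assumptions for this example.

```powershell
# Added example (not Netwrix Auditor code): compare a domain password and lockout
# policy against a hardening baseline and list every setting that is weaker.
# Live use on a domain-joined host with the ActiveDirectory module:
#   Test-AccountPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
# The baseline values are assumptions for this example, not ISO/IEC 27001 text.

$Baseline = @{
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    MaxPasswordAge              = [TimeSpan]::FromDays(365)   # 0 means "never expires"
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10                          # 0 means "no lockout"
    LockoutDuration             = [TimeSpan]::FromMinutes(15)
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(15)
}

function Test-AccountPolicy {
    param(
        # Any object with the property names that Get-ADDefaultDomainPasswordPolicy returns
        [Parameter(Mandatory)] $Policy,
        [hashtable] $Expected = $Baseline
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $report = {
        param($Setting, $Actual, $Required, $Why)
        $findings.Add([pscustomobject]@{ Setting = $Setting; Actual = $Actual; Required = $Required; Why = $Why })
    }

    # Settings where a larger value is stronger: the actual value must reach the baseline
    foreach ($name in 'MinPasswordLength', 'PasswordHistoryCount', 'MinPasswordAge', 'LockoutDuration', 'LockoutObservationWindow') {
        if ($Policy.$name -lt $Expected[$name]) { & $report $name $Policy.$name $Expected[$name] 'below the baseline minimum' }
    }
    # Zero disables these two controls entirely, which is the weakest possible value
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $Policy.MaxPasswordAge -gt $Expected.MaxPasswordAge) {
        & $report 'MaxPasswordAge' $Policy.MaxPasswordAge $Expected.MaxPasswordAge 'passwords never expire or expire too late'
    }
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Expected.LockoutThreshold) {
        & $report 'LockoutThreshold' $Policy.LockoutThreshold $Expected.LockoutThreshold 'lockout disabled or too many attempts allowed'
    }
    # Boolean switches must match the baseline exactly
    foreach ($name in 'ComplexityEnabled', 'ReversibleEncryptionEnabled') {
        if ([bool]$Policy.$name -ne [bool]$Expected[$name]) { & $report $name $Policy.$name $Expected[$name] "must be $($Expected[$name])" }
    }
    return $findings
}

# Constructed sample: a domain left at settings weaker than the baseline (example data, not a real domain)
$WeakPolicy = [pscustomobject]@{
    MinPasswordLength = 7;  PasswordHistoryCount = 3
    MinPasswordAge = [TimeSpan]::Zero;  MaxPasswordAge = [TimeSpan]::Zero
    ComplexityEnabled = $false;  ReversibleEncryptionEnabled = $true
    LockoutThreshold = 0;  LockoutDuration = [TimeSpan]::FromMinutes(30);  LockoutObservationWindow = [TimeSpan]::FromMinutes(30)
}
Test-AccountPolicy -Policy $WeakPolicy | Format-Table -AutoSize
```

Two caveats when running this against a real domain: Get-ADDefaultDomainPasswordPolicy reports a MaxPasswordAge of 00:00:00 when passwords are set never to expire, which the check treats as the weakest case rather than as "zero days"; and fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override the domain default for specific groups, so each of those should be passed through the same check.
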
Access Control
The goal of access control measures is to ensure that information system accounts are properly managed and that access is granted based on the principle of least privilege. Netwrix Auditor supports access control by providing visibility into account provisioning and deprovisioning, permissions management and user activity.

Account Management Audit
Audit the creation, modification, enabling, disabling and removal of user accounts.

How to implement: Review changes to user accounts on key information systems to spot deviations from your account management policies and procedures.
Netwrix Auditor features:
- Active Directory Changes reports: User Account Changes; User Account Status Changes; Recently Enabled Accounts; Temporary User Accounts
- Azure AD reports: User Account Management in Azure AD
- Oracle Database reports: Account Management
- Windows Server Changes reports: Local Users and Groups Changes

How to implement: Alert designated security personnel whenever a sensitive account is changed.
Netwrix Auditor features:
- Predefined alerts: Account Enabled; Account Disabled; Account Deleted; Security Changes on Windows Server

Account Usage Monitoring
Monitor user activity for abnormal or suspicious events.

How to implement: Review user logons and resource access on a regular basis to spot abnormal account use and violations of your account use policy.
Netwrix Auditor features:
- Activity Summary email notifications
- User Behavior and Blind Spot Analysis reports: Temporary User Accounts; Recently Enabled Accounts; Access to Archive Data; Data Access Surges; Activity Outside Business Hours; Failed Activity Trend; Logons by Multiple Users from Single Endpoint; Logons by Single User from Multiple Endpoints; Non-owner Mailbox Access

How to implement: Review user access to sensitive and regulated data to detect access policy violations.
Netwrix Auditor features:
- Data Discovery and Classification reports: Activity Related to Sensitive Files and Folders

How to implement: Enable designated security personnel to respond promptly to potential access abuse.
Netwrix Auditor features:
- Predefined alerts: Logon to a Specific Machine; Logon Attempt to a Disabled Account; Multiple Failed Logons
- Interactive Search: Who = suspicious account

How to implement: Review audit trails to spot use of shared accounts that violates your policies.
Netwrix Auditor features:
- User Behavior and Blind Spot Analysis reports: Logons by Single User from Multiple Endpoints
- Interactive Search: Who = shared account
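
The four usage patterns named above (one user from many endpoints, bursts of failed logons, logons to disabled accounts, activity outside business hours) reduce to simple detection logic over Windows Security log records. The PowerShell below is an added example, not Netwrix Auditor code and not part of the original document. It runs offline on a constructed set of 4624/4625 records; the thresholds, the business-hours window and the record field names are assumptions for this example, and the comment shows how the same objects would be built from Get-WinEvent on a live host.

```powershell
# Added example (not Netwrix Auditor code): the account-usage checks listed above
# as detection logic over Windows Security log records. It runs offline on the
# constructed sample below; live use builds the same objects from the log, e.g.
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddDays(-1) } |
#     ForEach-Object {
#       $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#       [pscustomobject]@{ Time=$_.TimeCreated; Id=$_.Id; User=$d.TargetUserName; Source=$d.IpAddress; LogonType=$d.LogonType; SubStatus=$d.SubStatus }
#     }
# Thresholds and business hours are assumptions for this example.

function New-LogonRecord($Time, $Id, $User, $Source, $LogonType = 2, $SubStatus = '0x0') {
    [pscustomobject]@{ Time = [datetime]$Time; Id = $Id; User = $User; Source = $Source; LogonType = $LogonType; SubStatus = $SubStatus }
}

# Constructed sample (2024-03-04 is a Monday). 4624 = successful logon, 4625 = failed logon.
$events = @(
    New-LogonRecord '2024-03-04 09:12:00' 4624 'jdoe'       '10.0.1.15'
    New-LogonRecord '2024-03-04 09:40:00' 4624 'jdoe'       '10.0.1.15'
    New-LogonRecord '2024-03-04 10:05:00' 4624 'svc_backup' '10.0.2.7'  10
    New-LogonRecord '2024-03-04 10:06:00' 4624 'svc_backup' '10.0.2.8'  10
    New-LogonRecord '2024-03-04 10:07:00' 4624 'svc_backup' '10.0.3.41' 10
    New-LogonRecord '2024-03-04 10:08:00' 4624 'svc_backup' '10.0.5.2'  10
    New-LogonRecord '2024-03-04 23:30:00' 4624 'asmith'     '10.0.1.20'
    New-LogonRecord '2024-03-04 11:00:00' 4625 'mlee'       '10.0.9.9' 3 '0xC000006A'   # bad password
    New-LogonRecord '2024-03-04 11:00:05' 4625 'mlee'       '10.0.9.9' 3 '0xC000006A'
    New-LogonRecord '2024-03-04 11:00:10' 4625 'mlee'       '10.0.9.9' 3 '0xC000006A'
    New-LogonRecord '2024-03-04 11:00:15' 4625 'mlee'       '10.0.9.9' 3 '0xC000006A'
    New-LogonRecord '2024-03-04 11:00:20' 4625 'mlee'       '10.0.9.9' 3 '0xC000006A'
    New-LogonRecord '2024-03-04 11:20:00' 4625 'tjones'     '10.0.9.9' 3 '0xC0000072'   # account disabled
)

function Find-MultiEndpointLogons($Events, [int]$MaxEndpoints = 2) {
    # Interactive (2) and RDP (10) logons only: network logons (3) to a file server fan out legitimately
    $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in @(2, 10) } | Group-Object User | ForEach-Object {
        $sources = @($_.Group.Source | Sort-Object -Unique)
        if ($sources.Count -gt $MaxEndpoints) {
            [pscustomobject]@{ Finding = 'single user from multiple endpoints'; User = $_.Name; Detail = ($sources -join ', ') }
        }
    }
}

function Find-FailedLogonBursts($Events, [int]$Threshold = 5) {
    $Events | Where-Object Id -eq 4625 | Group-Object User | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{ Finding = 'multiple failed logons'; User = $_.Name; Detail = "$($_.Count) failures" }
    }
}

function Find-DisabledAccountLogons($Events) {
    # 0xC0000072 = account disabled; depending on the logon path it is reported as Status or SubStatus
    $Events | Where-Object { $_.Id -eq 4625 -and $_.SubStatus -eq '0xC0000072' } | ForEach-Object {
        [pscustomobject]@{ Finding = 'logon attempt to disabled account'; User = $_.User; Detail = "from $($_.Source) at $($_.Time.ToString('HH:mm'))" }
    }
}

function Find-AfterHoursLogons($Events, [int]$OpenHour = 7, [int]$CloseHour = 19) {
    $weekend = [DayOfWeek]::Saturday, [DayOfWeek]::Sunday
    $Events | Where-Object { $_.Id -eq 4624 -and ($_.Time.Hour -lt $OpenHour -or $_.Time.Hour -ge $CloseHour -or $_.Time.DayOfWeek -in $weekend) } | ForEach-Object {
        [pscustomobject]@{ Finding = 'activity outside business hours'; User = $_.User; Detail = $_.Time.ToString('ddd HH:mm') }
    }
}

$findings = @(Find-MultiEndpointLogons $events) + @(Find-FailedLogonBursts $events) +
            @(Find-DisabledAccountLogons $events) + @(Find-AfterHoursLogons $events)
$findings | Format-Table -AutoSize
```

On the sample, svc_backup trips the multi-endpoint check, mlee the failed-logon burst, tjones the disabled-account check and asmith the after-hours check, while jdoe produces nothing. In production the multi-endpoint check is the one that needs the most tuning: restrict it to interactive and RDP logon types as shown, and expect service and scanner accounts to need an allow-list.
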

Inactive Accounts
Disable unused accounts after a defined period of inactivity.

How to implement: Identify dormant or orphaned user and computer accounts and handle them according to policy.
Netwrix Auditor features:
- Inactive User Tracker tool, which identifies unused accounts and can automatically notify the manager, disable the account, change the password, move the account to a specified OU, or remove the account
- Active Directory State-in-Time reports: User Accounts – Last Logon Time

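The User Identification, Device Identification and Inactive Accounts processes above all come down to reconciling directory accounts against an authoritative source and a last-logon threshold. The PowerShell below is an added example, not Netwrix Auditor code and not part of the original document. It runs offline on constructed sample data; the HR roster and asset inventory formats, the 90-day threshold, the function names and the quarantine OU in the remediation comment are assumptions for this example, and the comments show the live directory queries that would replace the samples.

```powershell
# Added example (not Netwrix Auditor code): reconcile directory accounts against
# authoritative sources and flag stale accounts. Runs offline on the constructed
# sample below; live use replaces the samples with directory queries:
#   $users     = Get-ADUser -Filter * -Properties EmployeeID, LastLogonDate, Enabled
#   $computers = Get-ADComputer -Filter * -Properties LastLogonDate, Enabled
# The HR roster and asset inventory formats are assumptions for this example.

function Get-UnmappedAccounts {
    param([array]$Accounts, [string]$KeyProperty, [string[]]$AuthoritativeKeys, [string]$Source)
    $known = @{}                                    # PowerShell hashtable keys are case-insensitive
    foreach ($k in $AuthoritativeKeys) { $known[$k] = $true }
    foreach ($a in $Accounts) {
        $key = [string]$a.$KeyProperty
        if ([string]::IsNullOrWhiteSpace($key)) {
            [pscustomobject]@{ Account = $a.Name; Issue = "no $KeyProperty set, cannot be traced to a $Source record" }
        } elseif (-not $known.ContainsKey($key)) {
            [pscustomobject]@{ Account = $a.Name; Issue = "$KeyProperty '$key' has no matching $Source record" }
        }
    }
}

function Get-StaleAccounts {
    param([array]$Accounts, [int]$InactiveDays = 90, [datetime]$AsOf = (Get-Date))
    $cutoff = $AsOf.AddDays(-$InactiveDays)
    foreach ($a in $Accounts) {
        if (-not $a.Enabled) { continue }           # disabled accounts are already handled
        # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to ~14 days
        # of lag, so never use an inactivity threshold shorter than that
        if ($null -eq $a.LastLogonDate -or $a.LastLogonDate -lt $cutoff) {
            $last = if ($null -eq $a.LastLogonDate) { 'never' } else { $a.LastLogonDate.ToString('yyyy-MM-dd') }
            [pscustomobject]@{ Account = $a.Name; Issue = "enabled but inactive since $last (threshold $InactiveDays days)" }
        }
    }
}
# Remediation for confirmed stale accounts (live only; drop -WhatIf after reviewing the report):
#   Disable-ADAccount -Identity $acct.SamAccountName -WhatIf
#   Move-ADObject -Identity $acct.DistinguishedName -TargetPath 'OU=Quarantine,DC=corp,DC=example' -WhatIf

# Constructed sample data (not from any real directory)
$now       = [datetime]'2024-03-04'
$hrRoster  = @('E1001', 'E1002', 'E1003')            # active employee IDs exported from HR
$inventory = @('WS-0001', 'WS-0002', 'SRV-FILE01')   # asset names exported from the CMDB
$users = @(
    [pscustomobject]@{ Name = 'jdoe';        EmployeeID = 'E1001'; Enabled = $true;  LastLogonDate = $now.AddDays(-2) }
    [pscustomobject]@{ Name = 'asmith';      EmployeeID = 'E1002'; Enabled = $true;  LastLogonDate = $now.AddDays(-120) }
    [pscustomobject]@{ Name = 'contractor7'; EmployeeID = '';      Enabled = $true;  LastLogonDate = $now.AddDays(-5) }
    [pscustomobject]@{ Name = 'bwayne';      EmployeeID = 'E1999'; Enabled = $true;  LastLogonDate = $null }
    [pscustomobject]@{ Name = 'oldtemp';     EmployeeID = 'E1003'; Enabled = $false; LastLogonDate = $now.AddDays(-400) }
)
$computers = @(
    [pscustomobject]@{ Name = 'WS-0001';    Enabled = $true; LastLogonDate = $now.AddDays(-1) }
    [pscustomobject]@{ Name = 'WS-0009';    Enabled = $true; LastLogonDate = $now.AddDays(-3) }     # not in inventory
    [pscustomobject]@{ Name = 'SRV-FILE01'; Enabled = $true; LastLogonDate = $now.AddDays(-200) }
)

$report = @(Get-UnmappedAccounts -Accounts $users -KeyProperty EmployeeID -AuthoritativeKeys $hrRoster -Source 'HR') +
          @(Get-UnmappedAccounts -Accounts $computers -KeyProperty Name -AuthoritativeKeys $inventory -Source 'inventory') +
          @(Get-StaleAccounts -Accounts ($users + $computers) -AsOf $now)
$report | Format-Table -AutoSize
```

On the sample this flags contractor7 (no employee ID), bwayne (employee ID unknown to HR), WS-0009 (not in the inventory), and asmith, bwayne and SRV-FILE01 as stale; oldtemp is ignored because it is already disabled. The two reconciliations share one function because the check is the same whether the key is an employee ID or a hostname.
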
Role and Group Assignment
Review group and role assignments to ensure that user accounts meet established membership conditions and the principle of least privilege.

How to implement: Ensure that users are added to security groups and access roles in accordance with the least privilege principle and only with proper authorization.
Netwrix Auditor features:
- Active Directory Changes reports: Security Group Membership Changes
- Azure AD reports: Group Membership Changes in Azure AD
- Active Directory State-in-Time reports: Group Members; Effective Group Membership
- Windows Server State-in-Time reports: Local Users and Groups

How to implement: Monitor privileged group and role assignments to prevent unauthorized privilege escalation, and regularly review the membership of these groups and roles to validate the need for privileged access.
Netwrix Auditor features:
- Active Directory Changes reports: Administrative Group Membership Changes
- User Behavior and Blind Spot Analysis reports: Temporary Users in Privileged Groups
- Windows Server Changes reports: Local Users and Groups Changes
- Active Directory State-in-Time reports: Administrative Group Members
- Windows Server State-in-Time reports: Members of Local Administrators Group
- Oracle Database reports: Privilege Management
- SQL Server reports: All SQL Server Activity by Object Type (Object Type = Server Role | Database Role | Application Role)
- Predefined alerts: Group Membership Changes

Personnel Status Changes
Ensure proper handling of the accounts and access permissions of temporary, transferred or terminated employees.

How to implement: Review audit trails to confirm that the user accounts of temporary and terminated employees are disabled or removed in all information systems and applications according to your policy.
Netwrix Auditor features:
- Active Directory Changes reports: User Account Changes; User Account Status Changes

How to implement: Review the current access permissions of transferred or reassigned employees, with particular attention to sensitive and regulated data, to ensure they do not exceed their new job requirements.
Netwrix Auditor features:
- Active Directory Changes reports: User Account Changes
- Active Directory State-in-Time reports: Users and Computers – Effective Group Membership
- Data Discovery and Classification reports: Sensitive File and Folder Permissions Details

Access Enforcement
Ensure user permissions comply with your access control policies.

How to implement: Review access permissions for sensitive information assets on a regular basis to identify and rectify the following:
- Excessive permissions
- Permissions assigned directly to users rather than through roles and groups
- Broken permission inheritance
Netwrix Auditor features:
- User Behavior and Blind Spot Analysis reports: Data Access; Excessive Permissions
- File Servers State-in-Time reports: Folder and File Permission Details; Folder Permissions
- Data Discovery and Classification reports: Sensitive Files and Folders by Owner; Sensitive File and Folder Permissions Details

How to implement: Audit and alert on changes to permissions in order to promptly spot improper or unauthorized modifications.
Netwrix Auditor features:
- Predefined alerts: File Share Permissions Changed; Object Permissions Changed in Active Directory; Security Changes on Windows Server
- Activity Summary email notifications

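The three permission review conditions above (excessive rights, direct grants instead of group grants, broken inheritance) can be checked from NTFS ACLs directly. The PowerShell below is an added example, not Netwrix Auditor code and not part of the original document. It runs offline on constructed objects shaped like Get-Acl output; the approved group names, the CORP domain, the folder paths and the Test-FolderAcl function name are assumptions for this example, and a live run would pipe Get-Acl results into the same function as shown in the comment.

```powershell
# Added example (not Netwrix Auditor code): review folder ACLs for excessive rights held by
# broad principals, permissions granted directly instead of through approved groups, and
# broken inheritance. Live use on an NTFS share (Windows):
#   Get-ChildItem -Path 'D:\Shares\Finance' -Directory -Recurse |
#     ForEach-Object { Get-Acl -Path $_.FullName } | Test-FolderAcl -ApprovedGroups 'CORP\FIN-RW', 'CORP\FIN-RO'
# Below it runs on constructed ACL objects; the principal and group names are assumptions.

$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'CORP\Domain Users'
$WritePattern    = 'Write|Modify|FullControl|Delete|ChangePermissions|TakeOwnership'

function Test-FolderAcl {
    param(
        # Needs .Path, .AreAccessRulesProtected and .Access[] entries with IdentityReference,
        # FileSystemRights, AccessControlType and IsInherited, as Get-Acl returns them
        [Parameter(ValueFromPipeline)] $Acl,
        [string[]] $ApprovedGroups = @()
    )
    process {
        $path = $Acl.Path -replace '^Microsoft\.PowerShell\.Core\\FileSystem::', ''   # strip the provider prefix Get-Acl adds
        if ($Acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $path; Identity = '-'; Finding = 'inheritance disabled; explicit ACL must be reviewed on its own' }
        }
        foreach ($ace in $Acl.Access) {
            # Inherited ACEs are reported once, at the folder that defines them
            if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
            $id     = [string]$ace.IdentityReference
            $rights = [string]$ace.FileSystemRights
            if ($id -in $BroadPrincipals) {
                if ($rights -match $WritePattern) {
                    [pscustomobject]@{ Path = $path; Identity = $id; Finding = "broad principal holds $rights" }
                }
            } elseif ($id -notin $ApprovedGroups -and $id -notmatch '^(NT AUTHORITY|BUILTIN|NT SERVICE)\\') {
                [pscustomobject]@{ Path = $path; Identity = $id; Finding = "direct grant ($rights) outside the approved groups" }
            }
        }
    }
}

# Constructed sample ACLs (not taken from a real file server)
function New-Ace($Identity, $Rights, $Inherited = $false) {
    [pscustomobject]@{ IdentityReference = $Identity; FileSystemRights = $Rights; AccessControlType = 'Allow'; IsInherited = $Inherited }
}
$sampleAcls = @(
    [pscustomobject]@{ Path = 'D:\Shares\Finance'; AreAccessRulesProtected = $false; Access = @(
        (New-Ace 'CORP\FIN-RW' 'Modify, Synchronize'),
        (New-Ace 'CORP\Domain Users' 'ReadAndExecute, Synchronize'),
        (New-Ace 'BUILTIN\Administrators' 'FullControl')) }
    [pscustomobject]@{ Path = 'D:\Shares\Finance\Payroll'; AreAccessRulesProtected = $true; Access = @(
        (New-Ace 'CORP\FIN-RW' 'Modify, Synchronize' $true),
        (New-Ace 'CORP\jdoe' 'FullControl'),
        (New-Ace 'Everyone' 'Modify, Synchronize')) }
)
$sampleAcls | Test-FolderAcl -ApprovedGroups 'CORP\FIN-RW', 'CORP\FIN-RO' | Format-Table -AutoSize
```

On the sample the Finance folder is clean (Domain Users only reads, and built-in administrators are excluded), while Payroll produces three findings: protected (non-inherited) ACL, a direct grant to CORP\jdoe, and Everyone with Modify. Telling users from unapproved groups by name alone is a heuristic; a production version would resolve each IdentityReference against the directory (for example with Get-ADObject) before deciding it is a direct user grant.
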
Least Privilege
Maintain user access permissions based on the principle of least privilege.

How to implement: Regularly review access rights granted to users and roles to ensure users have only the permissions they need to do their jobs.
Netwrix Auditor features:
- User Behavior and Blind Spot Analysis reports: Excessive Permissions
- Active Directory Changes reports: Object Security Changes; Security Group Changes
- Active Directory State-in-Time reports: Account Permissions in Active Directory; Object Permissions in Active Directory; Users and Computers – Effective Group Membership
- Group Policy Changes reports: User Rights Assignment Policy Changes; Security Settings Changes
- Exchange Server reports: Mailbox Delegation and Permissions Changes
- File Servers Activity reports: Permissions Changes
- File Servers State-in-Time reports: Account Permissions; Excessive Access Permissions; Folder and File Permission Details; Folder Permissions
- Windows Server Changes reports: File Share Changes

How to implement: Ensure that privileged accounts are restricted to the specific users and roles who need access to security-related functions on the information systems.
Netwrix Auditor features:
- Predefined alerts: User Added to AD Administrative Group; User Added to Windows Server Administrative Group

How to implement: Ensure that privileged administrative accounts are used exclusively for performing security-related tasks.
Netwrix Auditor features:
- Interactive Search: Who = privileged account
- Windows Server User Activity reports: User activity video recording (available even for systems and applications that do not produce logs)

Remote Access
Monitor remote access connections to ensure they conform to your secure access policies.

How to implement: Review detailed remote access logon events along with AD logon activity.
Netwrix Auditor features:
- Interactive Search: Object Type = RADIUS Logon
- Active Directory – Logon Activity reports
- Netwrix Auditor Add-on for RADIUS Server

How to implement: Monitor changes to the security groups used for remote access authorization.
Netwrix Auditor features:
- Active Directory Changes reports: Security Group Membership Changes
- Interactive Search: Object Type = Group AND What CONTAINS GroupID
- Predefined alerts: Group Membership Changes

Wireless Access
Monitor wireless network connections for conformance with your wireless networking policies.

How to implement: Monitor wireless connections to your networks.
Netwrix Auditor features:
- Netwrix Auditor Add-on for Cisco Network Devices

How to implement: Monitor your wireless networking policies for unauthorized or inappropriate changes.
Netwrix Auditor features:
- Active Directory – Group Policy Changes reports: Wireless Network Policy Changes

Use of External Information Systems
Control the use of external information systems, including cloud-based services.

How to implement: Audit user activity in SharePoint Online, Exchange Online and OneDrive for Business in order to discover and prevent violations of your information handling policies, such as storing sensitive data outside your control boundaries.
Netwrix Auditor features:
- Office 365 Overview Dashboards
- SharePoint Online reports: All SharePoint Online Activity by User; Content Management; Data Access; Sharing and Security Changes
- User Behavior and Blind Spot Analysis reports: Information Disclosure; Suspicious Files

Audit and Accountability
Audit and accountability measures maintain a trail of activity in information systems so that individuals can be held accountable for their actions. Netwrix Auditor directly supports many audit and accountability requirements by capturing a consolidated audit trail, retaining it long term (10 years by default in the file-based AuditArchive store), providing ready access to audit information for investigations and compliance reviews, and recording video of user activity in systems that do not produce audit events.

Audit Record Generation
Generate audit records containing information that establishes what type of event occurred, when and where it occurred, the source of the event, the outcome of the event, and the identity of any individuals associated with the event.

How to implement: Collect detailed records (Who, What, When and Where) of events in your information systems and applications.
Netwrix Auditor features:
- A consolidated audit trail across monitored IT systems and applications
- Data-in API, which enables creation of add-ons for integrating Netwrix Auditor with other systems and applications

How to implement: Adjust the data collection settings to ensure the audit trail contains all required details.
Netwrix Auditor features:
- Review reports and Interactive Search results and fine-tune monitoring plans as needed

Audit Record Retention
Retain audit records for the time period required by your record retention policy or by compliance regulations.

How to implement: Store your audit data in a way that ensures easy access for incident investigations while meeting the long-term retention requirements specified by your policies or regulatory mandates.
Netwrix Auditor features:
- AuditArchive™, a two-tiered storage that provides a SQL Server audit database for operational reporting (data is stored for 180 days by default) and a separate file-based archive for long-term storage of audit data (data is stored for 10 years by default)

Audit Trail Review
Regularly review audit records for indications of inappropriate or unusual activity and report findings to appropriate personnel, such as your incident response team or InfoSec group.

How to implement: Regularly review a consolidated audit trail across your critical information systems.
Netwrix Auditor features:
- Predefined change and activity reports
- Activity Summary email notifications
- Interactive Search

How to implement: Export reports for evidence when reporting inappropriate or unusual activity to responsible security staff.
Netwrix Auditor features:
- Export of reports to a variety of formats, including PDF and Microsoft Excel

How to implement: Configure alerts to automatically trigger incidents in your IT service support management (ITSSM) solution.
Netwrix Auditor features:
- Netwrix Auditor Add-On for ServiceNow Incident Management (ticket creation)

How to implement: Add audit records from other key systems and applications to your system-wide, time-correlated audit trail.
Netwrix Auditor features:
- Netwrix Auditor Add-On for Cisco Network Devices
- Netwrix Auditor Add-On for Linux Systems
- Netwrix Auditor Add-On for Privileged User Monitoring on Linux and Unix Systems
- Netwrix Auditor Add-On for RADIUS Server
- Data-in API, which enables creation of add-ons for integrating Netwrix Auditor with other systems and applications

Report Generation and Audit Reduction
Provide summary reports to support on-demand audit review, analysis and reporting requirements and incident investigations without altering the original audit logs.

How to implement: Aggregate audit records from multiple information systems.
Netwrix Auditor features:
- Enterprise Overview Dashboards, Overview Diagrams, Organization Level reports, predefined change and activity reports
- Activity Summary email notifications

How to implement: Generate custom reports on events of interest across all monitored systems.
Netwrix Auditor features:
- Reports based on Interactive Search results

Protection of Audit Information
Protect audit information and audit tools from unauthorized access, modification and deletion.

How to implement: Protect audit information by storing it in a physically separate repository.
Netwrix Auditor features:
- AuditArchive™, a two-tiered storage that provides a SQL Server audit database for operational reporting and a separate file-based archive for long-term storage of audit data

How to implement: Restrict access to audit records and tools by assigning security personnel to operational roles using the least privilege principle.
Netwrix Auditor features:
- Role delegation for audit configuration and review, both at the global level and at the individual monitoring plan level

How to implement: Monitor changes to your audit configuration settings to spot modifications that could reduce the level of auditing, whether intentional or accidental.
Netwrix Auditor features:
- Group Policy Changes reports: Audit Policy Changes
- Windows Server Changes reports: Audit Log Clearing; Local Audit Policy Changes
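
The Role and Group Assignment process (privileged group membership drift) and the audit configuration checks just above both reduce to the same two activities: comparing current state against an approved baseline, and triaging a handful of Security log event IDs. The PowerShell below is an added example, not Netwrix Auditor code and not part of the original document; it serves both passages. It runs offline on constructed data; the group names, baseline members, sample events and the Compare-GroupBaseline and Get-HighRiskEvents function names are assumptions for this example, and the comments show the live sources.

```powershell
# Added example (not Netwrix Auditor code) covering two of the processes above:
# (1) privileged group membership drift against an approved baseline, and
# (2) triage of Security log events that indicate tampering with the audit trail.
# Live sources:
#   Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
#   Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=1102,4719,4728,4732,4756 }
# Group names, baseline members and the sample events are constructed for this example.

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

function Compare-GroupBaseline {
    param([hashtable]$Baseline, [hashtable]$Current)   # group name -> member SamAccountNames
    foreach ($group in $Baseline.Keys) {
        $expected = @($Baseline[$group]); $actual = @($Current[$group])
        foreach ($m in $actual)   { if ($m -notin $expected) { [pscustomobject]@{ Group = $group; Member = $m; Change = 'present but not in baseline' } } }
        foreach ($m in $expected) { if ($m -notin $actual)   { [pscustomobject]@{ Group = $group; Member = $m; Change = 'in baseline but missing' } } }
    }
}

# Event IDs: 4728/4732/4756 = member added to a security-enabled global/local/universal group,
# 4719 = system audit policy changed, 1102 = Security log cleared.
# 4719 reports its changes as message-table codes; verify these against your own events.
$AuditPolicyChangeCodes = @{ '%%8448' = 'Success removed'; '%%8449' = 'Success added'; '%%8450' = 'Failure removed'; '%%8451' = 'Failure added' }

function Get-HighRiskEvents {
    param([array]$Events)
    foreach ($e in $Events) {
        $d = $e.Data
        switch ($e.Id) {
            { $_ -in @(4728, 4732, 4756) } {
                if ($d.TargetUserName -in $PrivilegedGroups) {
                    [pscustomobject]@{ Time = $e.Time; Severity = 'High'; Id = $e.Id; Actor = $d.SubjectUserName; Detail = "added $($d.MemberName) to $($d.TargetUserName)" }
                }
            }
            4719 {
                $changes = ($d.AuditPolicyChanges -split ',\s*' | ForEach-Object { if ($AuditPolicyChangeCodes.ContainsKey($_)) { $AuditPolicyChangeCodes[$_] } else { $_ } }) -join ', '
                $sev = if ($changes -match 'removed') { 'High' } else { 'Medium' }   # auditing being switched off is the dangerous direction
                [pscustomobject]@{ Time = $e.Time; Severity = $sev; Id = 4719; Actor = $d.SubjectUserName; Detail = "audit policy '$($d.Subcategory)': $changes" }
            }
            1102 {
                [pscustomobject]@{ Time = $e.Time; Severity = 'Critical'; Id = 1102; Actor = $d.SubjectUserName; Detail = 'Security log cleared' }
            }
        }
    }
}

# Constructed sample data (not from any real domain)
$baseline = @{ 'Domain Admins' = 'admin.jdoe', 'admin.asmith'; 'Schema Admins' = @() }
$current  = @{ 'Domain Admins' = 'admin.jdoe', 'admin.asmith', 'contractor7'; 'Schema Admins' = 'svc_deploy' }

function New-SecEvent($Time, $Id, [hashtable]$Data) { [pscustomobject]@{ Time = [datetime]$Time; Id = $Id; Data = $Data } }
$events = @(
    New-SecEvent '2024-03-04 02:10:00' 4728 @{ SubjectUserName = 'svc_deploy'; MemberName = 'CN=contractor7,OU=Users,DC=corp,DC=example'; TargetUserName = 'Domain Admins' }
    New-SecEvent '2024-03-04 02:11:00' 4719 @{ SubjectUserName = 'svc_deploy'; Subcategory = 'Security Group Management'; AuditPolicyChanges = '%%8448, %%8450' }
    New-SecEvent '2024-03-04 02:12:00' 1102 @{ SubjectUserName = 'svc_deploy' }
    New-SecEvent '2024-03-04 09:00:00' 4732 @{ SubjectUserName = 'helpdesk1'; MemberName = 'CN=jdoe,OU=Users,DC=corp,DC=example'; TargetUserName = 'Remote Desktop Users' }
)

Compare-GroupBaseline -Baseline $baseline -Current $current | Format-Table -AutoSize
Get-HighRiskEvents -Events $events | Format-Table -AutoSize
```

The sample tells a single story: an account adds itself a helper to Domain Admins, turns off success and failure auditing for group management, then clears the Security log. The baseline comparison catches the membership change even if the events were lost, which is the reason to run both checks rather than rely on the event stream alone; the helpdesk addition to Remote Desktop Users is not a privileged group and produces no finding. A real 4719 carries the subcategory as a GUID rather than a name, so the Subcategory field above is a constructed simplification.
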

Session Audit
Capture user activity for audit purposes.

How to implement: Record user activity in mission-critical systems.
Netwrix Auditor features:
- Windows Server User Activity reports: User activity video recording (available even for systems and applications that do not produce logs)

Response to Audit Processing Failures
Monitor for audit processing failures and take corrective action to restore normal audit capture.

How to implement: Monitor the status of audit data collection across managed systems and audit storage capacity on a regular basis.
Netwrix Auditor features:
- Health Status dashboard
- Health Summary report

How to implement: Alert designated personnel about audit failures.
Netwrix Auditor features:
- Event Log Manager: System health alerts

Configuration Management
Configuration management ensures that the configuration of information systems complies with internal policies and external regulations, and that all changes are proper and authorized.

Baseline Configuration
Establish and maintain baseline configurations and inventories of organizational information systems.

How to implement: Review the configuration of your Windows servers and identify deviations from the established baseline.
Netwrix Auditor features:
- Windows Server State-in-Time reports: Windows Server Inventory; Windows Server Configuration Details; Members of Local Administrators Group

Configuration Change Control
Audit changes to the configuration of your information systems.

How to implement: Review changes to the server and network infrastructure to ensure that only authorized changes are being implemented, in accordance with your change management procedures.
Netwrix Auditor features:
  Windows Server Changes reports
    - Windows Server Changes
  Active Directory – Group Policy Changes
  VMware reports
    - All VMware change
  SharePoint reports
    - SharePoint Configuration Changes
  Exchange reports
    - Database Changes
    - New Exchange Servers
  Interactive Search
    - Source = Windows Server
    - Source = Policy
    - Source = Netwrix API

How to implement: Identify inappropriate or unapproved changes (e.g., installation of non-approved software).
Netwrix Auditor features:
  Windows Server Changes reports
    - Windows Server Changes with Review Status

How to implement: Alert designated security personnel to critical change events to enable timely response.
Netwrix Auditor features:
  Custom alerts on specific configuration changes

Access Restrictions for Changes
Establish and enforce logical access restrictions associated with changes to the information system.

How to implement: Ensure that information system configuration is limited to authorized users by reviewing privileged security groups and monitoring changes to their membership.
Netwrix Auditor features:
  Windows Server State-in-Time reports
    - Members of Local Administrator Group
    - Local Users and Groups
  Windows Server Changes reports
    - Local Users and Groups Changes
  Predefined alerts
    - User Added to Windows Server Administrative Group

User-Installed Software
Control and monitor user-installed software.

How to implement: Exercise security control over programs and applications on your critical Windows servers by maintaining an inventory of resident software and ensuring that only permitted software is installed.
Netwrix Auditor features:
  Windows Server State-in-Time reports
    - Windows Server Configuration Details
    - Installed Software
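The three controls above (Baseline Configuration, Access Restrictions for Changes and User-Installed Software) share one mechanism: a saved snapshot of what a server should look like, and a periodic comparison against what it actually looks like. The PowerShell below is an added example of that mechanism, not Netwrix code or a Netwrix Auditor feature. It assumes Windows 10 or Windows Server 2016 or later (for Get-LocalGroupMember) and local administrator rights; the baseline path is a placeholder. It records local Administrators membership and installed software, and on later runs reports every entry that was added or removed since the baseline.

```powershell
# Added example, not Netwrix code: snapshot a Windows server's local Administrators
# membership and installed software, and report deviations from a saved baseline.
# Assumes Windows 10 / Server 2016+ and admin rights; the baseline path is a placeholder.
param(
    [string]$BaselinePath = 'C:\SecBaseline\server-baseline.json',  # placeholder path
    [switch]$UpdateBaseline                                          # re-approve the current state
)

function Get-ServerSnapshot {
    # Members of the local Administrators group as DOMAIN\name strings
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name } | Sort-Object -Unique

    # Installed software from the 64-bit and 32-bit uninstall hives
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $software = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { '{0} {1}' -f $_.DisplayName, $_.DisplayVersion } |
        Sort-Object -Unique

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Taken    = (Get-Date).ToString('o')
        Admins   = @($admins)
        Software = @($software)
    }
}

function Compare-Snapshot($Baseline, $Current, $Property) {
    # Added and removed entries of one list-valued snapshot property.
    # @() keeps single-element lists as arrays after the JSON round trip.
    $diff = Compare-Object -ReferenceObject @($Baseline.$Property) `
                           -DifferenceObject @($Current.$Property)
    foreach ($d in $diff) {
        $change = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        [pscustomobject]@{ Property = $Property; Change = $change; Value = $d.InputObject }
    }
}

$current = Get-ServerSnapshot

if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline saved to $BaselinePath"
    return
}

$baseline = Get-Content -Raw $BaselinePath | ConvertFrom-Json
$findings = @(Compare-Snapshot $baseline $current 'Admins') +
            @(Compare-Snapshot $baseline $current 'Software')

if ($findings.Count -eq 0) {
    Write-Host "No deviation from baseline taken $($baseline.Taken)"
} else {
    # Each ADDED admin or unexpected package is a change-control question to answer.
    $findings | Format-Table -AutoSize
    exit 1
}
```

The non-zero exit code lets a scheduler or configuration-management job treat drift as a failure; after an approved change, run the script with -UpdateBaseline so the new state becomes the reference.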

Incident Response
Incident response controls prescribe careful planning of response measures to security incidents on the organizational
level, along with proper training of personnel and regular testing of the plan. The plan should cover incident detection,
analysis, containment and recovery. Netwrix Auditor capabilities relating to incident response revolve around the detection
(including automated response triggering through the ServiceNow integration) and analysis aspects of security incident
handling.

Incident Detection
Detect security incidents in a timely manner.

How to implement: Regularly review user activity (system logons, resource access, configuration changes) across information systems to spot abnormal behavior that could lead to a security breach.
Netwrix Auditor features:
  Behavior Anomalies Discovery
    - Top users with behavior anomalies
    - Detailed trail of user anomalous behavior
  User Behavior and Blind Spot Analysis reports
    - Temporary User Accounts
    - Recently Enabled Accounts
    - Access to Archive Data
    - Data Access Surges
    - Activity Outside Business Hours
    - Failed Activity Trend
    - Logons by Multiple Users from Single Endpoint
  Data Discovery and Classification reports
    - Activity Related to Sensitive Files and Folders

How to implement: Configure alerts to automatically notify designated security staff of a potential incident, based on either a triggering event or a defined threshold.
Netwrix Auditor features:
  Predefined alerts
    - User Account Locked Out
    - User Added to AD Administrative Group
    - User Added to Windows Server Administrative Group
    - Unrestricted Access to the File Share
  Custom alerts based on either a triggering event or a defined threshold

Incident Analysis
Investigate anomalous activity and events that are detected.

How to implement: Perform forensic analysis of each potential security incident to understand its full scope and impact on information systems and protected data, and determine appropriate response measures, including reporting of the incident within the organization and to authorities and affected parties.
Netwrix Auditor features:
  Interactive Search
    - Who and Where filters
  Windows Server User Activity reports
    - Replay of user activity video recordings
  Behavior Anomalies Discovery
    - Detailed trail of user anomalous behavior
  Data Discovery and Classification reports
    - Activity Related to Sensitive Files and Folders

How to implement: Adjust alert settings or create new alerts based on findings from the security incident analysis.
Netwrix Auditor features:
  Custom alerts based on Interactive Search

Incident Mitigation
Respond quickly to a security incident to mitigate its effects.

How to implement: Automate the triggering of incident response procedures upon detection of suspicious activity to ensure timely response and remediation.
Netwrix Auditor features:
  Netwrix Auditor Add-On for ServiceNow Incident Management

How to implement: Quickly revert unauthorized changes to accounts and configuration.
Netwrix Auditor features:
  Predefined change reports
    - Before and after details
  Object Restore for Active Directory tool

Risk Assessment
Every organization needs to conduct information system risk assessments to understand the likelihood and magnitude of
harm from various threats so they can prioritize them and mitigate risk to an acceptable level. Netwrix Auditor reports on
configuration risk factors common in Microsoft-centric IT infrastructures and estimates their impact in your environment.

Risk Assessment
Regularly assess risks to your information systems and act on the findings.

How to implement: Examine the configuration of your information systems against common security best practices and identify risks that may require mitigation in the following areas:
  - Account management
  - Data governance
  - Security permissions
Netwrix Auditor features:
  IT Risk Assessment reports
    - IT Risk Assessment: Users and Computers
    - IT Risk Assessment: Data
    - IT Risk Assessment: Permissions

How to implement: Review the results of data discovery and classification to assess the risks posed by sensitive data not being stored and processed according to the established data security policy.
Netwrix Auditor features:
  Data Discovery and Classification reports
    - Overexposed Files and Folders
    - Most Accessible Sensitive Files and Folders
    - Sensitive Files Count by Source
    - File and Folder Categories by Object

Security Categorization
Conduct the security categorization process for the data hosted by the organization.

How to implement: Perform automated discovery of relevant types of sensitive and regulated data in unstructured data repositories (file shares) in order to prioritize data protection measures.
Netwrix Auditor features:
  DDC Collector Console, which enables you to adjust predefined data categorization rules or define new rules

System and Information Integrity
System and information integrity measures aim to protect information systems and the data they store and process from
being compromised by outside attackers and malicious insiders. Netwrix Auditor reports and alerts on user behavior
indicative of an attack or unauthorized use of information systems.

Information System Monitoring
Monitor your information systems for indicators of potential attacks and unauthorized activity.

How to implement: Spot and investigate anomalies in user behavior in time to block external attackers who have compromised valid user accounts, as well as trusted insiders who have gone rogue.
Netwrix Auditor features:
  Behavior Anomalies Discovery
    - List of users with the most behavior anomalies
    - Detailed trail of each user's anomalous actions

How to implement: Configure alerts to automatically notify designated security staff of a potential attack or unauthorized activity.
Netwrix Auditor features:
  Predefined alerts
    - User Account Locked Out
    - User Added to AD Administrative Group
    - User Added to Windows Server Administrative Group
    - Unrestricted Access to the File Share
  Custom alerts based on either a triggering event or a defined threshold
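Both the Incident Detection control (with its Activity Outside Business Hours and Logons by Multiple Users from Single Endpoint reports) and the Information System Monitoring control above come down to the same kind of logic: take a stream of logon records and flag the ones that break an expected pattern. The PowerShell below is an added example of that logic, not Netwrix code or a Netwrix Auditor feature. The sample records are constructed; the Get-LogonRecord helper shows how the same functions would be fed from real Security 4624 events on a host (assumes rights to read the Security log). The business window and the per-endpoint user threshold are assumptions you would tune to your environment.

```powershell
# Added example, not Netwrix code: two logon-pattern detections over a simple record
# stream. Sample records are constructed; Get-LogonRecord pulls real 4624 events.

function Get-LogonRecord {
    # Interactive (2) and remote-interactive (10) logons from the local Security log.
    # Property indexes follow the 4624 event template: 5 = TargetUserName,
    # 8 = LogonType, 11 = WorkstationName, 18 = IpAddress.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -in 2, 10 } |
        ForEach-Object {
            $ws = $_.Properties[11].Value
            $ep = if ($ws) { $ws } else { $_.Properties[18].Value }
            [pscustomobject]@{ Time = $_.TimeCreated; User = $_.Properties[5].Value; Endpoint = $ep }
        }
}

function Find-OffHoursActivity {
    # Logons outside the business window (assumed 08:00-18:00) or on weekends.
    param([object[]]$Records, [int]$StartHour = 8, [int]$EndHour = 18)
    $Records | Where-Object {
        $t = [datetime]$_.Time
        ($t.DayOfWeek -in 'Saturday', 'Sunday') -or ($t.Hour -lt $StartHour) -or ($t.Hour -ge $EndHour)
    }
}

function Find-SharedEndpointLogons {
    # Endpoints from which more than $Threshold distinct accounts logged on; a single
    # workstation normally maps to one or two people, so more points to shared or
    # stolen credentials, or a jump host that deserves its own baseline.
    param([object[]]$Records, [int]$Threshold = 2)
    $Records | Group-Object Endpoint | ForEach-Object {
        $users = @($_.Group.User | Sort-Object -Unique)
        if ($users.Count -gt $Threshold) {
            [pscustomobject]@{ Endpoint = $_.Name; UserCount = $users.Count; Users = ($users -join ', ') }
        }
    }
}

# Constructed sample records (2023-05-13 is a Saturday, 2023-05-15 a Monday).
$sample = @(
    @{ Time = '2023-05-15T09:12:00'; User = 'jdoe';   Endpoint = 'WS-101' },
    @{ Time = '2023-05-15T23:40:00'; User = 'jdoe';   Endpoint = 'WS-101' },   # off hours
    @{ Time = '2023-05-13T10:05:00'; User = 'svc_bk'; Endpoint = 'SRV-FS01' }, # weekend
    @{ Time = '2023-05-15T11:00:00'; User = 'asmith'; Endpoint = 'WS-220' },
    @{ Time = '2023-05-15T11:20:00'; User = 'bjones'; Endpoint = 'WS-220' },
    @{ Time = '2023-05-15T11:45:00'; User = 'cwhite'; Endpoint = 'WS-220' }    # third user on WS-220
) | ForEach-Object { [pscustomobject]$_ }

Write-Host '== Activity outside business hours =='
Find-OffHoursActivity -Records $sample | Format-Table -AutoSize

Write-Host '== Logons by multiple users from a single endpoint =='
Find-SharedEndpointLogons -Records $sample | Format-Table -AutoSize

# Against live data on a host:  $live = Get-LogonRecord; Find-OffHoursActivity -Records $live
```

On the constructed sample the first detection returns the 23:40 logon and the Saturday service-account logon, and the second returns WS-220 with three users. Either list is the raw material for the alerting step in the table above: a threshold alert on the endpoint count, or an event alert on any off-hours logon to a named system.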

Information Management and Retention
Manage and retain sensitive personal information in accordance with applicable laws, regulations and operational
requirements.

How to implement: Ensure that personally identifiable and other sensitive information in the organizational data repositories is appropriately secured, including protection against unauthorized disclosure or accidental loss.
Netwrix Auditor features:
  Data Discovery and Classification reports
    - Overexposed Files and Folders
    - Most Accessible Sensitive Files and Folders
    - Sensitive File and Folder Permissions Details

How to implement: Monitor for personally identifiable and other sensitive information in the organizational data repositories that has exceeded its legitimate retention time.
Netwrix Auditor features:
  Data Discovery and Classification reports
    - Sensitive Files Count by Source
    - File and Folder Categories by Object

How to implement: Establish processes and procedures to support customers wishing to exercise their data subject rights:
  - Right of access
  - Right to rectification
  - Right to erasure (right to be forgotten)
  - Right to portability
Netwrix Auditor features:
  DDC Collector Console, which enables you to locate personal data instances

Data Sanitization
Perform data sanitization on sensitive information outside of authorized storage boundaries.

How to implement: Monitor file and document repositories for sensitive information in order to apply appropriate de-identification, redaction or similar measures to mitigate the risk of unauthorized data access.
Netwrix Auditor features:
  Data Discovery and Classification reports
    - Sensitive Files Count by Source
    - File and Folder Categories by Object

About Netwrix
Netwrix Corporation is a software company focused exclusively on providing IT security and operations teams with
pervasive visibility into user behavior, system configurations and data sensitivity across hybrid IT infrastructures to protect
data regardless of its location. Over 9,000 organizations worldwide rely on Netwrix to detect and proactively mitigate data
security threats, pass compliance audits with less effort and expense, and increase the productivity of their IT teams.

Founded in 2006, Netwrix has earned more than 140 industry awards and been named to both the Inc. 5000 and Deloitte
Technology Fast 500 lists of the fastest growing companies in the U.S.

Netwrix Auditor is a visibility platform for user behavior analysis and risk mitigation that enables control over changes,
configurations and access in hybrid IT environments to protect data regardless of its location. The platform provides security
intelligence to identify security holes, detect anomalies in user behavior and investigate threat patterns in time to prevent
real damage.

Netwrix Auditor includes applications for Active Directory, Azure AD, Exchange, Office 365, Windows file servers, EMC
storage devices, NetApp filer appliances, SharePoint, Oracle Database, SQL Server, VMware and Windows Server.
Empowered with a RESTful API and user activity video recording, the platform delivers visibility and control across all of your
on-premises or cloud-based IT systems in a unified way.

For more information, visit www.netwrix.com

If you want to evaluate Netwrix Auditor in your environment, choose one of the deployment options below. To see Netwrix
Auditor in action without having to download and install it, visit netwrix.com/testdrive.

On-Premises Deployment: download a free 20-day trial (netwrix.com/go/freetrial)
Virtual Appliance: download our virtual machine image (netwrix.com/go/appliance)
Cloud Deployment: deploy Netwrix Auditor in the cloud (netwrix.com/go/cloud)

Corporate Headquarters:
300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
Phone: 1-949-407-5125 Toll-free: 888-638-9749 EMEA: +44 (0) 203-588-3023 netwrix.com/social
