AC-2(12): Account Monitoring for Atypical Usage

Control Family:

Access Control

CSF v1.1 References:


  • High

Previous Version:

Control Statement

  1. Monitor system accounts for [Assignment: organization-defined atypical usage]; and
  2. Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles].

Supplemental Guidance

Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.