GRC Store

Search / finos-ccc/ccc.monitor.cn / v2026.06-rc3

Release · v2026.06-rc3

FINOS-CCC/CCC.Monitor.CN Control Catalog

FINOS-CCC/CCC.Monitor.CN

Controls for Monitoring technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$grcli unpack --repository finos-ccc/ccc.monitor.cn --tag v2026.06-rc3
Coordinate
oci.grc.store/finos-ccc/ccc.monitor.cn:v2026.06-rc3
Manifest digest
sha256:6ea4d51be3e9854a4704d624e37685575f1a18058956cf23bb1a2e02f65c49fa

Provenance

1 layer
Digest Media type Size
597fb6cae477… application/vnd.gemara.artifact.v1+yaml 8.7 KiB
Bundle config blob 
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.Monitor.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.monitor.cn",
            "tag": "v2026.06-rc3"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "2",
          "GITHUB_RUN_ID": "26768391088",
          "GITHUB_SHA": "24594e28430c12318cacffe7fdda6a3ea272d975",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/management/monitoring/controls.yaml",
            "uri": "file://artifacts/management/monitoring/controls.yaml",
            "digest": {
              "sha256": "597fb6cae477a2b67ee72d051a277774f2c4812a60988d97a074f3490e35b950"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@24594e28430c12318cacffe7fdda6a3ea272d975",
            "digest": {
              "gitCommit": "24594e28430c12318cacffe7fdda6a3ea272d975"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26768391088",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26768391088-2",
          "startedOn": "2026-06-01T16:45:10.593447383Z",
          "finishedOn": "2026-06-01T16:45:10.684827606Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "597fb6cae477a2b67ee72d051a277774f2c4812a60988d97a074f3490e35b950"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.Monitor.CN",
      "role": "artifact"
    }
  ]
}

CCC Monitoring Controls

Controls for Monitoring technologies, as defined by the FINOS Common Cloud Controls project.

ID
CCC.Monitor.CN
Version
v2026.06-rc3
Gemara version
v1.2.0
Author
FINOS Common Cloud Controls

Observability

The Observability group covers entries related to logging, monitoring, metrics, alerting, and event publication. This includes audit trail integrity, enumeration detection, and protection against tampering or unauthorized access to operational telemetry.

  1. CCC.Monitor.CN01 Rate Limiting on External Monitoring

    Objective

    Prevent DoS attacks using External Monitoring tools.

    Assessment requirements

    1. When an External Monitoring system exceeds the anticipated rate of monitoring checks then Rate Limiting MUST be applied and an Audit Alert MUST be generated.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.IR-01
      • DE.CM-01
    • NIST_800_53
      • SC-5
      • SC-7
    Threats
    • CCC.Monitor.Threats
      • CCC.Monitor.TH03

  2. CCC.Monitor.CN02 Rate Limiting on Metric Generation

    Objective

    Prevent Malicious Actor or misconfiguration from flooding services with metric data.

    Assessment requirements

    1. When an Custom or User-Defined Metric starts to flood a collector, then a rate limit MUST be applied to reduce the network impact of traffic and an alert must triggered.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • DE.CM-01
    • NIST_800_53
      • SC-5(2)
      • CA-7
      • SI-4
    Threats
    • CCC.Monitor.Threats
      • CCC.Monitor.TH06

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.Monitor.CN03 Access External Monitoring

    Objective

    Control access to Synthetic monitoring solutions using API keys or Certificate based authentication to ensure they don't become an attack path, preventing monitoring systems from forging network requests to gain access to internal systems.

    Assessment requirements

    1. When external systems have approved access to internal systems not normally available for public access then they MUST be secured to prevent unauthorised access jumping through to the internal systems and only allow access to specific internal services.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • DE.CM-06
      • PR.IR-01
      • PR.AA-05
    • NIST_800_53
      • AC-3
    Threats
    • CCC.Monitor.Threats
      • CCC.Monitor.TH04

  2. CCC.Monitor.CN04 Restrict access to Monitoring Dashboards

    Objective

    Control access to Monitoring Dashboards and reports to ensure they don't highlight an attack path.

    Assessment requirements

    1. When monitoring dashboards display degraded services which may become potential targets then the dashboard MUST be protected from unauthorised access.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • DE.CM-09
      • DE.AE-03
    • NIST_800_53
      • SI-4
      • AC-3
    Threats
    • CCC.Monitor.Threats
      • CCC.Monitor.TH02

  3. CCC.Monitor.CN05 Restrict access to silence or acknowledge an alert

    Objective

    Ensure only a subset of users can silence or acknowledge alerts to prevent attackers hiding their activity.

    Assessment requirements

    1. When monitoring services have generated an alert, the service MUST ensure only authorised responders silence or acknowledge the alert.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.IR-01
      • PR.AA-05
    • NIST_800_53
      • AC-3
    Threats
    • CCC.Core.Threats
      • CCC.Core.TH10

  4. CCC.Monitor.CN06 Metrics pushed for authorised services only

    Objective

    Use IAM to control which types of metrics or traces can be pushed by different system to avoid a compromised system pushing fabricated metrics about a different service

    Assessment requirements

    1. When systems push metrics or traces they MUST be authenticated for that particular type of metric or trace

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • NIST-CSF
      • PR.AA-05
    • NIST_800_53
      • AC-5
    Threats
    • CCC.Monitor.Threats
      • CCC.Monitor.TH05