Evidence Catalog

This catalog defines acceptable evidence types for demonstrating compliance with Nexus SecOps benchmark controls. Use this catalog when conducting assessments to identify what artifacts can satisfy each evidence category.


Evidence Categories

| Category | Code | Description |
|---|---|---|
| Configuration | CFG | Screenshots, exports, or documentation of tool/system configuration |
| Policy Document | POL | Approved written policies, standards, or procedures |
| Log Extract | LOG | Exported log samples demonstrating capability |
| Dashboard Screenshot | DASH | Screenshot of a live or recorded operational dashboard |
| Test Result | TEST | Output from a test, exercise, or validation run |
| Interview Record | INT | Notes from a structured interview with control owner |
| Architecture Diagram | ARCH | Technical diagram showing system relationships |
| Report | RPT | Periodic operational or management report |
| Runbook / Playbook | RUN | Documented procedure or automated playbook |
| Ticket / Work Record | TKT | Incident ticket, change request, or work item |
| Training Record | TRN | Course completion records, certifications, attendance logs |
| Contract / Agreement | AGR | SLA, NDA, vendor agreement, or data processing agreement |

Evidence by Control Domain

TEL — Telemetry and Log Ingestion

| Control | Required Evidence | Acceptable Types |
|---|---|---|
| Nexus SecOps-001 | Log source inventory listing all defined sources | CFG, POL |
| Nexus SecOps-002 | SIEM/platform receipt confirmation with timestamps | LOG, DASH |
| Nexus SecOps-003 | TLS configuration export showing encryption in transit | CFG, TEST |
| Nexus SecOps-004 | Retention policy document + storage configuration | POL, CFG |
| Nexus SecOps-005 | Log integrity mechanism documentation (hashing/WORM) | CFG, POL |
| Nexus SecOps-006 | Agent deployment dashboard with coverage percentage | DASH, CFG |
| Nexus SecOps-007 | Log health monitoring alert configuration and sample alert | CFG, LOG |
| Nexus SecOps-008 | Cloud API connector configuration and ingestion sample | CFG, LOG |
| Nexus SecOps-009 | OT/ICS data diode or monitoring architecture diagram | ARCH, CFG |
| Nexus SecOps-010 | Endpoint log collection policy and deployment evidence | POL, CFG |
| Nexus SecOps-011 | Identity provider (IdP) log ingestion configuration | CFG, LOG |
| Nexus SecOps-012 | Email gateway log forwarding configuration | CFG, LOG |
| Nexus SecOps-013 | DNS logging configuration and sample query logs | CFG, LOG |
| Nexus SecOps-014 | Log source review process documentation + meeting notes | POL, TKT |
| Nexus SecOps-015 | Centralized collection architecture documentation | ARCH, CFG |

DQN — Data Quality and Normalization

| Control | Required Evidence | Acceptable Types |
|---|---|---|
| Nexus SecOps-016 | Field normalization mapping document | CFG, POL |
| Nexus SecOps-017 | Timestamp normalization configuration (UTC enforcement) | CFG, TEST |
| Nexus SecOps-018 | Asset enrichment pipeline configuration + sample output | CFG, LOG |
| Nexus SecOps-019 | IP enrichment configuration (geo, ASN, reputation) | CFG, LOG |
| Nexus SecOps-020 | User identity resolution configuration | CFG, ARCH |
| Nexus SecOps-021 | Data quality monitoring dashboard | DASH, LOG |
| Nexus SecOps-022 | Schema documentation for primary log types | CFG, POL |
| Nexus SecOps-023 | Duplicate detection configuration + test results | CFG, TEST |
| Nexus SecOps-024 | Log volume anomaly alert configuration | CFG, LOG |
| Nexus SecOps-025 | Parsing error rate dashboard | DASH, LOG |
| Nexus SecOps-026 | Threat intelligence enrichment pipeline documentation | ARCH, CFG |
| Nexus SecOps-027 | Data governance policy for security data | POL |
| Nexus SecOps-028 | Log source SLA monitoring report | RPT, DASH |
| Nexus SecOps-029 | Retention and purge automation configuration | CFG, TEST |
| Nexus SecOps-030 | Data classification taxonomy applied to log fields | POL, CFG |

DET — Detection Engineering

| Control | Required Evidence | Acceptable Types |
|---|---|---|
| Nexus SecOps-031 | MITRE ATT&CK coverage map/heatmap | DASH, RPT |
| Nexus SecOps-032 | Detection rule repository with version history | CFG, TKT |
| Nexus SecOps-033 | Detection change control process documentation | POL, TKT |
| Nexus SecOps-034 | Detection rule testing evidence (TP/TN test results) | TEST |
| Nexus SecOps-035 | False positive rate dashboard per rule | DASH, LOG |
| Nexus SecOps-036 | Detection review cadence schedule + meeting records | POL, TKT |
| Nexus SecOps-037 | MTTD measurement methodology and trend report | RPT, DASH |
| Nexus SecOps-038 | Sigma or SIEM-native rule export showing ATT&CK mapping | CFG |
| Nexus SecOps-039 | CI/CD pipeline for detection deployment | CFG, ARCH |
| Nexus SecOps-040 | Purple team exercise results with detection validation | RPT, TEST |
| Nexus SecOps-041 | Threat intelligence to detection workflow documentation | POL, ARCH |
| Nexus SecOps-042 | Detection rule retirement/archive process | POL, TKT |
| Nexus SecOps-043 | Detection coverage gaps analysis report | RPT |
| Nexus SecOps-044 | Behavioral analytics rule configuration | CFG |
| Nexus SecOps-045 | Detection rule documentation standard (template) | POL |
| Nexus SecOps-046 | Correlation rule logic for multi-event scenarios | CFG, LOG |
| Nexus SecOps-047 | Cloud-specific detection rules evidence | CFG |
| Nexus SecOps-048 | Identity-based detection rule coverage | CFG |
| Nexus SecOps-049 | Insider threat detection rule documentation | CFG, POL |
| Nexus SecOps-050 | AI/ML-based detection model documentation | CFG, RPT |

TRI — Triage and Investigation

| Control | Required Evidence | Acceptable Types |
|---|---|---|
| Nexus SecOps-051 | Alert priority matrix documentation | POL |
| Nexus SecOps-052 | SLA policy for alert response by severity | POL |
| Nexus SecOps-053 | Triage procedure/runbook | RUN |
| Nexus SecOps-054 | MTTI measurement and reporting | DASH, RPT |
| Nexus SecOps-055 | Enrichment automation configuration | CFG, ARCH |
| Nexus SecOps-056 | Escalation criteria and escalation matrix | POL, RUN |
| Nexus SecOps-057 | Alert queue dashboard with SLA compliance | DASH |
| Nexus SecOps-058 | Investigation documentation standard | POL, TKT |
| Nexus SecOps-059 | False positive feedback process | POL, TKT |
| Nexus SecOps-060 | External lookup tool integration (VirusTotal, etc.) | CFG |
| Nexus SecOps-061 | Analyst training curriculum and completion records | TRN |
| Nexus SecOps-062 | Triage quality review process | POL, RPT |
| Nexus SecOps-063 | Alert aging monitoring configuration | DASH, CFG |
| Nexus SecOps-064 | Cross-alert correlation capability evidence | CFG, LOG |
| Nexus SecOps-065 | Investigation pivot capability documentation | CFG, ARCH |

INC — Incident Response

| Control | Required Evidence | Acceptable Types |
|---|---|---|
| Nexus SecOps-066 | Incident response plan document | POL |
| Nexus SecOps-067 | Incident classification taxonomy | POL |
| Nexus SecOps-068 | Incident commander role definition | POL |
| Nexus SecOps-069 | Incident communication plan | POL |
| Nexus SecOps-070 | Containment playbooks by incident type | RUN |
| Nexus SecOps-071 | Evidence preservation procedure | POL, RUN |
| Nexus SecOps-072 | Post-incident review (PIR) records (last 3) | TKT, RPT |
| Nexus SecOps-073 | Regulatory notification process and timeline | POL |
| Nexus SecOps-074 | Incident ticketing system with severity tracking | CFG, TKT |
| Nexus SecOps-075 | MTTR measurement report | RPT, DASH |
| Nexus SecOps-076 | IR retainer agreement with external firm | AGR |
| Nexus SecOps-077 | Tabletop exercise records (last 12 months) | RPT, TKT |
| Nexus SecOps-078 | Incident metrics report (last quarter) | RPT |
| Nexus SecOps-079 | Crisis communication escalation matrix | POL |
| Nexus SecOps-080 | Recovery procedure documentation | RUN |

CTI — Cyber Threat Intelligence

| Control | Required Evidence | Acceptable Types |
|---|---|---|
| Nexus SecOps-081 | Threat intelligence platform configuration | CFG |
| Nexus SecOps-082 | Intelligence feed list with sources and update frequency | CFG, POL |
| Nexus SecOps-083 | IOC ingestion pipeline and SIEM integration | ARCH, CFG |
| Nexus SecOps-084 | Intelligence report sample (last 30 days) | RPT |
| Nexus SecOps-085 | Intelligence-to-detection workflow evidence | TKT, RPT |
| Nexus SecOps-086 | STIX/TAXII integration documentation | CFG, ARCH |
| Nexus SecOps-087 | Intelligence scoring/prioritization methodology | POL |
| Nexus SecOps-088 | Information sharing participation records (ISAC, etc.) | AGR, RPT |
| Nexus SecOps-089 | Threat actor profile library | RPT |
| Nexus SecOps-090 | Intelligence TTL/freshness policy | POL |
| Nexus SecOps-091 | Strategic intelligence report (quarterly) | RPT |
| Nexus SecOps-092 | Intelligence consumer feedback process | POL, TKT |
| Nexus SecOps-093 | Collection plan documentation | POL |
| Nexus SecOps-094 | Intelligence team training records | TRN |
| Nexus SecOps-095 | IOC false positive tracking | LOG, TKT |

AUT — Automation and SOAR

| Control | Required Evidence | Acceptable Types |
|---|---|---|
| Nexus SecOps-096 | SOAR platform architecture documentation | ARCH |
| Nexus SecOps-097 | Playbook inventory with action catalog | CFG, POL |
| Nexus SecOps-098 | Playbook change control records | TKT |
| Nexus SecOps-099 | Human-in-the-loop gate configuration | CFG, ARCH |
| Nexus SecOps-100 | Playbook test results (last review cycle) | TEST |
| Nexus SecOps-101 | Automation rate metrics report | RPT, DASH |
| Nexus SecOps-102 | Playbook audit log sample | LOG |
| Nexus SecOps-103 | Rollback procedure for failed automation | POL, RUN |
| Nexus SecOps-104 | API security controls for SOAR integrations | CFG |
| Nexus SecOps-105 | Automated enrichment playbook documentation | RUN, CFG |
| Nexus SecOps-106 | Auto-containment playbook with approval gates | RUN, CFG |
| Nexus SecOps-107 | Case management integration documentation | CFG, ARCH |
| Nexus SecOps-108 | SLA breach automation alerts | CFG, LOG |
| Nexus SecOps-109 | Playbook documentation standard | POL |
| Nexus SecOps-110 | Automation failure alerting configuration | CFG |

Evidence Quality Standards

Acceptable Evidence Requirements

Evidence submitted for assessment MUST meet these quality standards:

  1. Dated: Evidence must be dated within 12 months of assessment unless otherwise specified
  2. Authentic: Evidence must be actual operational artifacts, not created specifically for assessment
  3. Attributed: Evidence must identify the system, team, or owner responsible
  4. Sufficient: Evidence must adequately demonstrate the control capability, not just its existence
  5. Available for validation: Assessors must be able to verify the evidence is genuine

Evidence Sufficiency Levels

| Score | Evidence Requirement |
|---|---|
| 0 — Not Implemented | No evidence required; record gap |
| 1 — Initial | Informal evidence acceptable (verbal confirmation, draft document) |
| 2 — Developing | Documented policy or procedure required |
| 3 — Defined | Documented process + operational evidence (logs, dashboards) |
| 4 — Managed | Metrics demonstrating performance + process documentation |
| 5 — Optimizing | Continuous improvement evidence + measured outcomes |

Evidence Not Acceptable

The following do NOT constitute acceptable evidence:

  • Vendor marketing materials claiming a product provides a capability
  • Evidence older than 24 months (except historical records)
  • Unverified screenshots without context
  • Plans or intentions to implement a control (score as 0 or 1)
  • Evidence from test/development environments unless explicitly noted

Chain of Custody for Digital Evidence

When evidence involves actual security incident artifacts, apply chain of custody procedures per Nexus SecOps-071:

1. Identify evidence: Document what was collected, from where, when
2. Preserve: Create forensic copies; do not alter originals
3. Document: Hash values, collection timestamps, collector identity
4. Secure: Access-controlled storage; encryption at rest
5. Track: Log all access to evidence
6. Maintain: Preserve until legal retention period expires
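The six steps above, carried through in code as an added example (this is not part of the catalog and not a Nexus SecOps tool): a small Python helper that preserves an evidence file as a forensic copy, verifies the copy's SHA-256 against the original, writes a manifest entry with UTC collection timestamp and collector identity, restricts filesystem permissions on the vault, appends an access record each time the evidence is opened, and stamps a retention date. The vault layout, the `manifest.json` format, the `EV-` evidence-id scheme and the default retention of 2555 days are this example's own assumptions; encryption at rest is assumed to be provided by the storage volume rather than implemented here.

```python
"""Chain-of-custody helper for digital evidence (added example, not catalog tooling).

Steps from the catalog: 1 identify, 2 preserve, 3 document, 4 secure, 5 track, 6 maintain.
The manifest layout, id scheme and default retention period are assumptions of this example.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def load_manifest(vault: Path) -> list:
    manifest = vault / "manifest.json"
    return json.loads(manifest.read_text()) if manifest.exists() else []


def _save_manifest(vault: Path, entries: list) -> None:
    (vault / "manifest.json").write_text(json.dumps(entries, indent=2))


def preserve_evidence(original: Path, vault: Path, collector: str, source: str,
                      retention_days: int = 2555) -> dict:
    """Steps 1-4 and 6: copy into the vault, hash original and copy, verify, record the entry."""
    vault.mkdir(parents=True, exist_ok=True)
    os.chmod(vault, stat.S_IRWXU)            # step 4: owner-only access to the vault directory
    copy = vault / original.name
    shutil.copy2(original, copy)             # step 2: copy2 keeps mtime; the original is never written
    os.chmod(copy, stat.S_IRUSR)             # forensic copy is read-only from here on
    original_hash = sha256_file(original)
    if sha256_file(copy) != original_hash:   # the copy must be bit-identical before it counts as evidence
        raise RuntimeError("forensic copy does not match original; stop and re-acquire")
    entry = {
        "evidence_id": f"EV-{original_hash[:12]}",   # assumed id scheme
        "description": original.name,                 # step 1: what
        "source": source,                             # step 1: from where
        "collected_at": _utc_now(),                   # step 1/3: when (UTC)
        "collector": collector,                       # step 3: who
        "sha256": original_hash,                      # step 3: hash
        "stored_at": str(copy),
        "retain_until": (datetime.now(timezone.utc)
                         + timedelta(days=retention_days)).date().isoformat(),  # step 6 (assumed default)
        "access_log": [],                             # step 5 records accumulate here
    }
    entries = load_manifest(vault)
    entries.append(entry)
    _save_manifest(vault, entries)
    return entry


def verify_evidence(vault: Path, evidence_id: str) -> bool:
    """Re-hash the stored copy and compare with the manifest; False means the copy changed."""
    for entry in load_manifest(vault):
        if entry["evidence_id"] == evidence_id:
            return sha256_file(Path(entry["stored_at"])) == entry["sha256"]
    raise KeyError(evidence_id)


def record_access(vault: Path, evidence_id: str, who: str, purpose: str) -> dict:
    """Step 5: append an access record, including an integrity check taken at access time."""
    entries = load_manifest(vault)
    for entry in entries:
        if entry["evidence_id"] == evidence_id:
            record = {"at": _utc_now(), "who": who, "purpose": purpose,
                      "integrity_ok": verify_evidence(vault, evidence_id)}
            entry["access_log"].append(record)
            _save_manifest(vault, entries)
            return record
    raise KeyError(evidence_id)


if __name__ == "__main__":
    # Constructed sample: a one-line auth log in a throwaway directory.
    work = Path(tempfile.mkdtemp())
    sample = work / "auth.log"
    sample.write_bytes(b"Jan 01 00:00:01 host sshd[1]: Accepted publickey for svc\n")
    entry = preserve_evidence(sample, work / "vault", collector="analyst-1", source="host")
    record_access(work / "vault", entry["evidence_id"], who="reviewer-2", purpose="PIR")
    print(json.dumps(load_manifest(work / "vault"), indent=2))
```

Run it as a script to see the manifest it produces; in practice the vault would sit on an encrypted, access-controlled volume and the manifest would be exported as the Nexus SecOps-071 artifact alongside the copies.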

See Test Procedures for validation methods for each evidence type.