
Example Evidence for Not Monitored Controls (Essential Eight)


This article is meant to provide examples of evidence for the ‘Not Monitored’ Essential Eight Controls in Drata. For each Control, you’ll find one or more examples of evidence to upload.

NOTE: This document should not be interpreted as legal advice. When supplying evidence for Controls, you should work with your legal and compliance advisors to ensure that documents are appropriate for your organization’s specific facts and circumstances. In addition, we cannot guarantee that the recommendations provided below will meet the specific requirements of your Essential Eight implementation or your auditor’s expectations.

Code

Name

Evidence

DCF-22

Network Diagram

Upload the most recent approved network diagram showing the organization’s network architecture.

Example Evidence

  • Diagram showing all in-scope systems, devices, and network connections, including servers, endpoints, routers, switches, firewalls, cloud environments, critical infrastructure, and any relevant network segmentation or data flows between security zones

DCF-69

Access Provisioning

Upload screenshots or exports showing that password requirements (complexity and minimum length) are enforced according to company policy.

Example Evidence

  • Screenshot from a system or application showing enforced password rules

  • Export from identity or access management tools confirming password settings across in-scope systems (cloud providers, code repositories, identity providers, password vaults, VPN clients, databases storing customer data, etc.)

DCF-72

Root Access Control

Upload screenshots or exports showing that root password authentication to production resources is disabled.

Example Evidence

  • Screenshots of infrastructure-as-code configurations showing password login for root is disabled

  • Screenshots of system settings on production VMs or containers confirming root password login is turned off
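The two facts behind this evidence are that sshd's effective PermitRootLogin value forbids password login and that root's own password is locked. As an added example (not code from this article or from Drata), the POSIX shell script below checks both offline against captured copies of sshd_config and /etc/shadow, so the result can be attached next to the screenshots. File names, sample file contents and function names are this example's own assumptions. On a live host, "sshd -T | grep -i permitrootlogin" is the authoritative check, because it resolves Include and Match directives that this offline parser only approximates.

```shell
#!/bin/sh
# Added example, not from the Drata article. Offline checks for DCF-72 against
# captured copies of sshd_config and /etc/shadow. File names, sample contents and
# function names are this example's own assumptions.

# Print the effective top-level PermitRootLogin value. sshd keeps the FIRST value
# it reads, and values inside a Match block apply only when that block matches,
# so parsing stops at the first "Match" line. Comment lines never match because
# "#PermitRootLogin" is a different token. Both "Key value" and "Key=value" are
# accepted, as sshd does. Files pulled in by "Include" are NOT followed; capture
# them too, or use "sshd -T" on the host.
effective_permit_root_login() {
    awk '
        { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1"
}

# 0 = root password login disabled, 1 = allowed, 2 = file does not settle it.
check_permit_root_login() {
    value=$(effective_permit_root_login "$1")
    case "$value" in
        no|prohibit-password|without-password)
            echo "PASS: PermitRootLogin $value"; return 0 ;;
        "")
            echo "UNKNOWN: no top-level PermitRootLogin in $1; confirm with: sshd -T"; return 2 ;;
        *)
            echo "FAIL: PermitRootLogin $value allows root password login"; return 1 ;;
    esac
}

# 0 when root's password field in a shadow file is locked ("!" or "*" prefix),
# 1 when it holds a usable hash or is empty (empty means no password at all).
root_password_locked() {
    field=$(awk -F: '$1 == "root" { print $2 }' "$1")
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample inputs (not captured from any real host).
tmp=$(mktemp -d)
printf 'Include /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin prohibit-password\nMatch User deploy\n    PermitRootLogin yes\n' > "$tmp/sshd_config.good"
printf '# PermitRootLogin no\nPermitRootLogin=yes\n' > "$tmp/sshd_config.bad"
printf 'root:!*:19000:0:99999:7:::\n' > "$tmp/shadow.locked"

check_permit_root_login "$tmp/sshd_config.good"   # PASS: PermitRootLogin prohibit-password
check_permit_root_login "$tmp/sshd_config.bad"    # FAIL: PermitRootLogin yes allows root password login
root_password_locked "$tmp/shadow.locked" && echo "PASS: root password is locked"
rm -r "$tmp"
```

A screenshot of this script's output next to the "sshd -T" output from the sampled hosts is stronger evidence than a screenshot of the configuration file alone, because a drop-in file under an Include directive can override what the main file appears to say.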

DCF-76

Critical Change Management

Upload documentation showing that hot fixes or emergency changes followed the standard change management process, or were reviewed and approved by an authorized individual after implementation.

Example Evidence

  • Screenshots or exports of pull requests/merge requests showing change control

  • Internal tickets, emails, or other documentation showing post-implementation review and approval

DCF-98

Backup Storage

Upload screenshots, exports, or configuration settings from your backup tools showing that backups are:

  • Encrypted

  • Stored separately from production (e.g., different region, Recovery Services vault)

Also include logs or tickets showing that backup failures were detected, monitored, and resolved according to your documented procedures.

Example Evidence

  • Alerts from backup tools for failed jobs and corresponding tickets documenting successful retries

  • Configuration screenshots showing encryption and storage separation

DCF-100

Backup Restore Testing

Upload documentation of your most recent test restore of backed-up data, completed within the past year.

  • Include details such as:

    • Steps taken to restore the data

    • Validation of completeness and accuracy of restored data

    • Results, date of the test, and who approved the outcome

Example Evidence

  • Step-by-step restore documentation

  • Screenshots or reports showing successful validation of restored data

DCF-135

Notification of Incidents or Breaches

Upload appropriately redacted evidence for at least one security incident or breach showing that notifications were provided to affected parties and/or authorities, as required.

  • Evidence should demonstrate compliance with company policies, contractual obligations, and legal or regulatory requirements.

Example Evidence

  • Emails or letters sent to affected parties or authorities

  • Internal logs or tickets documenting the notification process

DCF-166

Business Continuity Plan

Upload the most recent approved Business Continuity Plan (BCP), dated within the current audit period, that outlines how the organization maintains critical operations during disruptions.

Example Evidence

  • Approved BCP document showing procedures for maintaining critical business operations during outages or disruptions

DCF-234

Updated Firmware on Wireless Devices

Upload screenshots or exports showing that firmware on wireless networking devices (e.g., routers, wireless access points) is current and has been updated according to your documented hardening procedures.

Example Evidence

  • Screenshot of the device management console showing the current firmware version

  • Export from a device inventory or monitoring tool confirming firmware updates

DCF-244

System Security Parameters in Configuration Standards

Upload your documented server configuration standards showing that security settings are defined and applied.

Example Evidence

  • Documented server configuration standards highlighting applied security parameters

  • Screenshots or excerpts showing enforced security settings on in-scope servers

DCF-297

Patch Management

Upload screenshots or exports from in-scope systems (or patch management tools) showing that critical patches were installed within the required timeframe across a representative sample of systems.

Include a reference to your vulnerability or patch management policy that defines patch timelines based on risk.

Example Evidence

  • Screenshot from patch management tools showing applied critical patches

  • Export or report confirming patches were installed within the required timelines

  • Reference to the patch management policy detailing timelines and risk-based prioritization

DCF-327

System Access Roles Defined

Upload your Role-Based Access Control (RBAC) matrix or equivalent documentation that maps job roles to their required access permissions and privilege levels.

Example Evidence

  • A copy of your Role-Based Access Control (RBAC) matrix.

  • Screenshots from your Identity and Access Management (IAM) tool defining roles and their associated permissions.

  • Access Control policy.

DCF-342

User Authentication Methods

Upload screenshots from your Identity Provider (e.g., Okta, Azure AD) or a representative in-scope system showing that user authentication (e.g., via password, MFA) is required for access.

Include a reference to your Access Control or Password Policy that requires unique user authentication for all system components.

Example Evidence

  • Screenshots from your Identity Provider (Okta, Azure AD, etc.) showing an enforced authentication policy.

  • A screenshot from an in-scope system’s security settings requiring users to authenticate before gaining access.

  • The relevant section of your Access Control or Password Policy.

DCF-354

MFA for Non-Console Admin Access

Upload screenshots from your Identity Provider (e.g., Okta, Azure AD, Duo) showing that Multi-Factor Authentication (MFA) is enforced for all users with administrative access.

Include a reference to your Access Control Policy that explicitly requires MFA for all administrative, non-console access.

Example Evidence

  • A screenshot of your Identity Provider's policy that enforces MFA for the "Administrators" user group.

  • Screenshots of user profiles for a sample of administrators showing that MFA is enabled and active.

  • The relevant section of your Access Control policy mandating MFA for administrative roles.

DCF-355

MFA for Remote Access

Upload screenshots from your VPN, remote access gateway, or Identity Provider (e.g., Okta, Azure AD) showing that Multi-Factor Authentication (MFA) is required for all remote network access.

Include a reference to your Access Control or Remote Access Policy that mandates MFA for all remote connections, including for employees, administrators, and third parties.

Example Evidence

  • A screenshot of your VPN client's authentication settings requiring MFA for all user groups.

  • A screenshot from your Identity Provider showing a policy that enforces MFA for the VPN or remote access application.

  • The relevant section of your Remote Access Policy.

DCF-409

Audit Trail for Privileged Access

Upload screenshots or exports from your logging and monitoring system (e.g., AWS CloudTrail, Azure Monitor, Splunk) that show audit trails capturing actions taken by administrative accounts.

Include a reference to your Logging & Monitoring Policy that requires the logging of all administrative and privileged activities on system components.

Example Evidence

  • A screenshot from AWS CloudTrail showing a log entry for a privileged action

  • An exported log snippet from your SIEM showing an administrator successfully logging into a production server.

  • Logging and Monitoring Policy

DCF-412

Audit Trail for Identification and Authentication Mechanism Changes

Upload screenshots or exports from your Identity Provider (e.g., Okta, Azure AD) or logging system that show audit trails for changes to user accounts and credentials.

Example Evidence

  • A screenshot from the Azure AD audit log showing a user being added to a Global Administrator role.

  • An exported log from Okta showing the creation of a new user account.

  • Your Logging and Monitoring policy.

DCF-421

Clock Synchronization

Upload screenshots or configuration files from your critical systems showing that a time synchronization service (like NTP) is configured and active.

Example Evidence

  • A screenshot of the output from a command-line tool (e.g., timedatectl status on Linux) on a production server showing that NTP is active and synchronized.

  • A screenshot of the NTP configuration settings from a network device (e.g., firewall, router).

  • The relevant section of your Logging & Monitoring Policy
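The command outputs usually pasted into this evidence are "timedatectl show" and "chronyc tracking". As an added example (not code from this article or from Drata), the POSIX shell script below reads captured copies of both and reduces them to a pass/fail on two facts: NTP is enabled and synchronized, and the current offset from NTP time is within a tolerance you choose. Sample outputs are constructed inline; the function names and the 0.5-second default tolerance are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Drata article. Evaluates captured output of
# "timedatectl show" and "chronyc tracking" for DCF-421. Function names, sample
# outputs and the default tolerance are this example's own assumptions.

# 0 when "timedatectl show" reports NTP=yes and NTPSynchronized=yes.
# Capture it on the host with: timedatectl show > timedatectl.txt
timedatectl_synced() {
    ntp=$(awk -F= '$1 == "NTP" { print $2 }' "$1")
    synced=$(awk -F= '$1 == "NTPSynchronized" { print $2 }' "$1")
    [ "$ntp" = "yes" ] && [ "$synced" = "yes" ]
}

# Print the "System time" offset from "chronyc tracking" as a non-negative number
# of seconds with nine decimals. chrony reports the direction in words ("fast of"
# / "slow of"), so only the magnitude matters here.
chrony_offset_seconds() {
    awk -F': ' '
        $1 ~ /^System time/ {
            v = $2
            sub(/ seconds.*/, "", v)
            v = v + 0
            if (v < 0) v = -v
            printf "%.9f\n", v
        }' "$1"
}

# 0 when "Leap status" is Normal (synchronized, no leap second pending) and the
# offset is at or below the tolerance in seconds (second argument, default 0.5).
chrony_healthy() {
    tol=${2:-0.5}
    leap=$(awk -F': ' '$1 ~ /^Leap status/ { print $2 }' "$1")
    off=$(chrony_offset_seconds "$1")
    [ "$leap" = "Normal" ] && [ -n "$off" ] &&
        awk -v o="$off" -v t="$tol" 'BEGIN { exit !(o + 0 <= t + 0) }'
}

# Constructed sample outputs (not captured from a real host).
tmp=$(mktemp -d)
printf 'Timezone=Etc/UTC\nLocalRTC=no\nCanNTP=yes\nNTP=yes\nNTPSynchronized=yes\n' > "$tmp/timedatectl.txt"
cat > "$tmp/chronyc.txt" <<'EOF'
Reference ID    : CB00710A (203.0.113.10)
Stratum         : 4
Ref time (UTC)  : Mon Jul 10 12:00:00 2023
System time     : 0.000012345 seconds fast of NTP time
Last offset     : -0.000001234 seconds
RMS offset      : 0.000008765 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.123 ppm
Root delay      : 0.001234567 seconds
Root dispersion : 0.000123456 seconds
Update interval : 64.5 seconds
Leap status     : Normal
EOF

timedatectl_synced "$tmp/timedatectl.txt" && echo "PASS: timedatectl reports NTP synchronized"
chrony_offset_seconds "$tmp/chronyc.txt"     # 0.000012345
chrony_healthy "$tmp/chronyc.txt" && echo "PASS: chrony synchronized within tolerance"
rm -r "$tmp"
```

Set the tolerance to whatever your logging policy needs for reliable event correlation; a host whose "Leap status" reads "Not synchronised" fails regardless of the offset, which is the case that matters most for audit trails.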

DCF-428

Secured Audit Trails

Upload screenshots or configuration settings from your logging system showing that audit trails are protected from modification and deletion (for example, write-once storage, retention locks, or role-based access controls that prevent changes).

DCF-429

Limited Access to Audit Trails

Screenshots from the logging system or system user access lists showing that audit trails can only be accessed by individuals with a business need to access them.

DCF-430

Audit Trail Files Protected

Screenshots or pictures showing that audit trails are protected from unauthorized access/modification/deletion through access control mechanisms, physical segregation, and/or logical network segregation.

DCF-433

FIM on Logs

Screenshots showing that File Integrity Monitoring Software or other change detection software is configured to generate alerts if logs are altered.

Screenshots should show:

  • System settings

  • Which files are monitored

  • Logs/Alerts from the FIM or Change Detection Software

DCF-435

Critical System Logs Reviewed Daily

Screenshots showing the process for reviewing the following logs at least daily:

  • All security events.

  • Logs of all system components that store, process, or transmit sensitive data or perform critical business functions.

  • Logs from all critical system components.

  • Logs of all servers and system components that perform security functions.

DCF-437

Periodic Review of Non-Critical Logs

Upload a documented risk assessment that details the risks present for non-critical systems and how those risks justify the frequency and scope of non-critical log reviews.

DCF-438

Follow-up Procedures on Log Review Anomalies and Exceptions

Upload a ticket or report for a recent security exception or anomaly that was investigated and resolved according to your procedures.

Include a reference to your Incident Response Plan or Log Review Procedure that outlines the process for investigating, escalating, and resolving anomalies.

Example Evidence

  • A ticket from your case management system (e.g., Jira, ServiceNow) showing the investigation, escalation, and resolution of a security log alert.

  • An exported report from your SIEM or security tool detailing the analysis and closure of an identified anomaly.

  • The relevant section of your Incident Response Plan that defines the process for handling security exceptions.

DCF-456

Vulnerabilities Identified and Resolved

Upload documented records (for example, incident reports or post-incident reviews) showing that security control failures were documented and that each record includes:

  • Identification of cause(s) of the failure, including root cause

  • Duration (date and time, start to end) of the security failure

  • Details of the remediation required to address the root cause

DCF-524

Periodic Review of Application and System Accounts

Upload Account Review Evidence

  • Provide documentation showing periodic reviews of application and system accounts, including the date of the review and any changes made (e.g., access modifications or account removals).

Examples of Evidence

  • Logs of accounts reviewed and changes made

  • Meeting minutes or reports confirming review details

  • Change request or approval records showing how updates were implemented

DCF-558

Restrictions on Software Installation and Execution

Attach Evidence for Restrictions on Software Installation and Execution

  • Upload screenshots or exports showing mechanisms that prevent the installation and use of unauthorized software on company-managed assets.

Examples include:

  • Screenshots from MDM or endpoint management tools showing software restriction rules enforced on devices

  • Access controls limiting which users can install or run executables

  • Policy settings or configurations that block unapproved applications

DCF-562

Management of Utility Programs

Attach Utility Program Evidence

  • Upload screenshots or exports showing which utility programs (e.g., antivirus, remote management tools, system monitoring software) are installed, configured, and managed.

  • Include settings or parameters that demonstrate proper controls, such as access restrictions or execution policies.

DCF-567

Change Management Policy

Upload the most recent approved Change Management Policy that was in effect during the current audit period.

DCF-613

Identity Evidence Validation and Verification Methods

Upload appropriately redacted completed records from your onboarding process that show identity was verified for new personnel, consistent with their role.

Include a reference to your Identity and Access Management (IAM) or HR Onboarding policy that defines your methods for identity verification based on risk and role.

Example Evidence

  • A completed background check report summary for a new hire in a high-risk role.

  • A redacted and signed Form I-9, confirming verification of government-issued IDs for a new employee.

  • A screenshot from your HRIS (e.g., Workday, BambooHR) showing the "Identity Verified" step as completed in a new hire's onboarding workflow.

  • The relevant section of your IAM or Onboarding policy.

DCF-638

Separation of User and System Management Functions

Upload screenshots demonstrating the separation between standard user and administrative interfaces or accounts.

Include a reference to your Access Control Policy that mandates the separation of user and administrative functions or accounts.

Example Evidence

  • A list of users from your Identity Provider showing that administrators have separate standard and privileged accounts (e.g., jdoe and jdoe-admin).

  • Comparative screenshots showing a standard user's limited view versus an administrator's privileged view of the same system.

  • The relevant section of your Access Control Policy on Separation of Duties.

DCF-650

Integrity Checks (System and Software)

Upload screenshots or logs from your systems showing that integrity verification features (like Secure Boot) are enabled and active.

Example Evidence

  • A screenshot from a server's UEFI/BIOS settings showing that Secure Boot is enabled.

  • A screenshot from the operating system's security center (e.g., Windows Security) confirming that Secure Boot is active.

  • An export from your endpoint management or cloud security tool showing that a sample of in-scope systems are compliant with your secure boot policy.

  • The relevant section of your System Hardening Standard.

DCF-654

System Memory Protection

Upload screenshots, configuration exports, or policy documents showing that memory protection controls (like Data Execution Prevention, Address Space Layout Randomization, or Memory Integrity) are enabled and enforced.

  • A screenshot from the operating system's security settings (e.g., Windows Security) confirming that "Memory Integrity" (HVCI) is enabled.

  • A screenshot from the system's settings showing that Data Execution Prevention (DEP) is turned on for all programs and services.

  • A screenshot of the configuration policy from your endpoint management tool (e.g., Microsoft Intune) or EDR (e.g., CrowdStrike) that shows memory protection settings are enforced across in-scope systems.

DCF-664

High-Risk Privileged Access Provisions

Upload policy documents, approval workflows, and completed request examples showing the formal process for requesting, approving, and granting access to predefined high-risk privileged roles (e.g., Global Administrator, Domain Admin, root).

Example Evidence

  • A screenshot of the relevant section from your Access Control Policy or Privileged Access Management (PAM) Policy that defines "high-risk privileged roles" and states that they require formal approval.

  • A completed and approved access request ticket (e.g., from ServiceNow, Jira) for a high-risk role. The ticket must show the business justification, the requester, and the specific managerial and/or system owner approvals that were required and obtained.

  • A screenshot from your Privileged Access Management (PAM) tool (e.g., CyberArk, Delinea) or Identity Provider (e.g., Azure PIM, Okta) showing the configured multi-step approval workflow required to elevate or assign a user to a high-risk role.

DCF-674

Unnecessary Software Removed or Disabled

Upload screenshots, configuration exports, or policy documents showing that a process is in place to identify, prevent, and remove software that is not required for business purposes.

Example Evidence

  • A screenshot of your Application Whitelisting policy (e.g., from Windows Defender Application Control, AppLocker, or an EDR tool) showing that it is in "Enforcement Enabled" mode, which blocks any unapproved software from running.

  • An export from your endpoint management tool (e.g., Microsoft Intune, SCCM) showing a software inventory report for a sample of systems, which can be cross-referenced against your approved software list to identify deviations.

  • A screenshot of a "Required Uninstall" deployment in your management tool (e.g., SCCM) showing that unauthorized software (like "FileZilla" or "uTorrent") is being actively removed from endpoints, along with the corresponding deployment status report showing success.

  • The relevant section of your System Hardening Standard or CIS Benchmark policy that explicitly lists unnecessary software, features, or server roles (e.g., "Web Server (IIS)," "Telnet Client") that must be disabled or removed.

DCF-677

Software Update and Patch Management

Upload evidence showing that automated mechanisms have been implemented to install security upgrades to operating systems. Examples include:

  • Screenshots showing unattended upgrades configured on in-scope systems

  • Infrastructure-as-code configuration snippets (for example, apt-get update/upgrade) that demonstrate automated patching

  • Screenshots of management consoles for patch management tools (such as Automox, WSUS, Intune) showing applied update policies and deployment status
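On Debian and Ubuntu hosts the mechanism behind "unattended upgrades" is the unattended-upgrades package driven by apt's periodic job, and the most defensible evidence is the merged effective configuration from "apt-config dump" rather than any single file under /etc/apt/apt.conf.d. As an added example (not code from this article or from Drata), the POSIX shell script below reads a captured "apt-config dump" and confirms that periodic package-list refreshes and unattended upgrades are both switched on and that a security origin is in the allowed list. The APT::Periodic keys and the Allowed-Origins / Origins-Pattern keys are the real unattended-upgrades settings; the function names and the sample dump are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Drata article. Checks a captured "apt-config dump"
# (capture on the host with: apt-config dump > apt-config.txt) for the settings
# that make unattended security upgrades happen (DCF-677). Function names and the
# sample dump are this example's own assumptions.

# Print the value of one scalar key from an apt-config dump, e.g.
#   APT::Periodic::Unattended-Upgrade "1";   ->   1
# Values containing spaces are not expected for these keys.
apt_conf_value() {
    awk -v key="$2" '$1 == key { v = $2; gsub(/[";]/, "", v); print v }' "$1"
}

# 0 when apt's periodic job both refreshes package lists and runs
# unattended-upgrades. On a typical host these come from
# /etc/apt/apt.conf.d/20auto-upgrades:
#   APT::Periodic::Update-Package-Lists "1";
#   APT::Periodic::Unattended-Upgrade "1";
unattended_upgrades_enabled() {
    [ "$(apt_conf_value "$1" 'APT::Periodic::Update-Package-Lists')" = "1" ] &&
    [ "$(apt_conf_value "$1" 'APT::Periodic::Unattended-Upgrade')" = "1" ]
}

# 0 when at least one allowed origin is a security origin. Ubuntu lists
# "${distro_id}:${distro_codename}-security" under Allowed-Origins; Debian uses an
# Origins-Pattern entry with label=Debian-Security. apt-config prints list
# members as:  Key:: "value";
security_origin_allowed() {
    awk '
        ($1 == "Unattended-Upgrade::Allowed-Origins::" ||
         $1 == "Unattended-Upgrade::Origins-Pattern::") &&
        $2 ~ /-security|Debian-Security/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Overall verdict with one line of explanation for the evidence package.
check_auto_security_updates() {
    rc=0
    unattended_upgrades_enabled "$1" || { echo "FAIL: APT::Periodic keys do not enable unattended upgrades"; rc=1; }
    security_origin_allowed "$1"     || { echo "FAIL: no security origin in Allowed-Origins/Origins-Pattern"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: unattended security upgrades are configured"
    return "$rc"
}

# Constructed sample dump (not captured from a real host).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade "";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
check_auto_security_updates "$tmp"   # PASS: unattended security upgrades are configured
rm -f "$tmp"
```

Pair the configuration check with proof that the job actually ran: /var/log/unattended-upgrades/unattended-upgrades.log (or the output of "unattended-upgrades --dry-run --debug") shows which packages were installed and when, which is what the "within the required timeframe" wording in DCF-297 asks for.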

DCF-698

Automated Mechanisms for Audit Log Reviews

Upload evidence to demonstrate that your organization has implemented automated mechanisms for audit record reduction and log analysis.

Examples:

  1. System Configuration Documentation: Documentation for your SIEM or log management platform showing how automated log reduction and correlation are configured.

  2. Log Management System Reports: Reports from your log management system demonstrating automated log reduction and correlated event analysis.

DCF-716

Application and System Accounts Authorized

Upload company’s access control policies, access request forms or approval tickets, access logs demonstrating privileges align with system needs, signed management approval for provisioning access, and periodic access review records.

Examples:

  1. Access Control Policies: Upload the company’s access control policies that define the rules and requirements for granting, managing, and reviewing access to systems.

  2. Access Request Forms or Approval Tickets: Provide sample access request forms or approval tickets showing how access is requested and approved.

  3. Access Logs: Include access logs that show how user privileges align with system needs, ensuring users only have the necessary access.

  4. Signed Management Approval: Upload signed management approval records for access provisioning to demonstrate that access was granted with appropriate oversight.

  5. Periodic Access Review Records: Provide documentation showing the periodic review of user access, confirming that access privileges are reassessed regularly.

DCF-725

MFA Configured to Prevent Misuse

Upload screenshots from your Identity Provider (IdP) and exception management system showing that MFA is enforced for all users, requires multiple distinct factors, is configured to prevent replay attacks, and has a formal, time-limited exception process.

Example Evidence

  • A screenshot of the primary MFA enforcement policy (e.g., Azure AD Conditional Access, Okta Sign-On Policy)

  • A screenshot of the Authentication Methods or Factor Configuration page in your IdP.

  • A redacted example of a completed exception ticket (e.g., from ServiceNow, Jira) showing the required business justification, explicit management approval, and a specific expiration date for the temporary MFA bypass

DCF-726

Interactive Use of System and Application Accounts Managed

Upload screenshots from your identity management systems (e.g., Active Directory, PAM) and ticketing system showing that service/application accounts are prevented from interactive login by default, and that any exceptions are formally approved, time-limited, and audited.

Example Evidence

  • A screenshot of a Group Policy Object (GPO) applied to your service accounts Organizational Unit (OU), showing the user rights assignments that block interactive use (for example, "Deny log on locally" and "Deny log on through Remote Desktop Services" assigned to the service account group).

  • A redacted example of a completed exception ticket (e.g., from ServiceNow, Jira). The ticket must clearly show the specific service account, the business justification for interactive use, explicit management approval, and a defined, temporary time period for the access.

DCF-727

Passwords for System and Application Accounts Changed Periodically

Upload screenshots from your Privileged Access Management (PAM) tool or identity systems, relevant policy documents, and change/incident records. This evidence must show that service/application account passwords meet complexity standards, are rotated based on risk, and are changed upon suspected compromise.

Example Evidence

  • A screenshot from your PAM tool (e.g., CyberArk, Delinea, Azure Key Vault) or Group Policy Object (GPO). This must highlight the password complexity policy (e.g., minimum length of 20+, character types) applied to your service and application accounts.

  • A screenshot from your PAM tool's platform settings showing the configured automatic password rotation frequency (e.g., "Rotate every 90 days") for a sample of in-scope system accounts.

  • A redacted example of a completed incident ticket or change request (e.g., from ServiceNow, Jira). This must show an instance where a service account password was changed out-of-band with the justification listed as "suspicion of compromise" or as part of a security incident remediation.

DCF-744

Contact with Authorities

Upload evidence of incident response procedures/playbooks or documented communication plans showing that your organization has identified and documented authorities to be contacted (such as law enforcement, regulatory bodies, supervisory authorities) as well as the events or circumstances that would require communication and the methods and responsibilities for communication with authorities.

Maintaining such contacts can be a requirement to support information security incident management or the contingency planning and business continuity processes. Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization.

DCF-747

Secure Log-on for Customers

Upload evidence to show that customers are provided with the capabilities for secure log-on for any user accounts under their control, for example:

  • Screenshots showing that customers can enable single sign-on, multi-factor authentication, and complex password requirements

  • Screenshots showing that passwords are masked when users attempt to log in

  • Screenshots showing minimal information disclosure in authentication error messages

DCF-785

Supported System Components

Upload evidence demonstrating that only supported system components are used, such as:

  1. Asset Management Policy

  2. Screenshots or reports of configuration standards for in-scope applications and platforms showing supported versions

DCF-793

Dedicated Accounts or Roles for Admin Functions

1. Documented policy and procedure requiring the use of separate, dedicated administrator accounts for administrative or security functions and how standard accounts are restricted from elevated privileges.

2. Access control logs demonstrating that administrative activities are only performed with dedicated admin accounts.

3. Evidence that standard user accounts are not used for privileged activities.

4. Screenshots from your IAM tools (e.g., Okta, Azure AD, AWS IAM) showing separate admin and standard user role configurations.

DCF-885

Active Discovery Tool Deployment

1. Policies outlining the use of active discovery tools for asset identification and network visibility.

2. Screenshots from the discovery tool (e.g., Nessus, Qualys, Rapid7) showing:

  • Active scanning schedules (at least daily).

  • Network ranges being monitored.

DCF-886

DHCP Logging and IP Address Management

1. A documented policy outlining the use of DHCP logging and/or IPAM tools to track and update the asset inventory and procedures specifying log review frequency (at least weekly) and update processes.

2. Screenshots from DHCP servers or IPAM tools (e.g., Infoblox, SolarWinds) showing:

  • Logging is enabled.

  • Active tracking of IP addresses and associated assets.

DCF-887

Passive Network Discovery for Asset Inventory Management

1. A documented policy specifying the use of a passive discovery tool for continuous asset identification and procedures for reviewing scan results and updating the asset inventory at least weekly.

2. Screenshots from the passive discovery tool (e.g., Darktrace, ExtraHop, ARP monitoring) showing continuous monitoring and scheduled scans.

3. Reports of scan results demonstrating asset detection and visibility

DCF-890

Authorized Libraries Allowlist

1. A documented policy specifying the use of technical controls (e.g., allowlisting) to restrict system processes to authorized software libraries (.dll, .ocx, .so, etc.) and procedures for reassessing the allowlist at least twice a year (bi-annually).

2. Screenshots or configuration settings from security tools (e.g., Microsoft AppLocker, Windows Defender Application Control, CrowdStrike) demonstrating allowlisting enforcement.

3. Logs of blocked unauthorized libraries attempting to load.

DCF-891

Authorized Scripts Allowlist

1. A documented policy outlining the use of technical controls (e.g., digital signatures, version control, allowlisting) to restrict script execution to authorized scripts (.ps1, .py, etc.) and procedures for reassessing the script allowlist at least twice a year (bi-annually).

2. Screenshots or configuration settings from security tools (e.g., Microsoft AppLocker, PowerShell Constrained Language Mode, AWS Lambda Policies) demonstrating enforced allowlisting.

3. Logs showing successful execution of authorized scripts and prevention of unauthorized ones.

DCF-899

Collection of Command Line Audit Logs

Upload evidence of the process for collecting command-line audit logs from systems and service providers.

Examples:

  • Audit Logging Policy or Procedure: A documented policy that defines which command-line activity is logged (e.g., shell commands, PowerShell, terminal usage), how logs are collected, and where they are stored.

  • System Configuration Files or Scripts: Configuration files (e.g., auditd rules and auditd.conf, Windows Audit Policy settings, or shell history settings) showing command-line logging is enabled. Note that shell history files are owned and editable by the user whose commands they record and can be disabled per session, so they should support, not replace, kernel-level (auditd) or host-agent logging.

  • SIEM or Log Aggregation Reports: Screenshots or exports from a SIEM (e.g., Splunk, Sentinel) confirming collection of command-line logs from endpoints or servers, including examples of logged command entries.

  • Log Samples: Real command entries with user, timestamp, and command details.

  • Log Review Records: Documentation showing that command-line logs are reviewed regularly and that anomalies are investigated and resolved (for example, security tickets, alert configurations, or audit reports).
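For this control and for DCF-433 (FIM on logs), the configuration most often attached is an auditd rules file, and the gap auditors find is that the rules file in the evidence does not match what is actually loaded on the host. As an added example (not code from this article or from Drata), the POSIX shell script below carries a constructed rules file with a watch on /var/log (tamper alerts for DCF-433) and execve rules for privileged and interactive-user commands (DCF-899), then compares it against a captured "auditctl -l" listing after normalizing the spellings auditctl prints ("-F key=" in place of "-k", and "-1" or "unset" in place of "auid!=4294967295"). Rule keys, paths, file names, function names and the sample listing are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the Drata article. Verifies that the auditd rules
# attached as evidence (DCF-433 log-tamper watches, DCF-899 command logging) are
# the rules actually loaded, by diffing them against captured "auditctl -l"
# output. Rule keys, paths, file names and sample data are this example's own.

# Normalize a rules file or an "auditctl -l" listing to one line per rule:
# drop comments, blank lines and control options (-D, -b, -f, -e, --backlog...),
# squeeze whitespace, and map the spellings auditctl prints back to the ones
# written in rules files. A spelling not covered here shows up as a false
# "missing" rule, which is the safe direction to fail in.
normalize_rules() {
    sed -e 's/#.*//' \
        -e '/^[[:space:]]*$/d' \
        -e '/^[[:space:]]*--/d' \
        -e '/^[[:space:]]*-[Dbfe]/d' \
        -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' \
        -e 's/-F key=/-k /' \
        -e 's/auid!=4294967295/auid!=unset/' -e 's/auid!=-1/auid!=unset/' \
        "$1"
}

# Print every rule in the required file ($1) that is absent from the loaded
# listing ($2). Exit status 0 when nothing is missing.
missing_rules() {
    req=$(mktemp); loaded=$(mktemp)
    normalize_rules "$1" | sort -u > "$req"
    normalize_rules "$2" | sort -u > "$loaded"
    missing=$(comm -23 "$req" "$loaded")
    rm -f "$req" "$loaded"
    [ -z "$missing" ] || { echo "$missing"; return 1; }
}

# Constructed rules file: the evidence you would attach for both controls.
tmp=$(mktemp -d)
cat > "$tmp/evidence.rules" <<'EOF'
-D
-b 8192
## DCF-433: alert on writes or attribute changes to logs and to audit config
-w /var/log -p wa -k log_tamper
-w /etc/audit -p wa -k audit_config
## DCF-899: record every command run as root or by any real (logged-in) user
-a always,exit -F arch=b64 -S execve -F euid=0 -k root_cmds
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds
EOF

# Constructed "auditctl -l" capture from a host where the /var/log watch never loaded.
cat > "$tmp/auditctl-l.txt" <<'EOF'
-w /etc/audit -p wa -k audit_config
-a always,exit -F arch=b64 -S execve -F euid=0 -F key=root_cmds
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=-1 -F key=user_cmds
EOF

missing_rules "$tmp/evidence.rules" "$tmp/auditctl-l.txt" || echo "the rules above are in the evidence but not loaded"
rm -r "$tmp"
```

On the hosts themselves, "auditctl -l" gives the listing to capture and "ausearch -k root_cmds -i" pulls the resulting EXECVE records with user, timestamp and the full argument vector, which covers the "Log Samples" item above; for the DCF-433 watch, a write to a file under /var/log should surface as a record with key log_tamper, and that record is the alert evidence to screenshot.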
