
Review and update event logs and audit logs, as necessary.


CONTROL ID: 00596
CONTROL TYPE: Log Management
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Include a standard to collect and interpret event logs in the event logging procedures., CC ID: 00643

This Control has the following implementation support Control(s):
  • Eliminate false positives in event logs and audit logs., CC ID: 07047
  • Correlate log entries to security controls to verify the security control's effectiveness., CC ID: 13207
  • Identify cybersecurity events in event logs and audit logs., CC ID: 13206
  • Follow up exceptions and anomalies identified when reviewing logs., CC ID: 11925


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Regular reviews of the security parameter settings of network devices such as routers, firewalls and network servers are required to ensure that they remain current. Audit trails of daily activities in critical network devices should be maintained and reviewed regularly. Network operational personne… (6.2.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • A security administration function and a set of formal procedures should be established for administering the allocation of access rights to system resources and application systems, and monitoring the use of system resources to detect any unusual or unauthorized activities. In particular, the funct… (3.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • App 2-1 Item Number IV.4(4): Data usage must be recorded and reviewed on a periodic basis. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control. App 2-1 Item Number IV.5(7): Output data usage must be recorded and reviewed on a period… (App 2-1 Item Number IV.4(4), App 2-1 Item Number IV.5(7), App 2-1 Item Number IV.6(3), App 2-1 Item Number IV.7(5), App 2-1 Item Number IV.8(3), App 2-1 Item Number IV.8(5), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization shall check the audit trails periodically. (T37, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Analytical results on the error logs since the last maintenance and inspection (P51.4. ¶ 1(5), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In order to ensure the correctness of operations, it is necessary to check the progress of operations during the execution and maintenance of operation records to make sure that the requested operations have been processed as instructed. (P38.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is recommended that proper provisions should be made to allow analysis and reporting of unauthorized access based on the audit trails. This protection is essential for the systems that handle personal data. (P10.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For the early detection of unauthorized access and clarification of its causes, it is necessary to check access recording. (P25.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Considering possible failures involving CDs/ATMs, etc., it is necessary to prepare communication networks and communication methods for the time periods (nighttime, Saturday, Sunday, public holidays, etc.) subject to unmanned monitoring and to review them periodically. (P70.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Conducting regular audit or management review of the logs (Critical components of information security 5) (xiii) g), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Error / exception reports and logs need to be reviewed and any issues need to be remedied /addressed at the earliest. (Critical components of information security 11) c.22., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Reviewing the position of security incidents and various information security assessments and monitoring activities across the bank (Information Security Committee ¶ 3 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • All application systems need to have audit trails along with policy/procedure of log monitoring for such systems including the clear allocation of responsibility in this regard. Every application affecting critical/sensitive information, for example, impacting financial, customer, control, regulator… (Critical components of information security 11) c.5., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Security personnel and/or administrators designated in this regard should identify anomalies in logs and actively review the anomalies, documenting their findings on an ongoing basis (Critical components of information security 21) v.c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Logging remote access communications, analyzing them in a timely manner, and following up on anomalies (Critical components of information security 25) iii.h., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The error logs pertaining to the pre-migration/ migration/ post migration period along with root cause analysis and action taken need to be available for review. (Critical components of information security 12) (iv), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should regularly review security logs of systems, applications and network devices for anomalies. (§ 9.6.5, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A process to collect, process, review and retain system logs should be established to facilitate the FI's security monitoring operations. These logs should be protected against unauthorised access. (§ 12.2.2, Technology Risk Management Guidelines, January 2021)
  • Implement measures to ensure ICT system logs are reviewed regularly for security violations and possible breaches. (Annex A1: Compliance, Testing and Audits 16, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • A representative sample of security events generated by a CDS, relating to the enforcement of data transfer policies, is taken at least every 3 months and assessed against the security policies that the CDS is responsible for enforcing between security domains. (Security Control: 1523; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Event logs are analysed in a timely manner to detect cyber security events. (Control: ISM-0109; Revision: 8, Australian Government Information Security Manual, June 2023)
  • Data transfer logs for systems are partially verified at least monthly. (Control: ISM-1294; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Data transfer logs for SECRET and TOP SECRET systems are fully verified at least monthly. (Control: ISM-0660; Revision: 9, Australian Government Information Security Manual, June 2023)
  • When using a software-based isolation mechanism to share a physical server's hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner. (Control: ISM-1607; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Event logs are analysed in a timely manner to detect cyber security events. (Control: ISM-0109; Revision: 8, Australian Government Information Security Manual, September 2023)
  • Data transfer logs for systems are partially verified at least monthly. (Control: ISM-1294; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Data transfer logs for SECRET and TOP SECRET systems are fully verified at least monthly. (Control: ISM-0660; Revision: 9, Australian Government Information Security Manual, September 2023)
  • When using a software-based isolation mechanism to share a physical server's hardware, integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner. (Control: ISM-1607; Revision: 0, Australian Government Information Security Manual, September 2023)
  • The procedures for reviewing manual logs and system audit trails, especially for privileged users, should be included in the Standard Operating Procedures for the information technology security officer. (Control: 0790 Table Row "Audit logs", Australian Government Information Security Manual: Controls)
  • The organization must develop, maintain, and implement tools and procedures for incorporating audit analysis into the detection of potential cyber security incidents. (Control: 0120 Bullet 3, Australian Government Information Security Manual: Controls)
  • The database event logs should be audited for signs of attempted and successful cyber intrusions on a regular basis. (Control: 1283, Australian Government Information Security Manual: Controls)
  • The organization must develop and document the auditing requirements for event logs, that includes the audit schedule. (Control: 0109 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must develop, implement, and maintain an intrusion detection and prevention strategy that includes analyzing event logs, including Intrusion Detection System logs and Intrusion Prevention System logs. (Control: 0576 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must audit the complete data transfer logs at least monthly for classified systems, when importing data to each security domain and through the gateway. (Control: 0660, Australian Government Information Security Manual: Controls)
  • The organization must audit the complete data transfer logs at least monthly on classified systems, when exporting data out of each security domain and through a gateway. (Control: 0673, Australian Government Information Security Manual: Controls)
  • The organization should conduct monthly audits of imported content, when it imports content to a security domain and through a gateway. (Control: 1294, Australian Government Information Security Manual: Controls)
  • The organization should conduct monthly audits of exported content, when it exports content out of a security domain and through a gateway. (Control: 1295, Australian Government Information Security Manual: Controls)
  • Information technology asset owners should review user access on a regular basis. (¶ 44(h), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • regular reviews of user access by IT asset owners to ensure appropriate access is maintained; (¶ 44(h), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • A sufficient number of trained personnel should exist to review and analyze the logs for potential violations. (§ 3.7.28, Australian Government ICT Security Manual (ACSI 33))
  • The organization should analyze the logs of allowed and blocked network activity on a regular basis. (Mitigation Strategy Effectiveness Ranking 23, Strategies to Mitigate Targeted Cyber Intrusions)
  • The organization should analyze the logs of successful and unsuccessful computer events on a regular basis. (Mitigation Strategy Effectiveness Ranking 24, Strategies to Mitigate Targeted Cyber Intrusions)
  • Logging of user activities: at a minimum, all activities by privileged users should be logged and monitored. Access logs should be secured to prevent unauthorised modification or deletion and retained for a period commensurate with the criticality of the identified business functions, supporting pro… (3.4.2 31(d), Final Report EBA Guidelines on ICT and security risk management)
  • Audit trails need to be reviewed on a regular basis. (¶ 9, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • The records and logs of the detection safeguards must be evaluated regularly. (§ 8.3 Subsection 2 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to log events on all assets which are used for the development or operation of the cloud service and to store them in a central place. The logging includes def… (Section 5.6 RB-10 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Review of security-relevant incidents, operational disruptions or failures and interruptions that are related to the service (Section 5.12 DLL-02 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • Physical and virtualised network environments are designed and configured in such a way that the connections between trusted and untrusted networks must be restricted and monitored. At defined intervals, it is reviewed whether the use of all services, logs and ports serve a real commercial purpose. … (Section 5.9 KOS-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Event logs are checked regularly for rule violations and noticeable problems in compliance with the permissible legal and organizational provisions. (5.2.4 Requirements (must) Bullet 5, Information Security Assessment, Version 5.1)
  • Do administrators regularly review all Virtual Private Network log files, system log files, firewall logs, Intrusion Detection System logs, etc.? (Table Row II.22, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does someone regularly check the audit trails of key card access systems? (Table Row II.56, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • If logs are kept, how often are they reviewed? (Table Row VII.7, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does management review the log files on a regular basis? (Table Row VII.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are daily audits of network logs conducted? (Table Row XI.3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization monitor all wireless logs at least once a week? (Table Row XIII.19, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization scan critical host logs daily? (Table Row XIII.19, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Log files should be viewed on a regular basis. If log files are not reviewed regularly, suspicious activity may go unnoticed. (Pg 132, Pg 134, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • Review firewall logs regularly. (§ 3-4, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003)
  • How are audit logs monitored and reviewed? (Appendix D, Regularly Monitor and Test Networks Bullet 5, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Implement processes and policies that include regularly reviewing and acting on the data provided by the IDS/IPS. (4.3.5 F, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
  • Through observation verify that regular log reviews are performed for all system components. (§ 10.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Through interviews verify that regular log reviews are performed for all system components. (§ 10.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Get and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required. (§ 10.6.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify the shared hosting provider has enabled logging to be available for review by the owning entity. (App A Testing Procedures § A.1.3 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers, 3)
  • Examine the security policies and procedures to verify all security events are defined to be reviewed at least daily, either manually or with audit log tools. (Testing Procedures § 10.6.1.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the security policies and procedures to verify audit logs of system components that process, store, or transmit cardholder data and/or sensitive authentication data or that could impact the security of sensitive authentication data and/or cardholder data are defined to be reviewed at least d… (Testing Procedures § 10.6.1.a Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the security policies and procedures to verify audit logs of all critical system components are defined to be reviewed at least daily, either manually or with audit log tools. (Testing Procedures § 10.6.1.a Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the security policies and procedures to verify audit logs of all servers and system components that perform security functions are defined to be reviewed at least daily, either manually or with audit log tools. (Testing Procedures § 10.6.1.a Bullet 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the security policies and procedures to verify audit logs of other system components not stated in requirement 10.6.1 are defined to be reviewed periodically, either manually or with audit log tools. (Testing Procedures § 10.6.2.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and observe processes to verify all security events are reviewed at least daily. (Testing Procedures § 10.6.1.b Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and observe processes to verify the audit logs of system components that process, store, or transmit cardholder data and/or sensitive authentication data or could impact sensitive authentication data and/or cardholder data are reviewed at least daily. (Testing Procedures § 10.6.1.b Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and observe processes to verify the audit logs of all critical system components are reviewed at least daily. (Testing Procedures § 10.6.1.b Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and observe processes to verify the audit logs of all system components and servers that perform security functions are reviewed at least daily. (Testing Procedures § 10.6.1.b Bullet 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the risk assessment to verify audit log reviews are conducted in accordance with the Risk Management strategy and the organization's policies. (Testing Procedures § 10.6.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure all logs are reviewed on a daily basis. (§ 10.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Through observation verify that regular log reviews are performed for all system components. (§ 10.6.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Through interviews verify that regular log reviews are performed for all system components. (§ 10.6.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Obtain and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required. (§ 10.6.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that viewing of log entries is restricted to the owning entity. (§ A.1.2.d Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify logs are available for review by the owning entity. (§ A.1.3 Bullet 3 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Logs and security events must be reviewed to identify suspicious activity and anomalies. (PCI DSS Requirements § 10.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • All security event logs must be reviewed at least daily. (PCI DSS Requirements § 10.6.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The audit logs of system components that process, store, or transmit cardholder data and/or sensitive authentication data or could impact the security of cardholder data and/or sensitive authentication data must be reviewed at least daily. (PCI DSS Requirements § 10.6.1 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The audit logs of all critical system components must be reviewed at least daily. (PCI DSS Requirements § 10.6.1 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The audit logs of all servers and system components that perform security functions must be reviewed at least daily. (PCI DSS Requirements § 10.6.1 Bullet 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The audit logs of other system components not stated under requirement 10.6.1 must be reviewed periodically. (PCI DSS Requirements § 10.6.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Review logs and security events for all system components to identify anomalies or suspicious activity. (10.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. (10.6.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection… (10.6.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. (10.6.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Review logs and security events for all system components to identify anomalies or suspicious activity. (10.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection… (10.6.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Review the following at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection… (10.6.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Review logs and security events for all system components to identify anomalies or suspicious activity. (10.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. (10.6.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows? (10.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are the following logs and security events reviewed at least daily, either manually or via log tools? - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system compon… (10.6.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are logs of all other system components periodically reviewed—either manually or via log tools—based on the organization’s policies and risk management strategy? (10.6.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are the following logs and security events reviewed at least daily, either manually or via log tools? - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system compon… (10.6.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are logs of all other system components periodically reviewed—either manually or via log tools—based on the organization’s policies and risk management strategy? (10.6.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows? (10.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are the following logs and security events reviewed at least daily, either manually or via log tools? - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perfor… (10.6.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are logs of all other system components periodically reviewed—either manually or via log tools—based on the organization’s policies and risk management strategy? (10.6.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are the following logs and security events reviewed at least daily, either manually or via log tools? - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perfor… (10.6.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are logs of all other system components periodically reviewed—either manually or via log tools—based on the organization’s policies and risk management strategy? (10.6.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows? (10.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are the above logs and security events reviewed at least daily? (10.6.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are written policies and procedures defined for reviewing the following at least daily, either manually or via log tools? - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system co… (10.6.1 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are written policies and procedures defined for reviewing logs of all other system components periodically—either manually or via log tools— based on the organization’s policies and risk management strategy? (10.6.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows? (10.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are written policies and procedures defined for reviewing the following at least daily, either manually or via log tools? - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system co… (10.6.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are written policies and procedures defined for reviewing logs of all other system components periodically—either manually or via log tools—based on the organization’s policies and risk management strategy? (10.6.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are the above logs and security events reviewed at least daily? (10.6.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are reviews of all other system components performed in accordance with organization’s policies and risk management strategy? (10.6.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are the above logs and security events reviewed at least daily? (10.6.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are reviews of all other system components performed in accordance with organization’s policies and risk management strategy? (10.6.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are written policies and procedures defined for reviewing the following at least daily, either manually or via log tools? - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system co… (10.6.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are the above logs and security events reviewed at least daily? (10.6.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are reviews of all other system components performed in accordance with organization’s policies and risk management strategy? (10.6.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are written policies and procedures defined for reviewing logs of all other system components periodically—either manually or via log tools—based on the organization’s policies and risk management strategy? (10.6.2(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows? (10.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Perform the following: (10.6, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine security policies and procedures to verify that procedures are defined for reviewing the following at least daily, either manually or via log tools: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components … (10.6.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Observe processes and interview personnel to verify that the following are reviewed at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all servers and system components that perform … (10.6.1.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine security policies and procedures to verify that procedures are defined for reviewing logs of all other system components periodically—either manually or via log tools—based on the organization’s policies and risk management strategy. (10.6.2.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine the organization’s risk-assessment documentation and interview personnel to verify that reviews are performed in accordance with organization’s policies and risk management strategy. (10.6.2.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Monitor firewall logs daily for wireless traffic entering the Cardholder Data Environment (CDE). (§ 3.3.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • All security events. (10.4.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Logs of all system components that store, process, or transmit CHD and/or SAD. (10.4.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Logs of all critical system components. (10.4.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers). (10.4.1 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically. (10.4.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Automated mechanisms are used to perform audit log reviews. (10.4.1.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documented results of periodic log reviews of all other system components (not defined in Requirement 10.4.1) and interview personnel to verify log reviews are performed at the frequency specified in the entity's targeted risk analysis performed for this requirement. (10.4.2.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine security policies and procedures to verify that processes are defined for reviewing all elements specified in this requirement at least once daily. (10.4.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Observe processes and interview personnel to verify that all elements specified in this requirement are reviewed at least once daily. (10.4.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine security policies and procedures to verify that processes are defined for reviewing logs of all other system components periodically. (10.4.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented results of log reviews and interview personnel to verify that log reviews are performed periodically. (10.4.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine log review mechanisms and interview personnel to verify that automated mechanisms are used to perform log reviews. (10.4.1.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are all security events reviewed at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(b) Bullet 1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are the logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD reviewed at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(b) Bullet 2, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are the logs of all critical system components reviewed at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(b) Bullet 3, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are the logs of all servers and system components that perform security functions (for example, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), authentication servers, e-commerce redirection servers, etc.) reviewed at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(b) Bullet 4, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are logs of all other system components periodically reviewed, either manually or via log tools, based on the organization's policies and risk management strategy? (PCI DSS Question 10.6.2(b), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are all security events reviewed at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(b) Bullet 1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are the logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD reviewed at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(b) Bullet 2, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are the logs of all critical system components reviewed at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(b) Bullet 3, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are the logs of all servers and system components that perform security functions (for example, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), authentication servers, e-commerce redirection servers, etc.) reviewed at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(b) Bullet 4, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are reviews of all other system components performed in accordance with organization's policies and risk management strategy? (PCI DSS Question 10.6.2(b), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are written policies and procedures defined for reviewing all security events at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(a) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are written policies and procedures defined for reviewing the logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(a) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are written policies and procedures defined for reviewing the logs of all critical system components at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(a) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are written policies and procedures defined for reviewing the logs of all servers and system components that perform security functions (for example, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), authentication servers, e-commerce redirection servers, etc.) at lea… (PCI DSS Question 10.6.1(a) Bullet 4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are the logs and security events from Requirement 10.6.1 reviewed at least daily? (PCI DSS Question 10.6.1(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are written policies and procedures defined for reviewing logs of all other system components periodically, either manually or via log tools, based on the organization's policies and risk management strategy? (PCI DSS Question 10.6.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are reviews of all other system components performed in accordance with organization's policies and risk management strategy? (PCI DSS Question 10.6.2(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are written policies and procedures defined for reviewing all security events at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(a) Bullet 1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are written policies and procedures defined for reviewing the logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(a) Bullet 2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are written policies and procedures defined for reviewing the logs of all critical system components at least daily, either manually or via log tools? (PCI DSS Question 10.6.1(a) Bullet 3, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are written policies and procedures defined for reviewing the logs of all servers and system components that perform security functions (for example, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), authentication servers, e-commerce redirection servers, etc.) at lea… (PCI DSS Question 10.6.1(a) Bullet 4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are the logs and security events from Requirement 10.6.1 reviewed at least daily? (PCI DSS Question 10.6.1(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are written policies and procedures defined for reviewing logs of all other system components periodically, either manually or via log tools, based on the organization's policies and risk management strategy? (PCI DSS Question 10.6.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are reviews of all other system components performed in accordance with organization's policies and risk management strategy? (PCI DSS Question 10.6.2(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Ensure that any audit or logging capability is enabled. Additionally, regularly inspect system logs and reports for abnormal activity. If abnormal activity is suspected or discovered, discontinue access to the mobile device and its payment application until the issue has been resolved. Abnormal acti… (¶ 6.5.2, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • All security events. (10.4.1 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all system components that store, process, or transmit CHD and/or SAD. (10.4.1 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all critical system components. (10.4.1 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers). (10.4.1 Bullet 4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Automated mechanisms are used to perform audit log reviews. (10.4.1.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically. (10.4.2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Automated mechanisms are used to perform audit log reviews. (10.4.1.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically. (10.4.2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All security events. (10.4.1 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all system components that store, process, or transmit CHD and/or SAD. (10.4.1 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all critical system components. (10.4.1 Bullet 3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers). (10.4.1 Bullet 4, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Automated mechanisms are used to perform audit log reviews. (10.4.1.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically. (10.4.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All security events. (10.4.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all system components that store, process, or transmit CHD and/or SAD. (10.4.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers). (10.4.1 Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all critical system components. (10.4.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All security events. (10.4.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all critical system components. (10.4.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers). (10.4.1 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all system components that store, process, or transmit CHD and/or SAD. (10.4.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Automated mechanisms are used to perform audit log reviews. (10.4.1.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically. (10.4.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • When monitoring the transactions and authorizations, the organization should check for identical transaction amounts; multiple transactions from the same Internet Protocol (IP) address; multiple transactions on a single card over a short period of time; transactions on similar account numbers; unusu… (Pg 54, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • The Chief Audit Executive (CAE) can review test results to identify problem areas after tests have been run during an audit. For continuous auditing, the auditing process must remain flexible and be able to respond to changes in the control environment and exposures. The efficiency and effectiveness… (§ 6 (Manage and Report Results) ¶ 5, § 6 (Manage and Report Results) ¶ 11, IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • In order to operate a system, administrative access is required. IT auditors should ensure system administrators only have access required to perform their job responsibilities. Consideration also should be given to performing periodic independent reviews of audit trails. (App A.7, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Audit trails should be reviewed for suspicious activity by independent audit groups on an irregular interval. (Pg 12-IV-4, Protection of Assets Manual, ASIS International)
  • (Further Issues 1 § 2.3, ISF Security Audit of Networks)
  • Security-related event logs should be reviewed regularly (e.g., to help identify suspicious activity or unauthorised activity). (CF.10.04.09a, The Standard of Good Practice for Information Security)
  • The performance of business applications, Information Systems, and networks should be monitored by reviewing event logs of system and network activity regularly (e.g., to help identify suspicious or unauthorised activity). (CF.10.05.01d, The Standard of Good Practice for Information Security)
  • System / network monitoring activities should be conducted regularly. (CF.10.05.05, The Standard of Good Practice for Information Security)
  • The results of monitoring activities should be reviewed by the owners of business applications, Information Systems, and networks. (CF.10.05.09-1, The Standard of Good Practice for Information Security)
  • The integrity of information processed by business applications should be maintained by ensuring that changes to key 'static' business information such as customer master files or currency exchange rates are reviewed (e.g., by inspecting the contents of records before and after they have been change… (CF.04.03.02c, The Standard of Good Practice for Information Security)
  • Servers should be subject to standard security management practices, which includes reviewing them on a regular basis to assess activities performed on the server (e.g., by inspecting logs). (CF.07.02.06f-3, The Standard of Good Practice for Information Security)
  • Voice over Internet Protocol-specific controls should be applied, which includes monitoring Voice over Internet Protocol-related event log files. (CF.09.07.04e, The Standard of Good Practice for Information Security)
  • The performance of business applications, Information Systems, and networks should be monitored by reviewing event logs of system and network activity regularly (e.g., to help identify suspicious or unauthorised activity). (CF.10.05.01d, The Standard of Good Practice for Information Security, 2013)
  • System / network monitoring activities should be conducted regularly. (CF.10.05.05, The Standard of Good Practice for Information Security, 2013)
  • The results of monitoring activities should be reviewed by the owners of business applications, Information Systems, and networks. (CF.10.05.09-1, The Standard of Good Practice for Information Security, 2013)
  • The integrity of information processed by business applications should be maintained by ensuring that changes to key 'static' business information such as customer master files or currency exchange rates are reviewed (e.g., by inspecting the contents of records before and after they have been change… (CF.04.03.02c, The Standard of Good Practice for Information Security, 2013)
  • Voice over Internet Protocol-specific controls should be applied, which includes monitoring Voice over Internet Protocol-related event log files. (CF.09.07.04e, The Standard of Good Practice for Information Security, 2013)
  • Security-related event logs should be reviewed regularly (e.g., to help identify suspicious activity or unauthorised activity). (CF.10.04.10a, The Standard of Good Practice for Information Security, 2013)
  • System logs must not just be collected, they also must be read. Audit tools for log analysis should be obtained; the process should be automated as much as possible. Network and computer logs should be gathered immediately after a security incident is discovered. Logs and cryptographic file database… (Action 1.8.3, Action 3.5.1, Action 3.5.2, SANS Computer Security Incident Handling, Version 2.3.1)
  • Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs. They should then actively review the anomalies, documenting their findings. (Control 6.4, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • Monitor logs associated with any scanning activity and associated administrator accounts to ensure that this activity is limited to the timeframes of legitimate scans. (Control 4.6, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The evaluation team must review the archived notifications of the previous 30 scanning cycles to verify that the vulnerability scanning tools successfully completed their regular scans or, if not, a notification was sent stating the scan did not finish. (Control 6 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • System Administrators and/or security personnel should run reports that identify errors in the logs, review the errors, and document the findings on a biweekly basis. (Critical Control 14.7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must periodically review security logs of at least 2 routers, 2 switches, 2 firewalls, 10 servers, and 10 client systems to determine if traffic sent by the team is logged. (Control 14 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system should automatically create a daily report that includes a list of disabled accounts, accounts with passwords that do not expire, locked-out accounts, and accounts that have passwords that exceed the maximum password age, and send it to the System Administrator in a secure way. (Critical Control 16.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should monitor the logs associated with administrative accounts and scanning to verify that the use of a privileged account for these activities only occurs during legitimate scans. (Critical Control 4.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies. (LOG-05, Cloud Controls Matrix, v4.0)
  • Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents. (IS-25, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Audit logs shall be reviewed at least daily and file integrity (host) and Network Intrusion Detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. (SA-14, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • On a regular basis, review logs to identify anomalies or abnormal events. (CIS Control 6: Sub-Control 6.7 Regularly Review Logs, CIS Controls, 7.1)
  • On a regular basis, review logs to identify anomalies or abnormal events. (CIS Control 6: Sub-Control 6.7 Regularly Review Logs, CIS Controls, V7)
  • Establish and maintain an audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that coul… (CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process, CIS Controls, V8)
  • Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. (CIS Control 8: Safeguard 8.11 Conduct Audit Log Reviews, CIS Controls, V8)
  • Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently. (CIS Control 1: Safeguard 1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory, CIS Controls, V8)
  • The organization should monitor the medical network for reported events. (§ 4.6.1 ¶ 2(e), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • ¶ 8.1.5(6) Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards… (¶ 8.1.5(6), ¶ 8.2.2(2)(5), ¶ 9.2 Table Row "Audit Logs", ¶ 10.3.4, ¶ 10.5.1, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Audit Trails. It is important to ensure the effectiveness of network security through detection, investigation and reporting of security incidents. Sufficient audit trail information of error conditions and valid events should be recorded to enable thorough review for suspected, and of actual, incid… (¶ 13.4, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The audit system should be in a form that the authorized user can interpret the information. Authorized users should have the ability to search audit trails based on certain criteria. (§ 8.4, § C.5, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Performance and trend monitoring results shall be recorded and reviewed to identify the causes of errors and opportunities for improvement. (§ 6.1 ¶ 6, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. (A.12.4.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. (A.12.4.3 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Some areas that should be monitored include authorized accesses; privileged operations; unauthorized access attempts; system alerts; and changes to system security settings. (§ 10.10.2, ISO 27002 Code of practice for information security management, 2005)
  • The organization shall analyse data and trends on incidents to identify problems. The organization shall undertake root cause analysis and determine potential actions to prevent the occurrence or recurrence of incidents. (§ 8.6.3 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • System administrator and system operator activities should be logged and the logs protected and regularly reviewed. (§ 12.4.3 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Event logs recording user activities, exceptions, faults and information security events should be produced, kept and regularly reviewed. (§ 12.4.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • review of documented information (including computer logs and configuration data); (§ 6.4.7.2 a), ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • A process should be put in place to review event logs with a specified, documented periodicity, to identify irregularities and propose remediation efforts. (§ 12.4.1 ¶ 3, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • A process should be put in place to review event logs with a specified, documented periodicity, to identify irregularities and propose remediation efforts. (§ 12.4.1 ¶ 3, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. (CC7.3 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program, and actions are taken, if necessary. (CC7.3 ¶ 3 Bullet 2 Communicates and Reviews Detected Security Events, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization's activity logs and other security event logs are reviewed and are retained in a secure manner for an appropriate amount of time. (PR.PT-1.2, CRI Profile, v1.2)
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy. (PR.PT-1, CRI Profile, v1.2)
  • The organization's activity logs and other security event logs are reviewed and are retained in a secure manner for an appropriate amount of time. (PR.PT-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. (RA-5(8) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6(10) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. (RA-5(8) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information. (SI-4(18) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • System logs may be scanned for unusual activity. (¶ 3.117 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • System logs may be scanned for unusual activity that may be indicative of failure in the design or operating effectiveness of controls. (¶ 3.130 ¶ 1 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. (CC7.3 Communicates and Reviews Detected Security Events, Trust Services Criteria)
  • The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. (CC7.3, Trust Services Criteria)
  • The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. (CC7.3 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Detected security events are communicated to and reviewed by the individuals responsible for the management of the security program and actions are taken, if necessary. (CC7.3 ¶ 2 Bullet 2 Communicates and Reviews Detected Security Events, Trust Services Criteria, (includes March 2020 updates))
  • Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents. (CIP-007-6 Table R4 Part 4.4 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - System Security Management CIP-007-6, Version 6)
  • On UNIX computers or Linux computers that transmit scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.16.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.16.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.16.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that transmit scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.17.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that process scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.17.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On Windows systems that store scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.17.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that transmit scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.18.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.18.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.18.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that transmit scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.19.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that process scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.19.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that store scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.19.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that transmit scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.20.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that process scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.20.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that store scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ G.20.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to transmit scoped systems and data, is the user of a system also responsible for reviewing its security audit logs? (§ G.22.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to process scoped systems and data, is the user of a system also responsible for reviewing its security audit logs? (§ G.22.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to store scoped systems and data, is the user of a system also responsible for reviewing its security audit logs? (§ G.22.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are firewall rules regularly reviewed? (§ G.11.16, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are the results of the vulnerability assessments reviewed either regularly or just after the assessment is conducted? (§ G.10.2.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are the results of the vulnerability scans reviewed either regularly or just after the scan is conducted? (§ G.10.2.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are the results of the vulnerability assessments reviewed either regularly or just after the assessment is conducted? (§ G.10.3.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are the results of the vulnerability scans reviewed either regularly or just after the scan is conducted? (§ G.10.3.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are the results of the penetration tests reviewed just after the test is conducted? (§ G.10.4.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are the results of the penetration tests reviewed just after the test is conducted? (§ G.10.5.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are logs regularly reviewed using a specific methodology to uncover potential incidents? (§ V.1.72.5, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Audit trails should be reviewed daily, but at a minimum of once a week. (§ 2-3.a(1), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • CSR 1.6.1(4): The organization must implement procedures for regularly reviewing information security activity records, such as security incident tracking reports. CSR 2.1.12: The organization must use automated utilities to review audit logs on a daily basis for unexpected, unusual, or suspicious … (CSR 1.6.1(4), CSR 2.1.12, CSR 3.1.3, CSR 3.4.1, CSR 4.2.2, CSR 7.3.6, CSR 10.2.3, CSR 10.10.5(10), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Audit trails can show if the system is being compromised or malicious users are trying to cause damage to the system. The information assurance officer should review the audit trails and system logs on a daily basis. They should be looking for the following information: excessive logon attempt failu… (§ 3.16.1, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • Remote users must review the firewall log on a daily basis; any unusual events or suspicious activity must be reported to the security officer immediately. Audit logs must be reviewed by the organization on a daily basis. (§ 5.2, § 6.2.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • The audit logs should be reviewed regularly to identify possible security breaches. (§ 3.8, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The site should have a policy to define the procedures for reviewing audit logs. The audit logs should be reviewed on a regular basis to prevent potential security breaches and weaknesses. (§ 3.1 (1.029), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • Audit logs should be reviewed on a regular basis. This review should be conducted to identify any security breaches or weaknesses in the system. (§ 3.8, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • § 3.2.6.1.1 (MED0160: CAT III) The Information Assurance Officer will document and review automated scan exceptions regularly. § 4.5.2 (MED0300: CAT III) The Information Assurance Officer/Network Security Officer, to determine if attacks or inappropriate activity has occurred, will ensure that med… (§ 3.2.6.1.1 (MED0160: CAT III), § 4.5.2 (MED0300: CAT III), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • Regularly review MFD and print spooler audit logs. (MFD06.006, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3)
  • Review audit logs. (AU.2.044, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Review audit logs. (AU.2.044, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Review audit logs. (AU.2.044, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Review audit logs. (AU.2.044, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • The Records Management Application, in conjunction with the operating system environment, shall provide audit analysis functionality, so an authorized individual can set up a report to facilitate the reconstruction, review, and examination of events leading to or surrounding the possible compromise … (§ C2.2.8.3.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The audit trail records must be regularly reviewed to determine if there is any indication of unusual activity or inappropriate activity. (ECAT-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Audit tools must be available for reviewing audit records and for performing audit record report generation. (ECRG-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The transaction log must be periodically reviewed or immediately reviewed when a system security event occurs. (ECCD-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The system must record a complete audit trail for each remote session. (EBRP-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Audit trails must be reviewed at least weekly. (§ 8-602.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. (§ 164.308(a)(1)(ii)(D), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. (§ 164.308(a)(1)(ii)(D), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Management shall designate an individual to review and analyze the audit records for indications of unusual activity or inappropriate activity, investigate violations, report findings to appropriate officials, and take the necessary corrective actions. (§ 5.4.3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The audit log shall be reviewed and analyzed at least once a week. (§ 5.4.3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall enable logging on wireless devices and review the logs at least monthly. (§ 5.5.7.1(13), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take nec… (§ 5.4.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Review intrusion detection or prevention logs weekly or implement automated event notification. (§ 5.10.1.3 ¶ 3(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Enable logging (if supported) and review the logs on a recurring basis per local policy. At a minimum logs shall be reviewed monthly. (§ 5.13.1.1 ¶ 2(14), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Review intrusion detection or prevention logs weekly or implement automated event notification. (§ 5.10.1.3 ¶ 3 5., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Enable logging (if supported) and review the logs on a recurring basis per local policy. At a minimum logs shall be reviewed monthly. (§ 5.13.1.1 ¶ 2 14., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The responsible management official shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take nec… (§ 5.4.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Audit log records and other security event logs are reviewed and retained in a secure manner. (Domain 2: Assessment Factor: Monitoring and Analyzing, MONITORING AND ANALYZING Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Configures and reviews audit logs. (App A Objective 3:7f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Regularly monitors database activity logs. (App A Objective 3:7g, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Response time for log review. (App A Objective 15:7b Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Safeguards systems against security threats and employs IAM, configuration management, and log monitoring. (App A Objective 13:6c Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Filters and reviews logs for potential security events and provides adequate reports and alerts. (App A Objective 6.21.f, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Processes to effectively collect, aggregate, analyze, and correlate security event information from discrete systems and applications. (App A Objective 6.35.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Independent review of logging practices. (App A Objective 6.35.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Audit logs and intrusion detection systems reports should be reviewed regularly. (Pg 29, Obj 1.5, Obj 4.3, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should review System and Security Administrator activity audit trails and logs. (Pg 31, Pg 32, FFIEC IT Examination Handbook - Management)
  • Pg 24, Exam Tier I Obj 2.3 Database administrators should monitor the performance of the database for changes in normal activities. Pg 34, Exam Tier II Obj B.1 Logs should be reviewed periodically to ensure they are complete and have not been deleted, overwritten, modified, or compromised. (Pg 24, Exam Tier I Obj 2.3, Pg 34, Exam Tier II Obj B.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Ascertain whether the financial institution records transfer requests in a log or another bank record prior to execution. ▪ Review the logs to determine if supervisory personnel review the record of transfer requests daily. ▪ Select a sample of the transfer request log entries and compare them t… (Exam Tier II Obj 4.6, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • (§ 420.05, GAO/PCIE Financial Audit Manual (FAM))
  • Reviews and analyzes information system audit records [FedRAMP Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6(10) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. (RA-5(8) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information. (SI-4(18) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews and analyzes information system audit records [FedRAMP Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews and analyzes information system audit records [FedRAMP Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. (RA-5(8) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period]. (RA-5(8) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., FedRAMP Security Controls High Baseline, Version 5)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., FedRAMP Security Controls High Baseline, Version 5)
  • Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system]. (SI-4(18) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Review and analyze system audit records [FedRAMP Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., FedRAMP Security Controls Low Baseline, Version 5)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system]. (SI-4(18) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Review and analyze system audit records [FedRAMP Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must routinely review audit logs for unusual or suspicious activities and report any findings to the appropriate officials. The system must have an audit reduction and report generation capability. (§ 5.6.2, Exhibit 4 AU-6, Exhibit 4 AU-7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are the audit logs reviewed on a regular basis to determine if the access and use was appropriate? (IT - Authentication Q 9, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Do the digital signature procedures include generating and auditing session reports? (IT - Authentication Q 21b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are firewall logs reviewed? (IT - Firewalls Q 17, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the firewall log reviewed at least each business day? (IT - Firewalls Q 18, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the administrative access log reviewed, printed, and retained by management? (IT - Firewalls Q 39, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are intrusion detection logs and reports reviewed on a regular basis and any necessary action taken? (IT - IDS IPS Q 21, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are the administrative logs periodically reviewed by a supervisor? (IT - Member Online Services Q 20, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include monitoring firewall logs and intrusion detection logs? (IT - Policy Checklist Q 6, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the router log activity monitored and kept, if the router is maintained by a third party? (IT - Routers Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the router log activity monitored? (IT - Routers Q 30, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are security incident logs maintained and reviewed? (IT - Security Program Q 6, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are security monitoring reports generated and reviewed on a regular basis? (IT - Security Program Q 24, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are security logs, system logs, and server logs reviewed on a regular basis to detect inappropriate activity? (IT - Security Program Q 28, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is there an assigned reviewer for reviewing the server logs? (IT - Servers Q 15, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union review the Access Point logs on a regular basis? (IT - WLANS Q 22, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.1.7 Bullet 1: Implement a procedure to regularly review Information System activity records to include audit logs, access reports, or security incident tracking reports. § 4.1.9 Bullet 1: Implement the necessary review process. (§ 4.1.7 Bullet 1, § 4.1.9 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Audit logs should be reviewed frequently. (Table 8-5 Item 49, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Calls for Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy (PR.PT-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Detected events are analyzed to understand attack targets and methods (DE.AE-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy (PR.PT-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Detected events are analyzed to understand attack targets and methods (DE.AE-2, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy. (PR.PT-1, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • (§ 3.13.3, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • AU-6, AU-6.2 Organizational records and documents should be examined to ensure audit trails are reviewed and analyzed regularly, audit monitoring, analysis, and reporting is conducted on a routine basis, and specific responsibilities and actions are defined for the implementation of the audit monito… (AU-6, AU-6.2, SI-4, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Conduct analysis of log files, evidence, and other information to determine best methods for identifying the perpetrator(s) of a network intrusion. (T0027, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible threats to network security. (T0161, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide daily summary reports of network events and activity relevant to cyber defense practices. (T0198, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems. (T0170, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings). (T0294, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Analyze incident data for emerging trends. (T0308, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Analyze and report organizational security posture trends. (T0469, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools. (T0295, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life. (T0118, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform cyber defense trend analysis and reporting. (T0164, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct analysis of log files, evidence, and other information to determine best methods for identifying the perpetrator(s) of a network intrusion or other crimes. (T0433, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Analyze and report system security posture trends. (T0470, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Evaluate and interpret metadata to look for patterns, anomalies, or events, thereby optimizing targeting, analysis and processing. (T0844, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review findings from the continuous monitoring program and mitigate risks on a timely basis. (T1007, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization. (CT.DM-P8, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization may regularly review and analyze audit records for unusual activity or inappropriate activity that affects Personally Identifiable Information, investigate suspected violations or suspicious activity, report the findings to the appropriate personnel, and take any necessary actions. (§ 4.3 Bullet Audit Review, Analysis, and Reporting (AU-6), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must review and analyze the audit records on a defined frequency and report the findings to management. (SG.AU-6 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should integrate the audit record analysis with performance analysis and network monitoring to enhance the discovery of inappropriate activity or unusual activity. (SG.AU-6 Additional Considerations A4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should review the records of all configuration changes to the system. (SG.CM-5 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should conduct audits of system changes at a predefined frequency and when a suspected unauthorized change has occurred. (SG.CM-5 Requirement 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Designated officials in the organization must review the access logs after closeout and on a defined frequency. (SG.PE-6 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and analyze audit records for inappropriate or unusual activity on a predetermined frequency. (App F § AU-6, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must review the physical access logs on a predefined frequency. (App F § PE-6.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should review historic audit logs to determine if any identified vulnerabilities have been previously exploited. (App F § RA-5(8), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should analyze the system's communications traffic and event patterns. (App F § SI-4(13)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should develop profiles for common traffic patterns and events. (App F § SI-4(13)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should correlate the monitoring tool information to achieve organization-wide situational awareness. (App F § SI-4(16), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should correlate the monitoring results from physical activities, cyber activities, and supply chain activities to achieve integrated situational awareness. (App F § SI-4(17), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Perform analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible threats to network security. (T0161, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct analysis of log files, evidence, and other information to determine best methods for identifying the perpetrator(s) of a network intrusion. (T0027, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct analysis of log files, evidence, and other information to determine best methods for identifying the perpetrator(s) of a network intrusion or other crimes. (T0433, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Review findings from the continuous monitoring program and mitigate risks on a timely basis. (T1007, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools. (T0295, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization reviews and analyzes information system audit records {organizationally documented frequency} for indications of {organizationally documented inappropriate or unusual activity}. (AU-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6(10), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. (RA-5(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization analyzes communications traffic/event patterns for the information system. (SI-4(13)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops profiles representing common traffic patterns and/or events. (SI-4(13)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization correlates information from monitoring tools employed throughout the information system. (SI-4(16), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness. (SI-4(17), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at {organizationally documented interior points within the system (e.g., subsystems, subnetworks)} to detect covert exfiltration of information. (SI-4(18), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and analyzes information system audit records {organizationally documented frequency} for indications of {organizationally documented inappropriate or unusual activity}. (AU-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and analyzes information system audit records {organizationally documented frequency} for indications of {organizationally documented inappropriate or unusual activity}. (AU-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and analyzes information system audit records {organizationally documented frequency} for indications of {organizationally documented inappropriate or unusual activity}. (AU-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. (AU-6(10) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. (RA-5(8) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information. (SI-4(18) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Analyzes communications traffic/event patterns for the information system; (SI-4(13)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives. (SI-4(13)(c), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period]. (RA-5(8) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Analyze communications traffic and event patterns for the system; (SI-4(13)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system]. (SI-4(18) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review historic audit logs to determine if a vulnerability identified in a [Assignment: organization-defined system] has been previously exploited within an [Assignment: organization-defined time period]. (RA-5(8) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and (AU-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Analyze communications traffic and event patterns for the system; (SI-4(13)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system]. (SI-4(18) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization's management should develop activities for monitoring the system to ensure it is meeting the objectives of the organization. (Pg 3, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • Implement processes to generate alerts and log cybersecurity events in response to anomalous activity. Review the logs and respond to alerts in a timely manner. (Table 2: Anomalies and Events Baseline Security Measures Cell 1, Pipeline Security Guidelines)
  • Reviews and analyzes information system audit records [TX-RAMP Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a., TX-RAMP Security Controls Baseline Level 1)
  • Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and (AU-7a., TX-RAMP Security Controls Baseline Level 2)
  • The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited. (RA-5(8) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • Reviews and analyzes information system audit records [TX-RAMP Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (AU-6a., TX-RAMP Security Controls Baseline Level 2)