Status: Live
The organization will implement procedures to regularly review records of information system activity, such as audit logs, IDS reports, access reports, and security incident tracking reports. [UCF ID 00596]
Supporting and supported controls
This control directly supports:
- Collection and interpretation of logs [UCF Control ID 00643]
There are no supporting controls.
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 4.2, ¶ .20 § 4.2, ¶ .24 § 4.2, ¶ .29 § 4.2; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 29, Obj 1.5, Obj 4.3; FFIEC IT Examination Handbook – Management, Pg 31, Pg 32; FFIEC IT Examination Handbook – Operations, July 2004, Pg 34, Exam Tier II Obj B.1; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 4.6; CMS Core Security Requirements (CSR), Draft, § 1.2.1, § 1.6.1, § 2.1.6, § 4.2.4; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308(a)(1)(ii)(D); North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-007-1 R6.5; MasterCard Electronic Commerce Security Architecture Best Practices, April 2003, § 3-4; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 10.6; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-3.a(1); Protection of Assets Manual, ASIS International, Pg 12-IV-4; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-602.a; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.2, Exhibit 4 AU-6, Exhibit 4 AU-7; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.13.3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, AU-6 thru AU-6(2); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AU-6, AU-6.2; ISF Security Audit of Networks, Further Issues 1 § 2.3; The Standard of Good Practice for Information Security, CB2.2.7, CB3.1.7(a), CI2.2.8, NW2.1.5; Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1, § 3.16.1; DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 5.2, § 6.2.1; ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 8.4, § C.5; ISO 17799:2005 Code of Practice for Information Security Management, § 10.10.2; ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.3(b); ISO/IEC 27002-2005 Code of practice for information security management, § 10.10.2; Australian Government ICT Security Manual (ACSI 33), § 3.7.28; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 10.6; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007, Table 8-5 Item 49; Archer Control Table, ATCS-180, ATCS-181, ATCS-229, ATCS-333, ATCS-335, ATCS-336, ATCS-351, ATCS-381; Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition, Pg 132, Pg 134; DISA Windows Server 2003 Security Checklist Version 6 Release 1.11, Version 6 Release 1.11, § 3.8; DISA Windows XP Security Checklist, Version 6 Release 1.11, § 3.8; DISA Windows VISTA Security Checklist, Version 6 Release 1.11, § 3.1 (1.029); Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT, § 4.3 (AU-6); Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3, MFD06.006; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 3.3.1.C
Sarbanes Oxley Guidance
The system logs should be reviewed periodically to identify and correct any problems that may prevent the system from operating in accordance with the security policy, system availability policy, system processing integrity policy, and system confidentiality policy. [¶ .17 § 4.2, ¶ .20 § 4.2, ¶ .24 § 4.2, ¶ .29 § 4.2, AICPA Suitable Trust Services Principles and Criteria]
Banking and Finance Guidance
Audit logs and intrusion detection system reports should be reviewed regularly. [Pg 29, Obj 1.5, Obj 4.3, FFIEC IT Examination Handbook – E-Banking, August 2003]
The organization should review System and Security Administrator activity audit trails and logs. [Pg 31, Pg 32, FFIEC IT Examination Handbook – Management]
Logs should be reviewed periodically to ensure they are complete and have not been deleted, overwritten, modified, or compromised. [Pg 34, Exam Tier II Obj B.1, FFIEC IT Examination Handbook – Operations, July 2004]
[Exam Tier II Obj 4.6, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
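The FFIEC Operations guidance above asks reviewers to confirm that logs are complete and have not been deleted, overwritten or modified. A review procedure can only answer that if the logger leaves something to check against. The following is an added example, not text or code from FFIEC or from the UCF; it assumes a logger that writes each record with a monotonically increasing sequence number and a SHA-256 chain hash over the previous record's hash, and it uses constructed sample events, not records from any real system. `verify_log` reports sequence gaps (deleted records), out-of-order records (overwritten or reordered), and chain breaks (a record altered after it was written). Deleting records from the tail of the log leaves the chain intact, so the final hash must be anchored out of band (for example, forwarded to a separate log host at each review) and passed in as `expected_last_hash`; the example shows both the undetected and the detected case.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash value assumed for "the record before the first record"

# Constructed sample events (not from any real system).
SAMPLE_EVENTS = [
    ("2009-07-01T08:00:01", "sshd: Accepted password for alice from 10.0.0.5"),
    ("2009-07-01T08:05:12", "sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow"),
    ("2009-07-01T08:07:45", "sshd: Failed password for root from 198.51.100.7"),
    ("2009-07-01T08:07:49", "sshd: Failed password for root from 198.51.100.7"),
]


def chain_hash(prev_hash, record):
    """SHA-256 over the previous record's hash and this record's fields (hash excluded)."""
    body = json.dumps({k: v for k, v in record.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def build_log(events):
    """Write events as a hash-chained log, as the assumed logger would."""
    records, prev = [], GENESIS
    for seq, (ts, msg) in enumerate(events, start=1):
        rec = {"seq": seq, "ts": ts, "msg": msg}
        rec["hash"] = chain_hash(prev, rec)
        prev = rec["hash"]
        records.append(rec)
    return records


def verify_log(records, expected_last_hash=None):
    """Return findings for gaps, reordering, modification and (if anchored) truncation."""
    findings = []
    prev_hash, expected_seq = GENESIS, 1
    for rec in records:
        seq = rec["seq"]
        if seq > expected_seq:
            findings.append(f"gap: records {expected_seq}..{seq - 1} missing (deleted?)")
        elif seq < expected_seq:
            findings.append(f"out of order: seq {seq} after seq {expected_seq - 1} (overwritten?)")
        # A record edited in place keeps its stored hash, so recomputing exposes it;
        # a deleted predecessor also breaks the chain for the record that followed it.
        if chain_hash(prev_hash, rec) != rec["hash"]:
            findings.append(f"chain break: seq {seq} does not hash from its predecessor (modified?)")
        prev_hash = rec["hash"]
        expected_seq = max(expected_seq, seq) + 1
    if expected_last_hash is not None and prev_hash != expected_last_hash:
        findings.append("truncated: final hash differs from the out-of-band anchor (tail deleted?)")
    return findings


def demo():
    """Intact log, log with one record deleted, log with one record edited in place."""
    log = build_log(SAMPLE_EVENTS)
    deleted = [r for r in log if r["seq"] != 2]          # attacker removes the sudo record
    modified = [dict(r) for r in log]
    modified[2]["msg"] = modified[2]["msg"].replace("Failed", "Accepted")  # stored hash untouched
    return verify_log(log), verify_log(deleted), verify_log(modified)


if __name__ == "__main__":
    for label, result in zip(("intact", "deleted", "modified"), demo()):
        print(label, result)
    log = build_log(SAMPLE_EVENTS)
    print("tail cut, no anchor:", verify_log(log[:-1]))
    print("tail cut, anchored:", verify_log(log[:-1], expected_last_hash=log[-1]["hash"]))
```

The chain only proves integrity from the point where the reviewer holds a trusted anchor, so the review procedure should record the final hash at each review and compare it at the next; without that, truncation of the most recent records is invisible to this check.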
Healthcare and Life Science Guidance
[§ 1.2.1, § 1.6.1, § 2.1.6, § 4.2.4, CMS Core Security Requirements (CSR), Draft]
[§ 164.308(a)(1)(ii)(D), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
Energy Guidance
The Responsible Entity shall review logs of system events related to cyber security and maintain records documenting review of logs. [CIP-007-1 R6.5, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
Payment Card Guidance
Review firewall logs regularly. [§ 3-4, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003]
The organization must ensure all logs are reviewed on a daily basis. Logging tools may be used to meet this requirement.
Verify that the security policy and procedures state that audit logs are to be reviewed daily and that any exceptions are handled appropriately.
Interview the system administrator to confirm that they review the audit logs daily. [§ 10.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
The organization must ensure all logs are reviewed on a daily basis. Logging tools may be used to meet this requirement. [§ 10.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
Monitor firewall logs daily for wireless traffic entering the Cardholder Data Environment (CDE). [§ 3.3.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
US Federal Security Guidance
Audit trails should be reviewed daily, and at a minimum weekly. [§ 2-3.a(1), Army Regulation 380-19: Information Systems Security, February 27, 1998]
Audit trails should be reviewed for suspicious activity by independent audit groups at irregular intervals. [Pg 12-IV-4, Protection of Assets Manual, ASIS International]
Audit trails must be reviewed at least weekly. [§ 8-602.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
FIPS 200 calls for Audit and Accountability (AU): organizations must (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
US Internal Revenue Guidance
The organization must routinely review audit logs for unusual or suspicious activities and report any findings to the appropriate officials. The system must have an audit reduction and report generation capability. [§ 5.6.2, Exhibit 4 AU-6, Exhibit 4 AU-7, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.13.3, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
The organization needs to regularly review and analyze audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take necessary actions.
For high-impact systems, this process should be automated.
Automated mechanisms should send immediate security alerts when inappropriate or unusual activities with security implications occur. [AU-6 thru AU-6(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records and documents should be examined to ensure that audit trails are reviewed and analyzed regularly, that audit monitoring, analysis, and reporting are conducted on a routine basis, and that specific responsibilities and actions are defined for implementing the audit monitoring, analysis, and reporting control. Any problems discovered while implementing the control should be documented and used to improve it. If unusual activity is detected, it should be investigated, reported to appropriate personnel, and appropriate actions taken.
Test the system by generating auditable events that cause an audit failure or a suspicious-activity condition, then observe how the organization responds and how long it takes, to confirm that audit trails are reviewed and analyzed regularly for suspicious activity.
Interviews should be conducted with personnel involved with the monitoring and analysis of audit reports. [AU-6, AU-6.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
Audit logs should be reviewed frequently. [Table 8-5 Item 49, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007]
The organization should regularly review audit records for any indications that Personally Identifiable Information (PII) has been tampered with or accessed inappropriately. [§ 4.3 (AU-6), Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT]
System Configuration Guidance
Audit trails can show whether the system is being compromised or whether malicious users are trying to damage it. The information assurance officer should review the audit trails and system logs daily, looking for: excessive logon failures by single or multiple users; logons at unusual or non-duty hours; failed attempts to access restricted system or data files, indicating a possible pattern of deliberate browsing; unusual or unauthorized activity by system administrators; command-line activity by a user who should not have that capability; system failures or errors; and unusual or suspicious patterns of activity. [§ 3.16.1, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1]
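The UNIX STIG checklist above is a set of detection rules, and a daily review that is done by eye does not scale past a handful of hosts. The following is an added example, not code from DISA or from the UCF, that runs the first five items of that checklist over syslog-style lines: excessive logon failures per user and source, logons outside duty hours, repeated denied access to restricted files, interactive root shells obtained through sudo (administrator activity that evades per-command auditing), and shell use by accounts not permitted one. The log lines, the line formats, the thresholds and the `POLICY` values are all constructed for the example and must be adapted to the site's real log formats and policy.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Review policy: every value here is an assumption for this example, not from the STIG.
POLICY = {
    "duty_hours": (7, 19),                 # logons outside 07:00-19:00 are flagged
    "failed_logon_threshold": 5,           # failures per user/source per day
    "restricted_prefixes": ("/etc/shadow", "/etc/sudoers", "/root/"),
    "browsing_threshold": 2,               # denied restricted accesses per user that suggest browsing
    "shell_permitted": {"alice", "root"},  # accounts allowed an interactive shell
    "interactive_shells": {"/bin/bash", "/bin/sh", "/bin/zsh"},
}

# Constructed sample log (not from any real system); one day on one host.
SAMPLE_LOG = """\
2009-07-01T02:14:03 host1 sshd[411]: Failed password for root from 198.51.100.7 port 40122
2009-07-01T02:14:05 host1 sshd[411]: Failed password for root from 198.51.100.7 port 40123
2009-07-01T02:14:08 host1 sshd[411]: Failed password for root from 198.51.100.7 port 40124
2009-07-01T02:14:11 host1 sshd[411]: Failed password for root from 198.51.100.7 port 40125
2009-07-01T02:14:14 host1 sshd[411]: Failed password for root from 198.51.100.7 port 40126
2009-07-01T02:14:17 host1 sshd[411]: Failed password for root from 198.51.100.7 port 40127
2009-07-01T03:02:41 host1 sshd[520]: Accepted password for bob from 10.0.0.9 port 50211
2009-07-01T09:15:00 host1 sshd[611]: Accepted publickey for alice from 10.0.0.5 port 50300
2009-07-01T09:16:12 host1 audit: user=carol op=open path=/etc/shadow result=denied
2009-07-01T09:16:13 host1 audit: user=carol op=open path=/etc/sudoers result=denied
2009-07-01T09:16:15 host1 audit: user=carol op=open path=/root/.ssh/id_rsa result=denied
2009-07-01T09:20:30 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
2009-07-01T11:45:02 host1 audit: user=dave op=shell cmd=/bin/sh result=allowed
"""

# Line formats assumed for the constructed sample above.
FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
DENIED = re.compile(r"^(\S+) \S+ audit: user=(\S+) op=open path=(\S+) result=denied")
SHELL = re.compile(r"^(\S+) \S+ audit: user=(\S+) op=shell cmd=(\S+) result=allowed")
SUDO = re.compile(r"^(\S+) \S+ sudo: (\S+) : .*COMMAND=(\S+)")


def review_logs(text, policy=POLICY):
    """Apply the STIG review items to log lines; return (category, detail) findings."""
    findings = []
    failed = Counter()           # (day, user, source) -> failure count
    denied = defaultdict(list)   # user -> restricted paths denied
    for line in text.splitlines():
        if m := FAILED.match(line):
            ts, user, src = m.groups()
            failed[(ts[:10], user, src)] += 1
        elif m := ACCEPTED.match(line):
            ts, user, src = m.groups()
            lo, hi = policy["duty_hours"]
            if not lo <= datetime.fromisoformat(ts).hour < hi:
                findings.append(("off_hours_logon", f"{user} from {src} at {ts}"))
        elif m := DENIED.match(line):
            ts, user, path = m.groups()
            if path.startswith(policy["restricted_prefixes"]):
                denied[user].append(path)
        elif m := SHELL.match(line):
            ts, user, cmd = m.groups()
            if user not in policy["shell_permitted"]:
                findings.append(("unauthorized_shell", f"{user} ran {cmd} at {ts}"))
        elif m := SUDO.match(line):
            ts, user, cmd = m.groups()
            if cmd in policy["interactive_shells"]:
                findings.append(("admin_interactive_shell", f"{user} escalated to {cmd} at {ts}"))
    # Aggregated checks: counts only mean something once the whole period has been read.
    for (day, user, src), n in failed.items():
        if n >= policy["failed_logon_threshold"]:
            findings.append(("excessive_logon_failures", f"{n} failures for {user} from {src} on {day}"))
    for user, paths in denied.items():
        if len(paths) >= policy["browsing_threshold"]:
            findings.append(("restricted_file_browsing", f"{user} denied on {', '.join(paths)}"))
    return findings


if __name__ == "__main__":
    for category, detail in review_logs(SAMPLE_LOG):
        print(f"{category:26} {detail}")
```

Two points carry over to real deployments: the per-line checks fire immediately and can feed the alerting that NIST AU-6 asks for, while the threshold checks need the whole review window, so the review job must run against a complete day's logs rather than a tail; and an interactive shell under sudo leaves no further per-command audit trail, which is why it is listed for review rather than treated as routine administrator activity.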
Log files should be reviewed on a regular basis; if they are not, suspicious activity may go unnoticed. [Pg 132, Pg 134, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition]
The audit logs should be reviewed regularly to identify possible security breaches. [§ 3.8, DISA Windows Server 2003 Security Checklist Version 6 Release 1.11, Version 6 Release 1.11]
Audit logs should be reviewed on a regular basis. This review should be conducted to identify any security breaches or weaknesses in the system. [§ 3.8, DISA Windows XP Security Checklist, Version 6 Release 1.11]
The site should have a policy that defines the procedures for reviewing audit logs. Audit logs should be reviewed on a regular basis to identify potential security breaches and weaknesses. [§ 3.1 (1.029), DISA Windows VISTA Security Checklist, Version 6 Release 1.11]
Other Configuration Guidance
Remote users must review the firewall log on a daily basis; any unusual events or suspicious activity must be reported to the security officer immediately. Audit logs must be reviewed by the organization on a daily basis. [§ 5.2, § 6.2.1, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]
MFD and print spooler audit logs should be reviewed regularly. [MFD06.006, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3]
ISO Guidance
The audit system should present audit records in a form that authorized users can interpret. Authorized users should be able to search audit trails by specified criteria. [§ 8.4, § C.5, ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008]
The audit logs should be reviewed regularly. [§ 10.10.2, ISO 17799:2005 Code of Practice for Information Security Management]
The organization should regularly review the results of security events and logs to determine the effectiveness of controls. [§ 4.2.3(b), ISO 27001:2005, Information Security Management Systems - Requirements]
The audit logs should be reviewed regularly. [§ 10.10.2, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
[Further Issues 1 § 2.3, ISF Security Audit of Networks]
Application logs should be reviewed regularly using automated tools, and analyzed to ensure that all events are interpreted and responded to. [CB2.2.7, CB3.1.7(a), CI2.2.8, NW2.1.5, The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
Sufficient trained personnel should be available to review and analyze the logs for potential violations. [§ 3.7.28, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of systems for which event and activity logs are monitored and reviewed in accordance with policy [UCF Control ID 02103]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
