UCF ID: 00637 | Control Type: Process or Activity | Status: Live
Supporting and supported controls
This control directly supports:
• Monitoring and measurement [UCF Control ID 00636]
This control has the following supporting controls:
• Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. [UCF Control ID 00638]
• Establish and maintain standards and procedures for collecting and interpreting logs. [UCF Control ID 00643]
• Assess system performance regularly. [UCF Control ID 00651]
• Assess customer satisfaction. [UCF Control ID 00652]
• Log and report to management the periodic reviews of compliance checklists, audit reports, sign-off sheets, and others. [UCF Control ID 00653]
Authority documents complied with:
SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.98, § 314.99; FFIEC IT Examination Handbook – Information Security, Pg 81; FFIEC IT Examination Handbook – Management, Pg 26; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 20, Exam Tier II Obj 12.1; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308(a)(1)(ii)(D); Introductory Resource Guide for HIPAA NIST SP 800-66, § 4.15; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-007-1 R6, CIP-007-1 R6.1; Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives, § 15.e; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; GAO/PCIE Financial Audit Manual (FAM), § 260.48; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.2, Exhibit 4 AU-1; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, § G.4.1.5; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, § 3.4, App F § AU-2; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AU-2, AU-2.2, CM-5(1), CM-5.8; CobiT, Version 4.1, ME1.1; The Standard of Good Practice for Information Security, SM6.5.3(c), SM7.1.3(c), CB2.1.3(c), CB5.4.5(c), CI2.2.1, CI5.5.5(c), NW1.1.5, NW4.5.5(c), SD2.3.5(c), UE1.1.3(c); ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 10.6.1, § 10.10.1, § 10.10.2; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.10.10.2; ISO/IEC 27002 Code of practice for information security management, 2005, § 10.6.1, § 10.10.1, § 10.10.2; OECD / World Bank Technology Risk Checklist, Version 7.3, § I.14; Turnbull Guidance on Internal Control, UK FRC, October 2005, ¶ 27; Australian Government ICT Security Manual (ACSI 33), § 2.8.17, § 3.5.47, § 3.7.12, § 3.7.26; Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts, § 17.03(3)10, § 17.04(4); BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 26, Principle 5; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 3.2.4; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007, Table 8-2 Item 17; Center for Internet Security Mac OS X Tiger Level I Security Benchmark, Version 1.0 May 2008, § 2.11; Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings, Version 1.0 August 2006, § 3.6; Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1, § 4.2; Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3, MFD06.006; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 4.3.1.A, § 4.3.1.F; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.14.10, § 7.5.6; ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998, ¶ 11.1
Sarbanes Oxley Guidance
The organization should maintain monitoring on an ongoing basis, including ensuring the controls are functioning as intended and modified when there are changes to the system. The monitoring activities are accomplished through ongoing activities and separate evaluations. [§ 314.98, § 314.99, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]
Banking and Finance Guidance
The organization's monitoring program should identify control failures, detect an intrusion or security incident, and support forensic activities. [Pg 81, FFIEC IT Examination Handbook – Information Security]
Senior management should oversee and monitor all internal controls. [Pg 26, FFIEC IT Examination Handbook – Management]
The hardware and software should be configured to support effective monitoring. Applications should have the capability to produce audit trails in enough detail to allow analysis and/or investigation of specific transactions. [Pg 20, Exam Tier II Obj 12.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
The organization should implement an effective monitoring process. Monitoring should occur on a regular basis. [¶ 26, Principle 5, BIS Sound Practices for the Management and Supervision of Operational Risk]
Healthcare and Life Science Guidance
Procedures to regularly review records of information security activity should be implemented. [§ 164.308(a)(1)(ii)(D), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
This section discusses how to meet the HIPAA objective of implementing “hardware, software and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information” by providing a series of key activities to handle. The material is very detailed, and should be reviewed directly. [§ 4.15, Introductory Resource Guide for HIPAA NIST SP 800-66]
Energy Guidance
The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for monitoring for security events on all Cyber Assets within the Electronic Security Perimeter. [CIP-007-1 R6, CIP-007-1 R6.1, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
Payment Card Guidance
Payment activities must have an automated audit trail for tracking and monitoring access to the application. [§ 4.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]
§ 4.3.1.A Use a centrally controlled wireless Intrusion Detection System/Intrusion Prevention System (IDS/IPS) to monitor for unauthorized access and detect rogues and misconfigured wireless devices.
§ 4.3.1.F Add processes and policies that will regularly read and act on the data provided by the IDS/IPS. [§ 4.3.1.A, § 4.3.1.F, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
US Federal Security Guidance
The organization must implement and monitor the status of event and activity logging controls. [§ 15.e, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives]
Calls for Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
Calls for the construction of efficient tests, taking into consideration the nature, timing, and extent of the tests to be performed. [§ 260.48, GAO/PCIE Financial Audit Manual (FAM)]
US Internal Revenue Guidance
The organization must develop, document, distribute, and continuously update an audit and accountability policy and procedures for implementing auditing security controls. [§ 5.6.2, Exhibit 4 AU-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
Records Management Guidance
Regular monitoring and auditing of the record keeping system to assess its performance is called for. [§ G.4.1.5, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]
NIST Guidance
§ 3.4 The organization must establish a continuous monitoring program that includes assessment of security control effectiveness, ongoing monitoring of incidents and events, implementation of corrective actions, and reassessment of security controls.
App F § AU-2 The organization must establish and maintain auditable-events policies and procedures that determine the events to be audited, coordinate security audits with other system audits, ensure the auditable events support subsequent incident investigations, and maintain the event list based on changes in the risk assessment. [§ 3.4, App F § AU-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records, documents, and the system configuration should be examined to ensure audit records are being generated for all defined events, audit records are generated continuously, and specific responsibilities and actions are defined for the implementation of the auditable events control. Any problems discovered during the implementation of the auditable events control should be documented and used to improve the controls.
Test the system by performing actions that the system is configured to audit to ensure an audit record is generated. Test the system to ensure access restrictions are properly configured and the system audits these actions.
Interviews should be conducted with personnel who configure the auditing parameters and events and with personnel who are involved in the auditing process. [AU-2, AU-2.2, CM-5(1), CM-5.8, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
The organization should develop wireless security audit procedures and processes that should include the types of security events to capture and how to store the audit records. [Table 8-2 Item 17, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007]
US State Laws and Protectorates Guidance
The comprehensive information security program must include monitoring of the program on a regular basis to ensure its operation will prevent unauthorized use of or access to personal information. Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all computers and wireless systems and must include system monitoring to detect unauthorized access or use. [§ 17.03(3)10, § 17.04(4), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts]
System Configuration Guidance
Logs are a valuable resource when tracking security incidents. Logging should be enabled on all systems. By default, the logs are located in /var/log. To forward events to a central log server, add a line of the form "*.* @your.log.host" to the /etc/syslog.conf file (your.log.host is the name of the log server; the "*.*" selector forwards all facilities and priorities and can be narrowed if only some messages should leave the host). A bare "@your.log.host" with no selector is not a valid syslog.conf entry. Note that classic syslog forwarding is UDP, unauthenticated and in the clear, so the log host should be reachable only over a protected management network. [§ 2.11, Center for Internet Security Mac OS X Tiger Level I Security Benchmark, Version 1.0 May 2008]
The Server Security report and the Server Settings report should be reviewed periodically to monitor the status of the servers. [§ 3.6, Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings, Version 1.0 August 2006]
Other Configuration Guidance
Establish an audit log for MFDs and print spoolers. The audit log should contain the user, key operator, and administrator codes and passwords, and the enabled features and services. Any deviation from the baseline should be treated as a potential security incident. Ensure operational security controls are in place so that servicing of devices by authorized personnel is in accordance with change and configuration protocols. [MFD06.006, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3]
ISO Guidance
Appropriate logging and monitoring of the network should be enabled to record all security-relevant events. The audit logs should be kept for a predetermined amount of time. The audit logs should include user IDs; date, time, and detail of the event; terminal identity or location; changes to system configuration; use of privileges; files accessed; use of system applications; network addresses visited and protocols used; and activation and deactivation of protection systems. [§ 10.6.1, § 10.10.1, § 10.10.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
Procedures should be developed for monitoring the information systems. The monitoring results should be reviewed on a regular basis. [Annex A.10.10.2, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
Appropriate logging and monitoring of the network should be enabled to record all security-relevant events. The audit logs should be kept for a predetermined amount of time. The audit logs should include user IDs; date, time, and detail of the event; terminal identity or location; changes to system configuration; use of privileges; files accessed; use of system applications; network addresses visited and protocols used; and activation and deactivation of protection systems. [§ 10.6.1, § 10.10.1, § 10.10.2, ISO/IEC 27002 Code of practice for information security management, 2005]
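As an added example (not part of the UCF page or of any cited standard), the following Python script applies two of the checks above to a handful of constructed syslog-style audit lines: the NIST SP 800-53A assessment idea that every event the audit policy defines as auditable actually produces a record, and the ISO/IEC 17799/27002 § 10.10.1 requirement that each record carries a user ID, date and time, event detail, and terminal identity. The key=value record layout, the list of defined events, and the sample lines are assumptions made for illustration.

```python
"""Audit-trail completeness check (added example, not from the UCF page).

Two checks over syslog-style audit lines:
  1. every event the audit policy defines as auditable produced a record
     (the NIST SP 800-53A AU-2 assessment idea), and
  2. every record carries the fields ISO/IEC 17799/27002 § 10.10.1 lists
     (user ID, date/time, event detail, terminal identity).
The record layout, event list and sample lines are constructed for
illustration; none of them comes from the cited standards.
"""
import re

# Fields each record must carry (a subset of the § 10.10.1 list).
REQUIRED_FIELDS = ("timestamp", "user", "event", "terminal")

# Events the (hypothetical) AU-2 auditable-events list says must be logged.
DEFINED_EVENTS = frozenset({
    "login_success", "login_failure", "privilege_use",
    "config_change", "file_access",
})

# Assumed record layout: "<timestamp> <host> audit[<pid>]: key=value ..."
RECORD_RE = re.compile(
    r"^(?P<timestamp>\S+)\s+(?P<host>\S+)\s+audit\[\d+\]:\s+(?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: four audit records plus one unrelated sshd line.
SAMPLE_LOG = [
    "2009-07-14T09:12:01Z host1 audit[412]: event=login_success user=alice terminal=pts/0",
    "2009-07-14T09:13:44Z host1 audit[412]: event=login_failure user=bob terminal=pts/1",
    '2009-07-14T09:15:10Z host1 audit[412]: event=privilege_use user=alice terminal=pts/0 detail="sudo -i"',
    "2009-07-14T09:20:00Z host1 audit[412]: event=file_access user=alice object=/etc/shadow",
    "2009-07-14T09:21:30Z host1 sshd[200]: Connection closed by 192.0.2.10",
]


def parse_record(line):
    """Parse one audit line into a dict, or return None for non-audit lines."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    rec = {"timestamp": m.group("timestamp"), "host": m.group("host")}
    for key, value in KV_RE.findall(m.group("body")):
        rec[key] = value.strip('"')   # drop quotes around multi-word values
    return rec


def check_audit_trail(lines, defined_events=DEFINED_EVENTS, required=REQUIRED_FIELDS):
    """Report defined events with no record, records missing required fields,
    and lines that are not audit records at all."""
    seen_events = set()
    incomplete = []   # (line number, [missing field, ...])
    unparsed = []     # line numbers that did not match RECORD_RE
    for number, line in enumerate(lines, start=1):
        rec = parse_record(line)
        if rec is None:
            unparsed.append(number)
            continue
        if "event" in rec:
            seen_events.add(rec["event"])
        missing = [field for field in required if field not in rec]
        if missing:
            incomplete.append((number, missing))
    return {
        "missing_events": sorted(defined_events - seen_events),
        "incomplete_records": incomplete,
        "unparsed_lines": unparsed,
    }


def event_was_recorded(log_before, log_after, event, user):
    """SP 800-53A AU-2.2 style test: after deliberately performing `event` as
    `user`, confirm a matching record appeared among the lines added since.
    Assumes log_after is log_before with new lines appended."""
    for line in log_after[len(log_before):]:
        rec = parse_record(line)
        if rec and rec.get("event") == event and rec.get("user") == user:
            return True
    return False


if __name__ == "__main__":
    report = check_audit_trail(SAMPLE_LOG)
    print("defined events never observed:", report["missing_events"])
    print("records missing required fields:", report["incomplete_records"])
    print("non-audit lines skipped:", report["unparsed_lines"])
```

On the constructed sample the report flags config_change as a defined event with no record, the file_access record as lacking a terminal identity, and the sshd line as not an audit record; each finding maps to a documented gap to raise with whoever owns the audit configuration, which is what the SP 800-53A assessment step asks for.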
Service providers should ensure equipment and physical facilities are continuously monitored for availability. Outsourced service providers should ensure procedures have been implemented to monitor and log all logical access to computer systems on a 24x7 basis. [§ 6.14.10, § 7.5.6, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
Maintenance. The majority of safeguards will require maintenance and administrative support to ensure their correct and appropriate functioning during their life. These activities (maintenance and administration) should be planned and performed on a regular scheduled basis. In this manner their overhead can be minimized, and the value of the safeguards preserved.
To detect malfunctions, periodic inspection is necessary. A safeguard never checked is of little value as there is no way of knowing what reliance can be placed on it.
Maintenance activities include:
· the checking of log files,
· modifying parameters to reflect changes and additions,
· re-initiation of seed values or counters, and
· updating with new versions.
The cost of maintenance and administration should always be factored in when assessing and selecting between different safeguards. This is because maintenance and administrative costs can differ widely between one safeguard and the next. Hence, this can often become a significant determinant in the selection of safeguards. Generally speaking, it is desirable to minimize the ongoing maintenance and administrative costs wherever possible as they represent recurring costs rather than one time costs. [¶ 11.1, ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998]
General Guidance
The organization should ensure that management establishes a general monitoring framework and approach that define the scope, methodology and process to be followed for monitoring IT’s contribution to the results of the enterprise’s portfolio management and program management processes and those processes that are specific to the delivery of IT capability and services. The framework should integrate with the corporate performance management system. [ME1.1, CobiT, Version 4.1]
Documented procedures should be developed for the logging of security events for third party connections, the installation (facility), and systems. The activities of the audit team and individuals running the network should be monitored and logged. Procedures should specify the methods for monitoring key security events. [SM6.5.3(c), SM7.1.3(c), CB2.1.3(c), CB5.4.5(c), CI2.2.1, CI5.5.5(c), NW1.1.5, NW4.5.5(c), SD2.3.5(c), UE1.1.3(c), The Standard of Good Practice for Information Security]
EU Guidance
The OECD Risk Checklist calls for identification, monitoring, measuring, and control of electronic security risks. [§ I.14, OECD / World Bank Technology Risk Checklist, Version 7.3]
UK and Canadian Guidance
[¶ 27, Turnbull Guidance on Internal Control, UK FRC, October 2005]
Other European and African Guidance
The key risks and performance indicators should be monitored regularly to ensure the internal controls are effective. [¶ 3.2.4, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]
Asia and Pacific Rim Guidance
The organization should develop, implement, and maintain procedures to detect potential security incidents by implementing auditing on all systems. The auditing requirements should include a list of events to be logged; how to protect the audit log; back-up procedures; the auditing schedule; what actions to take when a violation occurs; who to report findings to; and specific responsibilities for auditing. The e-mail server should be regularly audited to detect potential threats, such as denial of service attacks and using the server as a mail relay. [§ 2.8.17, § 3.5.47, § 3.7.12, § 3.7.26, Australian Government ICT Security Manual (ACSI 33)]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
