Establishing overall monitoring and logging operations

Status: Live

The organization will ensure that all key information systems generate audit records for events prescribed by internal and external auditing guidelines. [UCF ID 00637]

Authority documents complied with:

SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.98, § 314.99; AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls, § 319.53; FFIEC IT Examination Handbook – Information Security, Pg 81; FFIEC IT Examination Handbook – Management, Pg 26; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 20, Exam Tier II Obj 12.1; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308(a)(1)(ii)(D); Introductory Resource Guide for HIPAA NIST Special Publication 800-66, § 4.15; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-007-1 R6, CIP-007-1 R6.1; Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives, § 15.e; Federal Information Security Management Act of 2002 (FISMA), § 3545(a); FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; GAO/PCIE Financial Audit Manual (FAM), § 260.48; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.2, Exhibit 4 AU-1; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, § G.4.1.5; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, AU-2; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AU-2, AU-2.2, CM-5(1), CM-5.8; CobiT 4.1, ME1.1; The Standard of Good Practice for Information Security, SM6.5.3(c), SM7.1.3(c), CB2.1.3(c), CB5.4.5(c), CI2.2.1, CI5.5.5(c), NW1.1.5, NW4.5.5(c), SD2.3.5(c), UE1.1.3(c); ISO 17799:2005 Code of Practice for Information Security Management, § 10.6.1, § 10.10.1, § 10.10.2; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.10.10.2; ISO/IEC 27002-2005 Code of practice for information security management, § 10.6.1, § 10.10.1, § 10.10.2; OECD / World Bank Technology Risk Checklist, Version 7.3, § I.14; Turnbull Guidance on Internal Control, UK FRC, October 2005, ¶ 27; Australian Government ICT Security Manual (ACSI 33), § 2.8.17, § 3.5.47, § 3.7.12, § 3.7.26; Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts, § 17.03(3)10, § 17.04(4); BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 26, Principle 5; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 3.2.4; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007, Table 8-2 Item 17; Archer Control Table, ATCS-223, ATCS-224, ATCS-668; Center for Internet Security Mac OS X Tiger Level I Security Benchmark, v1.0 May 2008, § 2.11; Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings, v1.0 August 2006, § 3.6; Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1, § 4.2; Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3, MFD06.006; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 4.3.1.A, § 4.3.1.F

Sarbanes Oxley Guidance

The organization should maintain monitoring on an ongoing basis, including ensuring the controls are functioning as intended and modified when there are changes to the system. The monitoring activities are accomplished through ongoing activities and separate evaluations. [§ 314.98, § 314.99, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]

The organization should maintain monitoring on an ongoing basis, including ensuring the controls are functioning as intended and modified when there are changes to the system. The monitoring activities are accomplished through ongoing activities and separate evaluations. [§ 319.53, AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls]

Banking and Finance Guidance

The organization's monitoring program should identify control failures, detect an intrusion or security incident, and support forensic activities. [Pg 81, FFIEC IT Examination Handbook – Information Security]

Senior management should oversee and monitor all internal controls. [Pg 26, FFIEC IT Examination Handbook – Management]

The hardware and software should be configured to support effective monitoring. Applications should have the capability to produce audit trails in enough detail to allow analysis and/or investigation of specific transactions. [Pg 20, Exam Tier II Obj 12.1, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

The organization should implement an effective monitoring process. Monitoring should occur on a regular basis. [¶ 26, Principle 5, BIS Sound Practices for the Management and Supervision of Operational Risk]

Healthcare and Life Science Guidance

Procedures to regularly review records of information security activity should be implemented. [§ 164.308(a)(1)(ii)(D), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]

This section discusses how to meet the HIPAA objective of implementing “hardware, software and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information” by providing a series of key activities to handle. The material is very detailed, and should be reviewed directly. [§ 4.15, Introductory Resource Guide for HIPAA NIST Special Publication 800-66]

Energy Guidance

The Responsible Entity shall ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for monitoring for security events on all Cyber Assets within the Electronic Security Perimeter. [CIP-007-1 R6, CIP-007-1 R6.1, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]

Payment Card Guidance

Payment activities must have an automated audit trail for tracking and monitoring access to the application. [§ 4.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]

§ 4.3.1.A Use a centrally controlled wireless Intrusion Detection System/Intrusion Prevention System (IDS/IPS) to monitor for unauthorized access and detect rogues and misconfigured wireless devices.
§ 4.3.1.F Add processes and policies that will regularly read and act on the data provided by the IDS/IPS.
[§ 4.3.1.A, § 4.3.1.F, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]

US Federal Security Guidance

The organization must implement and monitor the status of event and activity logging controls. [§ 15.e, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives]

The organization must perform an annual independent evaluation testing the effectiveness of information security policies, procedures, and practices. [§ 3545(a), Federal Information Security Management Act of 2002 (FISMA)]

FIPS 200 calls for Audit and Accountability (AU): organizations must (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Federal Information Systems, March 2006]

The FAM calls for the construction of efficient tests, taking into consideration the nature, timing, and extent of the tests to be performed. [§ 260.48, GAO/PCIE Financial Audit Manual (FAM)]

US Internal Revenue Guidance

The organization must develop, document, distribute, and continuously update an audit and accountability policy and procedures for implementing auditing security controls. [§ 5.6.2, Exhibit 4 AU-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

Records Management Guidance

The DIRKS Manual calls for regular monitoring and auditing of the recordkeeping system to assess its performance. [§ G.4.1.5, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]

NIST Guidance

The organization needs to specify which information system components carry out auditing activities. Auditing activity can affect information system performance. Therefore, the organization decides, based upon a risk assessment, which events require auditing on a continuous basis and which events require auditing in response to specific situations. The organization must also define auditable events that are adequate to support after-the-fact investigations of security incidents. [AU-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

Organizational records, documents, and the system configuration should be examined to ensure audit records are being generated for all defined events, audit records are generated continuously, and specific responsibilities and actions are defined for the implementation of the auditable events control. Any problems discovered during the implementation of the auditable events control should be documented and used to improve the controls.
Test the system by performing actions that the system is configured to audit to ensure an audit record is generated. Test the system to ensure access restrictions are properly configured and the system audits these actions.
Interviews should be conducted with personnel who configure the auditing parameters and events and with personnel who are involved in the auditing process.
[AU-2, AU-2.2, CM-5(1), CM-5.8, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

The organization should develop wireless security audit procedures and processes that should include the types of security events to capture and how to store the audit records. [Table 8-2 Item 17, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007]

US State Laws and Protectorates Guidance

The comprehensive information security program must include monitoring of the program on a regular basis to ensure its operation will prevent unauthorized use of or access to personal information. Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all computers and wireless systems and must include system monitoring to detect unauthorized access or use. [§ 17.03(3)10, § 17.04(4), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts]

System Configuration Guidance

Logs are a valuable resource when tracking security incidents. Logging should be enabled on all systems. By default, the logs are located in /var/log. The following line should be added to the /etc/syslog.conf file: @your.log.host (your.log.host is the name of the log server) to enable the logging of events. [§ 2.11, Center for Internet Security Mac OS X Tiger Level I Security Benchmark, v1.0 May 2008]

The Server Security report and the Server Settings report should be reviewed periodically to monitor the status of the servers. [§ 3.6, Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings, v1.0 August 2006]

Other Configuration Guidance

Establish an audit log for MFDs and print spoolers. The audit log should contain user, key operator and administrator codes and passwords, and enabled features and services. Any deviation from the baseline should be treated as a potential security incident. Ensure operational security controls are in place so that servicing of devices by authorized personnel is in accordance with change and configuration protocols. [MFD06.006, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3]

ISO Guidance

Appropriate logging and monitoring of the network should be enabled to record all security-relevant events. The audit logs should be kept for a predetermined amount of time. The audit logs should include user IDs; date, time, and detail of the event; terminal identity or location; changes to system configuration; use of privileges; files accessed; use of system applications; network addresses visited and protocols used; and activation and deactivation of protection systems. [§ 10.6.1, § 10.10.1, § 10.10.2, ISO 17799:2005 Code of Practice for Information Security Management]
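As an added example (not part of the UCF page or of the ISO text), the following Python checks constructed key=value audit records against the field list above and reports which of the listed event categories the sample log never exercises. The field names, the record format and the sample lines are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Assumed mapping of the ISO 17799 field list onto a key=value log format:
# user ID -> user, date/time -> ts, event detail -> event/detail,
# terminal identity or location -> src.
REQUIRED = ("ts", "user", "event", "src")
# Event categories the ISO text says the audit log should cover.
CATEGORIES = {"config_change", "priv_use", "file_access", "app_use",
              "net_access", "protection_toggle"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn 'k=v k2="v 2"' into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def record_gaps(line):
    """List the problems in one record: missing fields, unparseable time."""
    rec = parse_record(line)
    gaps = ["missing " + f for f in REQUIRED if not rec.get(f)]
    if rec.get("ts"):
        try:
            datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            gaps.append("bad timestamp")
    return gaps

def audit_report(lines):
    """Map line index -> gaps for every defective (non-empty) record."""
    report = {}
    for i, line in enumerate(lines):
        gaps = record_gaps(line) if line.strip() else []
        if gaps:
            report[i] = gaps
    return report

def coverage_gaps(lines):
    """Event categories from the ISO list that no record exercises."""
    seen = {parse_record(line).get("event") for line in lines}
    return CATEGORIES - seen

# Constructed sample records: the first two are complete, the rest defective.
SAMPLE = [
    'ts=2009-07-01T08:15:02Z user=alice event=priv_use src=10.0.0.7 detail="sudo -i"',
    'ts=2009-07-01T08:16:40Z user=bob event=config_change src=console detail="edited /etc/syslog.conf"',
    'ts=2009-07-01T08:17:00Z event=file_access src=10.0.0.9 detail="/etc/shadow"',
    'ts=07/01/2009 user=carol event=protection_toggle src=10.0.0.3 detail="ids stopped"',
    'ts=2009-07-01T08:20:11Z user=dave event=file_access detail="/var/log/secure"',
]

if __name__ == "__main__":
    print(audit_report(SAMPLE))
    print(sorted(coverage_gaps(SAMPLE)))
```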

Procedures should be developed for monitoring the information systems. The monitoring results should be reviewed on a regular basis. [Annex A.10.10.2, ISO 27001:2005, Information Security Management Systems - Requirements]

Appropriate logging and monitoring of the network should be enabled to record all security-relevant events. The audit logs should be kept for a predetermined amount of time. The audit logs should include user IDs; date, time, and detail of the event; terminal identity or location; changes to system configuration; use of privileges; files accessed; use of system applications; network addresses visited and protocols used; and activation and deactivation of protection systems. [§ 10.6.1, § 10.10.1, § 10.10.2, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

The organization should ensure that management establishes a general monitoring framework and approach that define the scope, methodology and process to be followed for monitoring IT’s contribution to the results of the enterprise’s portfolio management and program management processes and those processes that are specific to the delivery of IT capability and services. The framework should integrate with the corporate performance management system. [ME1.1, CobiT 4.1]

Documented procedures should be developed for the logging of security events for third party connections, the installation (facility), and systems. The activities of the audit team and individuals running the network should be monitored and logged. Procedures should specify the methods for monitoring key security events. [SM6.5.3(c), SM7.1.3(c), CB2.1.3(c), CB5.4.5(c), CI2.2.1, CI5.5.5(c), NW1.1.5, NW4.5.5(c), SD2.3.5(c), UE1.1.3(c), The Standard of Good Practice for Information Security]

EU Guidance

The OECD Risk Checklist calls for identification, monitoring, measuring, and control of electronic security risks. [§ I.14, OECD / World Bank Technology Risk Checklist, Version 7.3]

UK and Canadian Guidance

[¶ 27, Turnbull Guidance on Internal Control, UK FRC, October 2005]

Other European and African Guidance

The key risks and performance indicators should be monitored regularly to ensure the internal controls are effective. [¶ 3.2.4, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]

Asia and Pacific Rim Guidance

The organization should develop, implement, and maintain procedures to detect potential security incidents by implementing auditing on all systems. The auditing requirements should include a list of events to be logged; how to protect the audit log; back-up procedures; the auditing schedule; what actions to take when a violation occurs; who to report findings to; and specific responsibilities for auditing. The e-mail server should be regularly audited to detect potential threats, such as denial of service attacks and using the server as a mail relay. [§ 2.8.17, § 3.5.47, § 3.7.12, § 3.7.26, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Establish and maintain an event and activity logging and monitoring metrics management program [UCF Control ID 02078]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.