Status: Live
The organization will ensure that the key concepts of auditing are employed so that all audit trails capture sufficient information in audit records to establish what events occurred, the sources of the events, and the outcomes of the events. [UCF ID 00638]
Supporting and supported controls
This control directly supports:
- • Establishing overall monitoring and logging operations [UCF Control ID 00637]
This control has the following supporting controls:
- • Measurement [UCF Control ID 00639]
- • Traceability [UCF Control ID 00640]
- • Monitoring thoroughness [UCF Control ID 00641]
- • Monitoring frequency [UCF Control ID 00642]
Authority documents complied with:
SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.100; Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Obj 8 (Processes); FFIEC Guidance on Authentication in an Internet Banking Environment, Pg 5; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj D.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 5.3; FFIEC IT Examination Handbook – Information Security, Pg 47, Pg 49, Pg 87, Exam Tier II Obj G.7; FFIEC IT Examination Handbook – Management, Pg 31, Pg 32; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 8.1; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 41, Exam Tier II Obj 8.5; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 31; Protection of Assets Manual, ASIS International, Pg 12-IV-21, Revised Volume 1 Pg 7-I-38 thru Revised Volume Pg 7-I-40; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-602.a; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.2, Exhibit 4 AU-2, Exhibit 6; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, AU-3; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AU-3, AU-3.2; The Standard of Good Practice for Information Security, SM6.8.2(d), CB6.4.2(g), CI2.2.5, SD4.6.3(g), NW2.1.2(c); DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 4.2.3, § 6.2.1; Australian Government ICT Security Manual (ACSI 33), § 3.7.13; Archer Control Table, ATCS-179, ATCS-334, ATCS-336, ATCS-379, ATCS-381, ATCS-410, ATCS-510, ATCS-669, ATCS-831; Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT, § 4.3 (AU-2); Austria Data Protection Act, § 14(2)7, § 14(3); Luxembourg Data Protection Law, Art 23(g)
Sarbanes Oxley Guidance
The auditor should examine the sources of information that the organization uses for monitoring its control activities, and should ensure that the data used for monitoring is accurate, so that the organization does not reach incorrect conclusions based on misinformation. [§ 314.100, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]
Banking and Finance Guidance
[Obj 8 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]
Audit logs should be activated and maintained to identify unauthorized activities, detect intrusions, and reconstruct events. [Pg 5, FFIEC Guidance on Authentication in an Internet Banking Environment]
[Exam Tier II Obj D.1, FFIEC IT Examination Handbook – Audit, August 2003]
[Obj 5.3, FFIEC IT Examination Handbook – E-Banking, August 2003]
The operating system's security and logging capabilities should be activated. Log files should be encrypted, be given adequate storage space, be archived to write-once media, and be configured so that previously written data cannot be modified. [Pg 47, Pg 49, Pg 87, Exam Tier II Obj G.7, FFIEC IT Examination Handbook – Information Security]
The organization should record all System and Security Administrator activity in the appropriate audit trail or log. [Pg 31, Pg 32, FFIEC IT Examination Handbook – Management]
[Exam Tier I Obj 8.1, FFIEC IT Examination Handbook – Operations, July 2004]
The organization should ensure audit trails are produced for all transactions at each network switch point. [Pg 41, Exam Tier II Obj 8.5, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
All transactions and attempts to make a transaction should be logged. [Pg 31, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
US Federal Security Guidance
The organization should ensure that audit trails and transaction logs are available and enabled to store all required data. Guards should maintain a security log recording all significant events, such as serving as an escort or signing out keys. Each entry in the guard's security log should contain: a unique entry number; the date and hour of the entry; a category; an event description; and a reference to other pertinent information, such as a detailed complaint form. The guard's security log may be admissible in court if it is regularly maintained as part of the guard's duties and is used to record events of which the guard has personal knowledge, or which were reported to the guard by a person who had personal knowledge. [Pg 12-IV-21, Revised Volume 1 Pg 7-I-38 thru Revised Volume Pg 7-I-40, Protection of Assets Manual, ASIS International]
Each system must automatically create an audit trail. [§ 8-602.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
FIPS 200 calls for Audit and Accountability (AU): organizations must (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so that they can be held accountable for their actions. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
US Internal Revenue Guidance
The system must be able to generate audit events for all security-relevant events. The system must create events for all data warehousing access attempts and must record all changes to data. [§ 5.6.2, Exhibit 4 AU-2, Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
Audit record contents should include, for most audit records:
1) date and time of the event;
2) the component of the information system (e.g., software component, hardware component) where the event occurred;
3) type of event;
4) subject identity; and
5) the outcome (success or failure) of the event. [AU-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
Organizational records and documents should be examined to ensure that audit records capture the events that occurred, where the events occurred, and the outcomes of the events; that audit information is collected continuously and in sufficient detail to support the audit requirements; and that specific responsibilities and actions are defined for implementing the audit records control. Any problems discovered while implementing the audit records control should be documented and used to improve the control.
Test the system by generating audit records to ensure they record enough information to determine what events occurred and the sources and outcomes of the events.
Interviews should be conducted with personnel who review audit trails and with personnel who set up the auditing requirements for the system. [AU-3, AU-3.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
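The AU-3.2 test above, "generate audit records and confirm they record enough to determine what happened, where, by whom, and with what outcome", can be automated against a sample of a system's log output. The following is an added example, not material from the UCF page or from NIST: it checks each record for the five AU-3 content elements (date/time, component, event type, subject identity, outcome). The JSON-lines layout and the field names `timestamp`, `component`, `event_type`, `subject` and `outcome` are assumptions; real log sources name these fields differently, so map them before running the check. The sample records are constructed for the example and deliberately include one record per failure mode.

```python
"""Check audit records for the content NIST SP 800-53 AU-3 requires.

Added example; not part of the UCF page or of NIST's own material.
The record layout (JSON lines with the field names below) is assumed.
"""
import json
from datetime import datetime, timezone

# AU-3 content elements: 1) date/time, 2) component where the event
# occurred, 3) event type, 4) subject identity, 5) outcome.
REQUIRED_FIELDS = ("timestamp", "component", "event_type", "subject", "outcome")
VALID_OUTCOMES = {"success", "failure"}

# Constructed sample records (not captured from any real system).
# Record 3 lacks a subject, record 4 has an unusable outcome, line 5 is
# not a record at all, record 6 has an unparseable timestamp.
SAMPLE_RECORDS = """\
{"timestamp": "2009-03-01T14:02:11Z", "component": "sshd", "event_type": "login", "subject": "jsmith", "outcome": "success", "source_ip": "10.1.2.3"}
{"timestamp": "2009-03-01T14:02:19Z", "component": "sshd", "event_type": "login", "subject": "root", "outcome": "failure", "source_ip": "10.1.2.9"}
{"timestamp": "2009-03-01T14:05:00Z", "component": "db01/auditd", "event_type": "table_update", "outcome": "success"}
{"timestamp": "2009-03-01T14:06:30Z", "component": "web01", "event_type": "privilege_change", "subject": "svc_app", "outcome": "ok"}
this line is not an audit record
{"timestamp": "yesterday", "component": "fw01", "event_type": "rule_change", "subject": "admin", "outcome": "success"}
"""


def parse_timestamp(value):
    """Return an aware datetime, or None if the value is not ISO-8601."""
    if not isinstance(value, str):
        return None
    try:
        # fromisoformat() on Python < 3.11 rejects a trailing 'Z'.
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_record(line):
    """Return the AU-3 deficiencies of one raw log line; [] means sufficient."""
    problems = []
    try:
        rec = json.loads(line)
    except ValueError:
        return ["not parseable as a JSON audit record"]
    if not isinstance(rec, dict):
        return ["record is not an object"]
    for field in REQUIRED_FIELDS:
        value = rec.get(field)
        if value is None or (isinstance(value, str) and not value.strip()):
            problems.append(f"missing {field}")
    if "timestamp" in rec and parse_timestamp(rec["timestamp"]) is None:
        problems.append("timestamp is not ISO-8601")
    outcome = rec.get("outcome")
    if outcome is not None and str(outcome).lower() not in VALID_OUTCOMES:
        problems.append(f"outcome {outcome!r} is not success/failure")
    return problems


def audit_log_sufficiency(text):
    """Check every non-empty line; return (records_checked, {line_no: problems})."""
    findings = {}
    total = 0
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        total += 1
        problems = check_record(line)
        if problems:
            findings[n] = problems
    return total, findings


if __name__ == "__main__":
    total, findings = audit_log_sufficiency(SAMPLE_RECORDS)
    print(f"{total} records checked, {len(findings)} deficient")
    for n, problems in sorted(findings.items()):
        print(f"  line {n}: {'; '.join(problems)}")
```

Run against a freshly generated sample (a few logins, a failed login, an administrative change) from each system in scope; a system whose records come back with no findings satisfies the AU-3 content test, and the per-system pass/fail feeds the percentage metric at the end of this control.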
The organization should monitor all events that could affect the confidentiality of Personally Identifiable Information (PII). [§ 4.3 (AU-2), Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT]
Other Configuration Guidance
Accounting and auditing must be enabled on remote access servers and network access servers. Organizations must log user dial-in session statistics, at a minimum. Communications devices that are accessed by remote users must be able to log events, such as date, time, userID, success or failure, and MAC address. [§ 4.2.3, § 6.2.1, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]
General Guidance
Key events in the instant messaging application should be logged. Security-related events generated by the website should be logged. All host systems should be configured to log the appropriate event types and attributes for each event. [SM6.8.2(d), CB6.4.2(g), CI2.2.5, SD4.6.3(g), NW2.1.2(c), The Standard of Good Practice for Information Security]
Other European and African Guidance
Logs must be kept of the processing operations actually performed, especially modifications, queries, and transmissions, so that they can be traced to the extent necessary to assess their permissibility. This measure must take into account the state of the art and the cost of implementation, so as to safeguard the data at a level appropriate to the risks arising from the use and the type of data being protected. Unregistered transmissions that are subject to an obligation to provide information must be logged so that the data subject's right to information can be granted. Logging is not required for transmissions provided for in the standard and model ordinance. [§ 14(2)7, § 14(3), Austria Data Protection Act]
Taking into account the risk of a privacy breach, the state of the art, and the associated implementation costs, the technical and organizational security measures must guarantee that any person who has accessed the information system can be identified, and that data introduced into the system can be checked and recorded after the fact. [Art 23(g), Luxembourg Data Protection Law]
Asia and Pacific Rim Guidance
The types of events that should be recorded in a log should be based on the results of a risk analysis. [§ 3.7.13, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
- • Report on the percentage of systems for which event and activity logging has been implemented in accordance with policy [UCF Control ID 02102]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
