Establish and maintain standards and procedures for the frequency of monitoring audit logs.

UCF ID: 00642
Control Type: Establish/Maintain Documentation
Status: Live

Supporting and supported controls

This control directly supports:

    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. [UCF Control ID 00638]

There are no supporting controls.

Authority documents complied with:

    The Sarbanes-Oxley Act of 2002, § 104(b)
    FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 16, Pg 18
    Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 10.6
    VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 54
    GAO/PCIE Financial Audit Manual (FAM), § 420.03
    The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, § G.4.1.5
    ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General, § 10
    The Standard of Good Practice for Information Security, SM7.2.1, CI5.5.4(d), SD2.3.4(d)
    Turnbull Guidance on Internal Control, UK FRC, October 2005, ¶ 27
    BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 28
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 10.6
    ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.14.10, § 7.5.6, § 7.6.7

Sarbanes-Oxley Guidance

Public accounting firms that provide audit reports for more than 100 issuers must be inspected annually. If the firm provides audit reports for 100 or fewer issuers, it must be inspected not less than once every 3 years. [§ 104(b), The Sarbanes-Oxley Act of 2002]

Banking and Finance Guidance

Examiners should continuously monitor the status of the service provider between examinations through offsite and/or informal reviews. At least one review should be conducted between each scheduled examination. The review should identify changes in management, new products, and mergers and acquisitions. The review should follow up on any issues or concerns identified during the examination. [Pg 16, Pg 18, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]

The frequency of the monitoring process should be commensurate with the risks and the frequency of changes to the environment. [¶ 28, BIS Sound Practices for the Management and Supervision of Operational Risk]

Payment Card Guidance

The organization must ensure all logs are reviewed on a daily basis. Logging tools may be used to meet this requirement.
Verify the security policy and procedures state the audit logs are to be reviewed on a daily basis and any exceptions are handled appropriately.
Interview security personnel to ensure they review the audit logs on a daily basis.
[§ 10.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]

The organization should monitor transactions and authorizations on a daily basis. If the organization submits the transactions in batches, it should check the transactions for completeness and accuracy before they are submitted for approval. [Pg 54, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]

The organization must ensure all logs are reviewed on a daily basis. Logging tools may be used to meet this requirement. [§ 10.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

US Federal Security Guidance

[§ 420.03, GAO/PCIE Financial Audit Manual (FAM)]

Records Management Guidance

[§ G.4.1.5, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]

[§ 10, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General]

ISO Guidance

Service providers should ensure equipment and physical facilities are continuously monitored for availability. Outsourced service providers should ensure procedures have been implemented to monitor and log all logical access to computer systems on a 24x7 basis. Outsourced service providers should ensure critical computing and related equipment are continuously monitored. [§ 6.14.10, § 7.5.6, § 7.6.7, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

The information security status of the organization should be reviewed regularly. [SM7.2.1, CI5.5.4(d), SD2.3.4(d), The Standard of Good Practice for Information Security]

UK and Canadian Guidance

[¶ 27, Turnbull Guidance on Internal Control, UK FRC, October 2005]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of systems for which event and activity logs are monitored and reviewed in accordance with policy. [UCF Control ID 02103]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.