Status: Live
The organization will develop, disseminate, and review: 1) a formal monitoring frequency standard that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the policy. [UCF ID 00642]
Supporting and supported controls
This control directly supports:
- Operationalizing key monitoring and logging concepts [UCF Control ID 00638]
There are no supporting controls.
Authority documents complied with:
The Sarbanes-Oxley Act of 2002, § 104(b); FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003, Pg 16, Pg 18; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 10.6; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 54; GAO/PCIE Financial Audit Manual (FAM), § 420.03; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, § G.4.1.5; ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General, § 10; The Standard of Good Practice for Information Security, SM7.2.1, CI5.5.4(d), SD2.3.4(d); Turnbull Guidance on Internal Control, UK FRC, October 2005, ¶ 27; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 28; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 10.6; Archer Control Table, ATCS-669
Sarbanes Oxley Guidance
Public accounting firms that provide audit reports for more than 100 issuers must be inspected annually. If the firm provides audit reports for 100 or fewer issuers, it must be inspected not less than once every 3 years. [§ 104(b), The Sarbanes-Oxley Act of 2002]
Banking and Finance Guidance
Examiners should continuously monitor the status of the service provider between examinations through offsite and/or informal reviews. At least one review should be conducted between each scheduled examination. The review should identify changes in management, new products, and mergers and acquisitions. The review should follow up on any issues or concerns identified during the examination. [Pg 16, Pg 18, FFIEC IT Examination Handbook – Supervision of Technology Service Providers, March 2003]
The frequency of the monitoring process should be commensurate with the risks and the frequency of changes to the environment. [¶ 28, BIS Sound Practices for the Management and Supervision of Operational Risk]
Payment Card Guidance
The organization must ensure all logs are reviewed on a daily basis. Logging tools may be used to meet this requirement.
Verify the security policy and procedures state the audit logs are to be reviewed on a daily basis and any exceptions are handled appropriately.
Interview security personnel to ensure they review the audit logs on a daily basis. [§ 10.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]
The organization should monitor transactions and authorizations on a daily basis. If the organization submits the transactions in batches, it should check the transactions for completeness and accuracy before they are submitted for approval. [Pg 54, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]
The organization must ensure all logs are reviewed on a daily basis. Logging tools may be used to meet this requirement. [§ 10.6, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
US Federal Security Guidance
[§ 420.03, GAO/PCIE Financial Audit Manual (FAM)]
Records Management Guidance
[§ G.4.1.5, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]
[§ 10, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General]
General Guidance
The information security status of the organization should be reviewed regularly. [SM7.2.1, CI5.5.4(d), SD2.3.4(d), The Standard of Good Practice for Information Security]
UK and Canadian Guidance
[¶ 27, Turnbull Guidance on Internal Control, UK FRC, October 2005]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of systems for which event and activity logs are monitored and reviewed in accordance with policy [UCF Control ID 02103]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
