Collection and interpretation of logs

Status: Live

The organization will develop, disseminate, and review: 1) a formal standard for the collection and interpretation of logs that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the policy. [UCF ID 00643]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls, § 319.54; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 9.1; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.312(b); MasterCard Electronic Commerce Security Architecture Best Practices, April 2003, § 3-4; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 10.7; Protection of Assets Manual, ASIS International, Pg 11-V-6, Pg 12-IV-22, Revised Volume 1 Pg 7-I-41; Clinger-Cohen Act (Information Technology Management Reform Act), § 5122(b)(6), § 5123(4); NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-602.c; FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 2.2.6; Federal Information System Controls Audit Manual (FISCAM), February 2009, AC-4.1, AC-4.2; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, § G.4.1.5; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.13; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AU-6(1), AU-6.7; CobiT 4.1, DS13.1, ME1.2; The Standard of Good Practice for Information Security, CI1.4.1(d), NW3.1.1(d); ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 8.3, § C.4; OGC ITIL: Security Management, § 4.2.4.2; IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 4.3.1; Australian Government ICT Security Manual (ACSI 33), § 3.7.25; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 10.7; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007, Table 8-3 Item 35; Austria Data Protection Act, § 14(2)7, § 14(3); Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1, § 4.2

Sarbanes Oxley Guidance

[§ 319.54, AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls]

Banking and Finance Guidance

[Exam Tier II Obj 9.1, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

Healthcare and Life Science Guidance

[§ 164.312(b), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]

Payment Card Guidance

Log any attempts to violate the firewall rules. [§ 3-4, MasterCard Electronic Commerce Security Architecture Best Practices, April 2003]

The organization must ensure audit trails are retained for at least 1 year and must have the last 3 months available for immediate analysis.
Verify the security policy and procedures include requirements for retaining the audit logs for at least 1 year and verify procedures are in place to allow the last 3 months of audit trails to be restored for immediate analysis.
[§ 10.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]

The organization must ensure audit trails are retained for at least 1 year and must have the last 3 months available for immediate analysis. [§ 10.7, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

An automated audit trail should be implemented to track and monitor access to the application. The logs should not be disabled; doing so could result in noncompliance with PCI DSS. [§ 4.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]

US Federal Security Guidance

The organization should have a plan outlining when audit trails should be reviewed, who should review them, what the reviewers should be looking for, and how the reviewers should report any anomalies. Station message detail recording (SMDR) is a PBX feature that logs inbound, outbound, and internal traffic. It should be reviewed for any unusual traffic patterns by an assigned employee on a daily basis. Security managers should review guard logs on a regular basis and arrange for any problems noted in the log to be corrected. [Pg 11-V-6, Pg 12-IV-22, Revised Volume 1 Pg 7-I-41, Protection of Assets Manual, ASIS International]

Requires the means to be provided to senior management to obtain timely information, including a system of milestones for measuring progress, on an independently verifiable basis, in terms of cost, capability of the system to meet specified requirements, timeliness, and quality. [§ 5122(b)(6), § 5123(4), Clinger-Cohen Act (Information Technology Management Reform Act)]

The audit trail must be analyzed using automated tools on a regular schedule. [§ 8-602.c, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

[§ 2.2.6, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]

Calls for access to audit trails and the logging of invalid access attempts. [AC-4.1, AC-4.2, Federal Information System Controls Audit Manual (FISCAM), February 2009]

Records Management Guidance

The specification of objective, verifiable and quantifiable performance indicators used to analyze efficiency and effectiveness is called for. [§ G.4.1.5, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]

NIST Guidance

Access to all audit trails must be made available. [§ 3.13, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

Organizational records, documents, and the system configuration should be examined to ensure automated mechanisms are implemented to integrate the monitoring, analysis, and reporting of audit records into a process for investigating and responding to suspicious activities.
Test the system by generating auditable events to ensure the organization uses automated mechanisms to aid in monitoring, analyzing, and reporting suspicious activities.
[AU-6(1), AU-6.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

The organization should use an automated auditing tool to help in reviewing access point and authentication server audit data. [Table 8-3 Item 35, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007]

ISO Guidance

The audit log should have the ability to use a set of rules to determine if a potential violation has occurred. This set of rules should identify events whose occurrence or accumulated occurrence could indicate a potential violation. The audit system should be able to maintain system usage profiles and suspicion ratings for individuals. When a user's suspicion rating exceeds its threshold, the audit system should be able to flag an imminent violation. The audit system should be able to compare signature events and known intrusion scenarios against system activity to determine the probability of violation. [§ 8.3, § C.4, ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008]
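The three analysis mechanisms described in the ISO/IEC 15408-2 passage above (rules over single or accumulated events, per-user suspicion ratings with a threshold, and matching of a known intrusion scenario against system activity), and the automated monitoring the NIST SP 800-53A AU-6(1) passage calls for, are shown here as one small analyzer. This is an added illustration, not code from the Unified Compliance Framework or any of the cited standards; the event types, rule weights, threshold and signature are hypothetical, and the audit trail is constructed for the example.

```python
from collections import defaultdict

# Constructed sample audit trail: (timestamp, user, event type, detail).
SAMPLE_EVENTS = [
    ("2009-03-01T09:00:01", "alice", "login_failure", "bad password"),
    ("2009-03-01T09:00:05", "alice", "login_failure", "bad password"),
    ("2009-03-01T09:00:09", "alice", "login_failure", "bad password"),
    ("2009-03-01T09:00:12", "alice", "login_success", "console"),
    ("2009-03-01T09:05:00", "bob", "audit_disable", "tried to stop audit daemon"),
    ("2009-03-01T09:06:00", "alice", "privilege_change", "added to admin group"),
    ("2009-03-01T09:07:00", "alice", "file_read", "/etc/shadow"),
]
# Potential-violation rules (hypothetical values): event type ->
# (occurrences needed before the rule fires, weight added to suspicion rating).
RULES = {
    "login_failure": (3, 2),    # accumulated occurrence
    "audit_disable": (1, 10),   # a single occurrence is a violation
    "privilege_change": (1, 4),
}
SUSPICION_THRESHOLD = 8  # hypothetical per-user threshold
# Known intrusion scenario as an ordered signature; other events may occur between.
INTRUSION_SIGNATURE = ("login_failure", "login_success", "privilege_change", "file_read")

def is_subsequence(pattern, seq):
    """True if every element of pattern appears in seq, in that order."""
    it = iter(seq)
    return all(any(e == p for e in it) for p in pattern)

def analyze(events, rules=RULES, threshold=SUSPICION_THRESHOLD,
            signature=INTRUSION_SIGNATURE):
    """Return (findings, ratings); a finding is (timestamp, user, kind, note)."""
    counts = defaultdict(lambda: defaultdict(int))  # per user, per event type
    ratings = defaultdict(int)                      # per-user suspicion rating
    history = defaultdict(list)                     # per-user usage profile
    flagged, findings = set(), []
    for ts, user, etype, detail in events:
        history[user].append(etype)
        if etype in rules:
            needed, weight = rules[etype]
            counts[user][etype] += 1
            ratings[user] += weight
            if counts[user][etype] == needed:  # rule fires exactly once
                findings.append((ts, user, "rule", f"{etype} x{needed}: {detail}"))
        if ratings[user] >= threshold and (user, "threshold") not in flagged:
            flagged.add((user, "threshold"))
            findings.append((ts, user, "threshold", f"suspicion rating {ratings[user]}"))
        if (user, "signature") not in flagged and is_subsequence(signature, history[user]):
            flagged.add((user, "signature"))
            findings.append((ts, user, "signature", " -> ".join(signature)))
    return findings, dict(ratings)
```

On the sample trail, alice trips the accumulated login-failure rule, crosses the suspicion threshold after the privilege change, and then completes the intrusion signature; bob's single attempt to disable auditing is enough to fire a rule and exceed the threshold at once.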

ITIL Guidance

[§ 4.2.4.2, OGC ITIL: Security Management]

General Guidance

The organization should define, implement and maintain standard procedures for IT operations and ensure the operations staff is familiar with all operations tasks relevant to them. Operational procedures should cover shift hand over (formal hand over of activity, status updates, operational problems, escalation procedures and reports on current responsibilities) to ensure continuous operations.
The organization should ensure that IT management, working with the business, defines a balanced set of performance objectives, measures, targets and benchmarks, and has them signed off on by the business and other relevant stakeholders. Performance indicators should include:
• Business contribution including, but not limited to financials
• Performance against the strategic business and IT plan
• Risk and compliance with regulations
• Internal and external user satisfaction
• Key IT processes including development and service delivery
• Future-oriented activities, for example, emerging technology, reusable infrastructure, business and IT personnel skill sets
Processes should be established to collect timely and accurate data to report on progress against targets.
[DS13.1, ME1.2, CobiT 4.1]

Event logs should be reviewed regularly to help identify suspicious or unauthorized activity. [CI1.4.1(d), NW3.1.1(d), The Standard of Good Practice for Information Security]

UK and Canadian Guidance

[§ 4.3.1, IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]

Other European and African Guidance

Logs must be kept of the processing steps that were performed, especially modifications, consultations, and transmissions, so that the steps can be traced and their permissibility checked. This measure must take into account the state of the art and the cost of safeguarding the data at a level appropriate to the risks arising from the use and type of data being protected. Unregistered transmissions that are subject to an obligation to provide information must be logged so that the data subject's right of information can be granted. Logging is not required for transmissions provided for in the standard and the model ordinance. [§ 14(2)7, § 14(3), Austria Data Protection Act]

Asia and Pacific Rim Guidance

The Security Officer should manage and audit all event logs. The system manager or information owner should determine the audit requirements based on the security policy requirements. Personnel with system administrator privileges should not have system audit responsibilities. [§ 3.7.25, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of systems for which event and activity logging has been implemented in accordance with policy [UCF Control ID 02102]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.