Ensure user identifications are logged.

UCF ID: 01334
Control Type: Configuration
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

American Express Data Security Standard (DSS), § 1a
Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 10.3.1
Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-3.a(1)(a)
DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2, § 6.2.1
ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 8.2, § C.3
ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 10.10.1
ISO/IEC 27002 Code of practice for information security management, 2005, § 10.10.1
Australian Government ICT Security Manual (ACSI 33), § 3.7.16
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 10.3.1
Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1, § 4.1
DoD Instruction 8500.2 Information Assurance (IA) Implementation, ECAR-1
ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.2.1(1)

Payment Card Guidance

The organization must maintain the ability to track employee access to payment data through the use of unique IDs. [§ 1a, American Express Data Security Standard (DSS)]

The organization must ensure all system components record the user identification for each event.
For auditable events, observe the audit log to ensure it captures and records the user identification.
Interview security personnel and view their audit logs to ensure the appropriate events are logged.
[§ 10.3.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]
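The testing procedure above (observe the audit log and confirm each event records a user identification) can be automated against exported log lines. The script below is an added example, not part of the UCF control or any product; the key=value log format, the field names treated as user identification, the shared-account list and the sample log lines are all constructed assumptions.

```python
"""Audit-log check for the 10.3.1-style requirement: every recorded event
must carry a (unique) user identification.  Added example; the log format
and field names are assumptions, not those of any real product."""
import re
from dataclasses import dataclass

# Field names accepted as a user identification (assumption for this example).
USER_FIELDS = ("user", "uid", "subject")
# Generic accounts that defeat per-user accountability (constructed list).
SHARED_ACCOUNTS = {"admin", "shared", "guest"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    line_no: int
    reason: str
    event: str


def parse_kv(line: str) -> dict:
    """Parse 'k=v k2="v 2"' style audit lines into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_user_identification(lines):
    """Return one Finding per event that lacks a usable user identification."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        fields = parse_kv(line)
        event = fields.get("event", "?")
        # Empty values (user="") are treated as absent.
        user = next((fields[f] for f in USER_FIELDS if fields.get(f)), None)
        if user is None:
            findings.append(Finding(n, "no user identification recorded", event))
        elif user.lower() in SHARED_ACCOUNTS:
            findings.append(Finding(n, f"shared account '{user}' is not a unique ID", event))
    return findings


# Constructed sample audit trail; not captured from any real system.
SAMPLE_LOG = """\
ts=2009-05-01T10:00:01Z event=login user=jsmith result=success src=10.0.0.5
ts=2009-05-01T10:02:13Z event=card_view uid=jsmith record=4821
ts=2009-05-01T10:05:44Z event=config_change result=success src=10.0.0.7
ts=2009-05-01T10:06:02Z event=login user=admin result=success src=10.0.0.9
ts=2009-05-01T10:07:30Z event=export user="" result=success
""".splitlines()

if __name__ == "__main__":
    for f in check_user_identification(SAMPLE_LOG):
        print(f"line {f.line_no}: event={f.event}: {f.reason}")
```

Lines 3, 4 and 5 of the sample are reported: one with no user field, one using a shared account, one with an empty user value.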

The organization must ensure all system components record the user identification for each event. [§ 10.3.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

All user access to applications should be logged, including users with administrative privileges, and should be set as part of the default installation. [§ 4.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]

US Federal Security Guidance

The audit trail should identify each user and device that accesses the system. [§ 2-3.a(1)(a), Army Regulation 380-19: Information Systems Security, February 27, 1998]

Have you examined the audit logs to ensure that they contain the user ID? [ECAR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Other Configuration Guidance

The audit log must record all user identification information. [§ 6.2.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1, Release 2]

ISO Guidance

Each audit record should contain the user's identity. [§ 8.2, § C.3, ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008]

The audit log should record the user ID for all events. [§ 10.10.1, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

The audit log should record the user ID for all events. [§ 10.10.1, ISO/IEC 27002 Code of practice for information security management, 2005]

Identification and Authentication (I&A). An organization should implement safeguards which assure Identification and Authentication. Identification is the means by which a user provides a claimed identity to a system. Authentication is the means of establishing the validity of this claim. The following ways are examples of how to achieve I&A safeguards (other ways of classifying I&A mechanisms are possible).
1. I&A (Identification and Authentication) Based on Something the User Knows.
Passwords are the most typical way to provide I&A based on something the user knows linked with a user identification process. The allocation of passwords and their regular change should be controlled. If users are choosing the passwords themselves, they should be aware of the common rules for password design and handling. Software can be used to support this, for example by limiting the use of common passwords or patterns and characters. If it is necessary or wanted, copies of passwords should be stored securely to allow authorized access if the user is not available or has forgotten the password. I&A based on something the user knows can also make use of cryptographic means and authentication protocols. This type of identification and authentication can also be used for remote I&A.
[¶ 8.2.1(1), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]

Asia and Pacific Rim Guidance

The audit log should record the user or process for each event that is recorded. [§ 3.7.16, Australian Government ICT Security Manual (ACSI 33)]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.