Report on the percentage of systems for which event and activity logs are monitored and reviewed in accordance with policy

Status: Live

The organization will report on the percentage of systems for which event and activity logs are monitored and reviewed in accordance with policy. [UCF ID 02103]

Metric guidance

Calculation: The calculation for this metric is # of systems for which event and activity logs are monitored and reviewed in accordance with policy / # of IT systems.

Calculation source: No authority document source of information exists. The following formula was used: the number of systems whose security administrators monitor and review event and activity logs in accordance with policies, standards, and procedures divided by the number of systems listed in the CMDB for each business unit (or the organization as a whole) .

The Common Control IDs associated with this metric are as follows:

Monitoring frequency [UCF Control ID 00642]

Review audit logs and IDS reports regularly [UCF Control ID 00596]

Management reporting and logging [UCF Control ID 00653]

Measurement [UCF Control ID 00639]

The organizational security framework will contain procedures for continuous monitoring and control for all access to data [UCF Control ID 01361]

Supporting and supported controls

This control directly supports:

Establish and maintain an event and activity logging and monitoring metrics management program [UCF Control ID 02078]

There are no supporting controls.

Authority documents complied with:

CISWG Information Security Program Elements, January 10,2005, ISPE22.2; Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1, Revision 1, App A Measure 5; Guide for Developing Performance Metrics for Information Security, NIST SP 800-80, Table 7

US Federal Security Guidance

The organization must measure and report on the percentage of systems for which event and activity logs are monitored and reviewed in accordance with policy. [ISPE22.2, CISWG Information Security Program Elements, January 10,2005]

NIST Guidance

The calculation for this metric should be stated as the # of times logs are reviewed for inappropriate activity during the reporting period / # of days in the reporting period. Use the number of days in the reporting period as the base number divided by the number of times that the activity and event logs are reviewed for inappropriate activity. [App A Measure 5, Performance Measurement Guide for Information Security, NIST 800-55 Rev. 1, Revision 1]

This metric must be calculated using # of systems for which event and activity logs are monitored and reviewed in accordance with policy / # of IT systems [Table 7, Guide for Developing Performance Metrics for Information Security, NIST SP 800-80]