UCF ID: 02103
Control Type: Actionable Reports or measurements
Status: Live
Metric guidance
Calculation: The calculation for this metric is # of systems for which event and activity logs are monitored and reviewed in accordance with policy / # of IT systems.
Calculation source: No authority document source of information exists. The following formula was used: the number of systems whose security administrators monitor and review event and activity logs in accordance with policies, standards, and procedures divided by the number of systems listed in the CMDB for each business unit (or the organization as a whole).
The Common Control IDs associated with this metric are as follows:
• Establish and maintain standards and procedures for the frequency of monitoring audit logs. [UCF Control ID 00642]
• Review audit logs, intrusion detection system (IDS) reports, security incident tracking reports, and other security logs on a regular basis. [UCF Control ID 00596]
• Log and report to management the periodic reviews of compliance checklists, audit reports, sign-off sheets, and others. [UCF Control ID 00653]
• Record detailed information in the audit trails for events that can be identified by type, location, or subject. [UCF Control ID 00639]
• Ensure procedures for continuous monitoring and control of all access to data are included in the security policy. [UCF Control ID 01361]
Supporting and supported controls
This control directly supports:
• Establish and maintain an event and activity logging and monitoring management metrics program. [UCF Control ID 02078]
There are no supporting controls.
Authority documents complied with:
CISWG Information Security Program Elements, January 10, 2005, ISPE22.2; Performance Measurement Guide for Information Security, NIST 800-55, Revision 1, App A Measure 5; Guide for Developing Performance Metrics for Information Security, NIST SP 800-80, Table 7
US Federal Security Guidance
The organization must measure and report on the percentage of systems for which event and activity logs are monitored and reviewed in accordance with policy. [ISPE22.2, CISWG Information Security Program Elements, January 10, 2005]
NIST Guidance
The calculation for this metric should be stated as the # of times logs are reviewed for inappropriate activity during the reporting period / # of days in the reporting period. Use the number of days in the reporting period as the base number divided by the number of times that the activity and event logs are reviewed for inappropriate activity. [App A Measure 5, Performance Measurement Guide for Information Security, NIST 800-55, Revision 1]
This metric must be calculated using # of systems for which event and activity logs are monitored and reviewed in accordance with policy / # of IT systems. [Table 7, Guide for Developing Performance Metrics for Information Security, NIST SP 800-80]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
