Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information.


CONTROL ID: 00638
CONTROL TYPE: Log Management
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain logging and monitoring operations., CC ID: 00637

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain an event logging policy., CC ID: 15217
  • Establish, implement, and maintain event logging procedures., CC ID: 01335
  • Document the event information to be logged in the event information log specification., CC ID: 00639
  • Enable logging for all systems that meet a traceability criteria., CC ID: 00640
  • Define the frequency to capture and log events., CC ID: 06313
  • Include logging frequencies in the event logging procedures., CC ID: 00642
  • Review and update the list of auditable events in the event logging procedures., CC ID: 10097


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • All application systems need to have audit trails along with policy/procedure of log monitoring for such systems including the clear allocation of responsibility in this regard. Every application affecting critical/sensitive information, for example, impacting financial, customer, control, regulator… (Critical components of information security 11) c.5., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Highly sensitive and/or critical IT assets would need to have logging enabled to record events and monitored at a level proportional to the level of risk. (Critical components of information security 17) v., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks needs to ensure that audit trails exist for IT assets satisfying the banks business requirements including regulatory and legal requirements, facilitating audit, serving as forensic evidence when required and assisting in dispute resolution. This could include, as applicable, various areas lik… (Critical components of information security 21) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An event log auditing process, and supporting event log auditing procedures, is developed and implemented covering the scope and schedule of audits, what constitutes a violation of security policy, and actions to be taken when violations are detected, including reporting requirements. (Security Control: 0109; Revision: 6, Australian Government Information Security Manual, March 2021)
  • amount of data uploaded and downloaded (Security Control: 0261; Revision: 4; Bullet 4, Australian Government Information Security Manual, March 2021)
  • The organization must log all Cross Domain Solution events, when exporting data from a security domain. (Control: 0670, Australian Government Information Security Manual: Controls)
  • The organization should verify that the actions of all users and Information Technology assets are auditable. (¶ 45, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should log activities, including exceptions to approved activities. (¶ 66(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should subject users with elevated access privileges, e.g., System Administrators, to a higher level of monitoring. (¶ 69, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should verify that audit trails exist for all Information Technology assets and they meet the business requirements, regulatory requirements, and legal requirements; aid in dispute resolution; assist in providing forensic evidence; and is independent. (¶ 74, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Detection mechanisms typically include scanning, sensing and logging mechanisms which can be used to identify potential information security incidents. Monitoring processes could include the identification of unusual patterns of behaviour and logging that facilitates investigation and preserves fore… (67., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • For accountability purposes, a regulated institution would normally ensure that users and IT assets are uniquely identified and their actions are auditable. (¶ 45, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • APRA envisages that a regulated institution would ensure audit trails exist for IT assets that: satisfy the institution's business requirements (including regulatory and legal); facilitate independent audit; assist in dispute resolution (including non-repudiation); and assist in the provision of for… (¶ 74, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The types of events that should be recorded in a log should be based on the results of a risk analysis. (§ 3.7.13, Australian Government ICT Security Manual (ACSI 33))
  • At least once a month, the activations of the emergency users and the corresponding approvals are compared manually. Irregularities are examined in order to determine any misuse of these users and to avoid this in the future. The activities of the emergency users are logged in an audit-proof manner.… (Section 5.7 IDM-09 Description of additional requirements (confidentiality) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Security-relevant requirements regarding the logging of activities of system administrators and users are determined and fulfilled. (5.2.4 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • Based on the risk of a privacy breach and the state of the art and associated implementation costs, the technical and organization security measures must guarantee any person who has accessed the information system can be identified and data introduced into the system can be checked and recorded aft… (Art 23(g), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • Logs must be kept of the processing steps that were performed, especially the modifications, consultations, and transmissions, and the steps can be traced with regard to permissibility. This measure must take into account the state of the art and the costs to safeguard the data at an appropriate lev… (§ 14(2)7, § 14(3), Austria Data Protection Act)
  • Pursuant to federal statutory authority, including the Federal Information Security Modernisation Act of 2014, the OMB and the National Institute of Standards and Technology (NIST) have developed standards which are binding on federal agencies (including criminal law enforcement authorities) and tha… (3.1.1.2 (104), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • All original data records, the master records, and additions, deletions, or modifications to the data must be accurately and comprehensively kept in the audit trail. (¶ 20.1, Good Practices For Computerized systems In Regulated GXP Environments)
  • The control system shall provide the capability to centrally manage audit events and to compile audit records from multiple components throughout the control system into a system-wide (logical or physical), time-correlated audit trail. The control system shall provide the capability to export these… (6.10.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Audit trails must be implemented to link all system component access to each individual user. (PCI DSS Requirements § 10.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Implement automated audit trails for all system components to reconstruct the following events: (10.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement automated audit trails for all system components to reconstruct the following events: (10.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are automated audit trails implemented for all system components to reconstruct the following events: (10.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are automated audit trails implemented for all system components to reconstruct the following events: (10.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings, perform the following: (10.2, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Are audit trails enabled and active for system components? (PCI DSS Question 10.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are audit trails enabled and active for system components? (PCI DSS Question 10.1(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The solution provider should ensure that logging capabilities exist with sufficient granularity to support detection of abnormal activities. (¶ 6.5.1, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • There should be a focus on logical access controls over critical operating systems, applications, and databases, such as tracking the creation of user accounts and access authorizations for user accounts using audit trails. (§ 5.2 (Logical Access), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • By logging user identities, access rights, and the functions they perform, the organization can check if user identities and their access rights comply with the approved access rights for specific user identities; user identities and their access rights are misaligned with the access rights necessar… (§ 3.6.2, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • The organization should ensure audit trails and transaction logs are available and enabled to store all required data. The guards should maintain a security log to record all significant events, such as when they serve as an escort and signing out keys. The guard's security log should contain the fo… (Pg 12-IV-21, Revised Volume 1 Pg 7-I-38 thru Revised Volume Pg 7-I-40, Protection of Assets Manual, ASIS International)
  • The security of instant messaging applications should be improved by logging important events (e.g., to maintain records for regulatory purposes). (CF.15.02.03d, The Standard of Good Practice for Information Security)
  • Business applications and technical infrastructure systems should be configured to generate appropriate event types (e.g., system crashes, object deletion, and failed logon attempts). (CF.10.04.05b, The Standard of Good Practice for Information Security)
  • External access should be provided using a dedicated Remote Access Server, which logs all connections and sessions, including details of call start / stop time, call duration, and user tracking. (CF.09.03.07c, The Standard of Good Practice for Information Security)
  • The security of instant messaging applications should be improved by logging important events (e.g., to maintain records for regulatory purposes). (CF.15.02.03d, The Standard of Good Practice for Information Security, 2013)
  • Business applications and technical infrastructure systems should be configured to generate appropriate event types (e.g., system crashes, object deletion, and failed logon attempts). (CF.10.04.05b, The Standard of Good Practice for Information Security, 2013)
  • External access should be provided using a dedicated Remote Access Server, which logs all connections and sessions, including details of call start / stop time, call duration, and user tracking. (CF.09.03.07c, The Standard of Good Practice for Information Security, 2013)
  • Ensure sufficient auditing and logging are turned on prior to any incident occurring. (Action 1.8.5, SANS Computer Security Incident Handling, Version 2.3.1)
  • Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such … (Control 6.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The monitoring system on a Demilitarized Zone network should be configured to record packet header information, preferably the full packet header and the traffic payloads that are passing through and destined for the network border. (Critical Control 13.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should implement detailed audit logging for nonpublic data access and special authentication for sensitive data. (Critical Control 15.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Generate audit records containing relevant security information. (LOG-08, Cloud Controls Matrix, v4.0)
  • Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys. (LOG-11, Cloud Controls Matrix, v4.0)
  • Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls. (LOG-10, Cloud Controls Matrix, v4.0)
  • Audit Trails. It is important to ensure the effectiveness of network security through detection, investigation and reporting of security incidents. Sufficient audit trail information of error conditions and valid events should be recorded to enable thorough review for suspected, and of actual, incid… (¶ 13.4, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Verify all use of the records is recorded to an appropriate level of detail, in order to effectively manage the use of records. (§ 4.3.8 ¶ 2(f), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • define and implement the operational controls (see 5.6) necessary for audit programme monitoring; (§ 5.5.1 ¶ 2(i), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The audit programme should also consider that processes and controls should have been in operation for some time to enable evaluation of suitable evidence. (§ 9.2 Guidance ¶ 4, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The auditor should examine the sources of information that the organization uses for monitoring the control activities. He/she should ensure the data that is being used for monitoring is accurate, preventing the organization from reaching incorrect conclusions based on misinformation. (§ 314.100, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • Include audit trails within the Information Security Program designed to detect and respond to Cybersecurity Events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Licensee; (Section 4.D ¶ 1(2)(i), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • On windows systems that transmit scoped data, is there sufficient information in the logs to evaluate incidents? (§ G.17.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On windows systems that process scoped data, is there sufficient information in the logs to evaluate incidents? (§ G.17.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On windows systems that store scoped data, is there sufficient information in the logs to evaluate incidents? (§ G.17.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On as400 systems that transmit scoped data, is there sufficient information in the logs to evaluate incidents? (§ G.19.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On as400 systems that process scoped data, is there sufficient information in the logs to evaluate incidents? (§ G.19.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On as400 systems that store scoped data, is there sufficient information in the logs to evaluate incidents? (§ G.19.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On open vms (vax or alpha) systems that transmit scoped data, is sufficient information to investigate incidents logged? (§ G.20.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On open vms (vax or alpha) systems that process scoped data, is sufficient information to investigate incidents logged? (§ G.20.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On open vms (vax or alpha) systems that store scoped data, is sufficient information to investigate incidents logged? (§ G.20.3, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is network traffic logged to support forensics? (§ G.11.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, is sufficient information stored in the logs to evaluate incidents? (§ V.1.72.6, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, is the migration of virtual machines logged, including source and target systems, time, and user? (§ V.1.72.32, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Table F-1: For Windows 2000 Server, the organization must configure the system to appropriately audit user rights assignments. Table F-2: For Windows 2003 Server, the organization must configure the system to appropriately audit user rights assignments. Table F-3: For Windows 2000 Professional, the … (Table F-1, Table F-2, Table F-3, Table F-5, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 2.1.1: The organization must use automated audit controls to conduct user account activity audits. The organization must enable and verify the auditing of administrator activities. CSR 2.1.3: The organization must enable the proper logging of user account and administrator activities, security p… (CSR 2.1.1, CSR 2.1.3, CSR 3.2.3, CSR 3.4.1, CSR 4.2.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Examine the teller and cash entry systems to determine if they capture all the transactions and they are comprehensive. (Obj 8 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • the value of audit trails in computerized record systems; and (§ 1173(d)(1)(A)(iv), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • Accounting and auditing must be enabled on remote access servers and network access servers. Organizations must log user dial-in session statistics, at a minimum. Communications devices that are accessed by remote users must be able to log events, such as date, time, userID, success or failure, and … (§ 4.2.3, § 6.2.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (AU.2.042, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (AU.2.042, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (AU.2.042, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (AU.2.042, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (AU.L2-3.3.1 System Auditing, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The Records Management Application shall capture and link an audit history of each record, consisting of the replaced metadata value and the person who entered the information. (§ C4.1.16, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Each system must automatically create an audit trail. (§ 8-602.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The Information System shall generate audit records for defined events. (§ 5.4.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The Information System shall produce audit records that contain enough information to establish what events occurred, the outcomes of the events, and the sources of the events, at the application and Operating System level. (§ 5.4.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency's information system shall produce, at the application and/or operating system level, audit records containing sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events. The agency shall periodically review and update the list of a… (§ 5.4.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency's information system shall produce, at the application and/or operating system level, audit records containing sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events. The agency shall periodically review and update the list of a… (§ 5.4.1 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Audit logs should be activated and maintained to identify unauthorized activities, detect intrusions, and reconstruct events. (Pg 5, FFIEC Guidance on Authentication in an Internet Banking Environment)
  • Review information systems reports for management, and determine whether they provide the information necessary to help manage the institution effectively. Determine the following: (App A Objective 3:6, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution has a well-defined role for the implementation and use of information systems reporting and that it produces accurate and useful reports. Determine the effectiveness of the reports used by senior management or relevant management committees to supervise and monitor … (App A Objective 3:5, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The process and results are effective. (App A Objective 3:6 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether ▪ A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; ▪ Existing controls comp… (Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • (Obj 5.3, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should record all System and Security Administrator activity in the appropriate audit trail or log. (Pg 31, Pg 32, FFIEC IT Examination Handbook - Management)
  • Assess whether controls exist to address telecommunication operations risk, including: ▪ Alignment of telecommunication architecture and process with the strategic plan; ▪ Monitoring of telecommunications operations such as downtime, throughput, usage, and capacity utilization; and ▪ Assurance… (Exam Tier I Obj 8.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Describe how the financial institution monitors items that originated in foreign countries (i.e., foreign locations owned or controlled by customers of the financial institution or items received and processed by correspondent banks). (App A Tier 2 Objectives and Procedures N.14 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization should ensure audit trails are produced for all transactions at each network switch point. (Pg 41, Exam Tier II Obj 8.5, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • All transactions and attempts to make a transaction should be logged. (Pg 31, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., FedRAMP Security Controls High Baseline, Version 5)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., FedRAMP Security Controls Low Baseline, Version 5)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • The system must be able to generate audit events for all security-relevant events. The system must create events for all data warehousing access attempts and must record all changes to data. (§ 5.6.2, Exhibit 4 AU-2, Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the Credit Union use auditing features to help in detecting fraud, compromised passwords, money laundering, or other unauthorized activities? (IT - Authentication Q 35, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are the appropriate system auditing and logging functions enabled to capture audit trails that are related to network components? (IT - Security Program Q 26, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the server software have logging ability, and, if so, is it enabled? (IT - Servers Q 14, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has the Credit Union enabled the logging feature on the Access Point? (IT - WLANS Q 21, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.1.8 Bullet 1: Determine the types of monitoring necessary to derive an exception report. § 4.14.3 Bullet 3: Ensure that the necessary data is available in the system logs to support audit and other related business functions. § 4.15.4 Bullet 1: Determine which types of audit monitoring proced… (§ 4.1.8 Bullet 1, § 4.14.3 Bullet 3, § 4.15.4 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. (AU-14b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. (AU-14b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. (AU-14b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Calls for Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The organization shall ensure that all actions that are taken to approve or deny personal identity verification (PIV) card requests are audited and the audit trail can support system management and forensic capabilities. A critical control component for the chain of trust for PIV management and issu… (App A.2.3, FIPS Pub 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, Change Notice 1)
  • Organizational records and documents should be examined to ensure audit records are capturing the events that have occurred, where the events occurred, and the outcomes of the events; that audit information is collected on a continuous basis in sufficient detail to support the audit requirements; an… (AU-3, AU-3.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Organizations should develop policies that clearly define mandatory requirements and suggested recommendations for which events each component must or should log. (§ 4.2 Bullet 1, Guide to Computer Security Log Management, NIST SP 800-92)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Implement data mining and data warehousing applications. (T0459, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and implement data mining and data warehousing programs. (T0460, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The smart grid Information System should provide for automatically processing audit records based on selectable event criteria. (SG.AU-7 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. (3.3.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (3.3.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. (3.3.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Implement data mining and data warehousing applications. (T0459, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events. (AU-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events. (AU-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events. (AU-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events. (AU-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information. (AU-12(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time. (AU-14(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. (AU-14b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; (AU-2b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information. (AU-12(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time. (AU-14(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. (AU-14b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee. (Section 27-62-4(d)(2) i., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Inclusion of audit trails within the information security program that are designed to detect and respond to cybersecurity events, and designed to reconstruct material financial transactions sufficient to support the normal operations and obligations of the licensee; (Part VI(c)(4)(B)(ix), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Include audit controls within the information security program designed to do both of the following: (§ 8604.(d)(2) i., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Include audit trails within the information security program designed to detect and respond to cybersecurity events and reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee; (§431:3B-203(2)(I), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Including audit trails within the information security program designed to detect and respond to a cybersecurity event and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee. (Sec. 18.(2)(I), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Include audit trails within the information security program designed to detect and respond to cybersecurity events, and designed to reconstruct material financial transactions sufficient to support the normal business operations and obligations of the licensee. (507F.4 4.b.(9), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee. (§2504.D.(2)(i), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Include audit trails within the information security program designed to detect and respond to cybersecurity events and to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee; (§2264 4.B.(9), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Including audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee. (Sec. 555.(4)(b)(x), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee; (§ 60A.9851 Subdivision 4(2)(ix), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee; (§ 83-5-807 (4)(b)(ix), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee. (§ 420-P:4 IV.(b)(9), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and (§ 500.06 Audit Trail (a)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity; and (§ 500.6 Audit Trail (a)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee; (26.1-02.2-03. 4.b.(9), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee; (Section 3965.02 (D)(2)(i), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • including audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee; (SECTION 38-99-20. (D)(2)(i), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Include audit trails within the information security program designed to detect and respond to cybersecurity events and to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee; (§ 56-2-1004 (4)(B)(ix), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b., TX-RAMP Security Controls Baseline Level 1)
  • Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; (AU-2b., TX-RAMP Security Controls Baseline Level 2)
  • Include audit trails within the information security program that are designed to detect and respond to cybersecurity events and to reconstruct material financial transactions sufficient to support the normal operations and obligations of the licensee. (§ 601.952(3)(b)9., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)