Establish, implement, and maintain a log management program.


CONTROL ID
00673
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a compliance monitoring policy., CC ID: 00671

This Control has the following implementation support Control(s):
  • Deploy log normalization tools, as necessary., CC ID: 12141
  • Restrict access to logs to authorized individuals., CC ID: 01342
  • Restrict access to audit trails to a need to know basis., CC ID: 11641
  • Refrain from recording unnecessary restricted data in logs., CC ID: 06318
  • Back up audit trails according to backup procedures., CC ID: 11642
  • Back up logs according to backup procedures., CC ID: 01344
  • Copy logs from all predefined hosts onto a log management infrastructure., CC ID: 01346
  • Protect logs from unauthorized activity., CC ID: 01345
  • Perform testing and validating activities on all logs., CC ID: 06322
  • Archive the audit trail in accordance with compliance requirements., CC ID: 00674
  • Enforce dual authorization as a part of information flow control for logs., CC ID: 10098
  • Preserve the identity of individuals in audit trails., CC ID: 10594
  • Establish, implement, and maintain a cross-organizational audit sharing agreement., CC ID: 10595


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The licensed corporation should ensure that (i) it can provide detailed audit trail information in a legible form regarding any access to the Regulatory Records (including read, write and modify) stored by the licensed corporation at the EDSP, and (ii) the audit trail is a complete record of any acc… (7.(e), Circular to Licensed Corporations - Use of external electronic data storage)
  • Logging the data to write-only media like a write-once/read-many (WORM) disk or drive (Critical components of information security 21) iii.d., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • are configured to save logs to a secure logging facility (Security Control: 0631; Revision: 6; Bullet 5, Australian Government Information Security Manual, March 2021)
  • All temporary installation files and logs are removed after DBMS software has been installed. (Security Control: 1245; Revision: 2, Australian Government Information Security Manual, March 2021)
  • The organization should secure the audit trails to ensure its integrity and that the evidence is preserved. (¶ 75, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Is there a corporate policy on log retention and the centralised storage and management of log information? (Secure configuration Question 20, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • App 2 ¶ 14.f: For IT systems that process and access restricted information, the system shall be able to provide the system manager a hard copy of all or selected accounting records and be able to print them in an easily readable format. This is applicable to UK contractors. App 6 ¶ 15.f: For IT s… (App 2 ¶ 14.f, App 6 ¶ 15.f, The Contractual process, Version 5.0 October 2010)
  • You hold logging data securely and grant read access only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted. (C1.b ¶ 1, NCSC CAF guidance, 3.1)
  • Verify the shared hosting provider has clearly communicated the log locations to the owning entity. (App A Testing Procedures § A.1.3 Bullet 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers, 3)
  • Ensure that all trails are secured so they cannot be altered. (§ 10.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Interview system administrator and examine permissions to verify that audit trails are secured so that they cannot be altered as follows: (§ 10.5 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Audit trails must be secured to prevent them from being altered. (PCI DSS Requirements § 10.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Are at least the last three months’ logs immediately available for analysis? (10.7(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are at least the last three months’ logs immediately available for analysis? (10.7 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are at least the last three months’ logs immediately available for analysis? (10.7(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • In order to operate a system, administrative access is required. IT auditors should ensure system administrators only have access required to perform their job responsibilities. Consideration also should be given to preventing administrative personnel from deleting audit trail data, if possible. (App A.7, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Standards / procedures should cover storage of security-related events inside event logs (e.g., using local systems, central servers, or by using storage furnished by an external service provider). (CF.10.04.02d, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover storage of security-related events inside event logs (e.g., using local systems, central servers, or by using storage furnished by an external service provider). (CF.10.04.02d, The Standard of Good Practice for Information Security, 2013)
  • Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and … (IAM-12, Cloud Controls Matrix, v4.0)
  • Establish and maintain an audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that coul… (CIS Control 8: Safeguard 8.1 Establish and Maintain an Audit Log Management Process, CIS Controls, V8)
  • Audit Trails. It is important to ensure the effectiveness of network security through detection, investigation and reporting of security incidents. Sufficient audit trail information of error conditions and valid events should be recorded to enable thorough review for suspected, and of actual, incid… (¶ 13.4, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The public cloud PII processor should define criteria regarding if, when and how log information can be made available to or usable by the cloud service customer. These procedures should be made available to the cloud service customer. (§ 12.4.1 ¶ 5, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • The public cloud PII processor should define criteria regarding if, when and how log information can be made available to or usable by the cloud service customer. These procedures should be made available to the cloud service customer. (§ 12.4.1 ¶ 5, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The organization must use automated mechanisms for recording audit information and restrict recording audit information to hardware-enforced, "write-once" media. (CSR 2.1.6, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • (§ 240.17a-4(f)(3)(v)(A), 17 CFR Part 240.17a-4, Records to be preserved by certain exchange members, brokers, and dealers)
  • (§ 240.17Ad-7(f)(4)(I), 17 CFR Part 240.17Ad-7, Record retention)
  • The information assurance officer must ensure the file permissions and the storage of biometric audit logs is not less secure than the Operating System audit logs on the system that the biometric software is on. (§ 4.7 ¶ BIO7010, DISA Access Control STIG, Version 2, Release 3)
  • Limit management of audit logging functionality to a subset of privileged users. (AU.3.050, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Limit management of audit logging functionality to a subset of privileged users. (AU.3.050, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Limit management of audit logging functionality to a subset of privileged users. (AU.3.050, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Limit management of audit logging functionality to a subset of privileged users. (AU.L2-3.3.9 Audit Management, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Technology must be able to detect whether the audit log has been altered. (§ 170.315 (d) (10) (iv), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Technology must be able to detect whether the audit log has been altered. (§ 170.315 (d) (10) (iv), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Determine whether management has a log management process to use logs to identify, track, analyze, and resolve problems that occur during day-to-day operations. Describe how management collects and collates logs and how management uses logs to respond to issues. Evaluate how management addresses the… (App A Objective 15:7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implementation of policies, standards, and procedures for log management activities that address the following: (App A Objective 15:7b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management has an effective log management process that involves a central logging repository, timely transmission of log files, and effective log analysis. Review whether management has the following: (App A Objective 6.35, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • (§ 3.13.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The smart grid Information System must protect itself against an individual from falsely denying that they performed an action. (SG.AU-16 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Limit management of audit functionality to a subset of privileged users. (3.3.9, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Limit management of audit logging functionality to a subset of privileged users. (3.3.9, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Limit management of audit logging functionality to a subset of privileged users. (3.3.9, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The records pertaining to an audit or review should be available for 7 years. (§ 210.2-06(a), 17 CFR Part 210.2-06, Retention of Audit and Review Records)