Archive the audit trail in accordance with compliance requirements.

CONTROL ID
00674
CONTROL TYPE
Log Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a log management program., CC ID: 00673

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The licensed corporation should ensure that (i) it can provide detailed audit trail information in a legible form regarding any access to the Regulatory Records (including read, write and modify) stored by the licensed corporation at the EDSP, and (ii) the audit trail is a complete record of any acc… (7.(e), Circular to Licensed Corporations - Use of external electronic data storage)
  • Audit trails should be secured to ensure the integrity of the information captured, including the preservation of evidence. Retention of audit trails should be in line with business, regulatory and legal requirements. (Critical components of information security 21) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization must establish and maintain logging requirements, including the log retention requirements. (Control: 0580 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization must keep event logs for at least 7 years after the action is completed in accordance with the National Archives of Australia's Administrative Functions Disposal Authority. (Control: 0859, Australian Government Information Security Manual: Controls)
  • Audit trails would typically be secured to ensure the integrity of the information captured, including the preservation of evidence. Retention of audit trails would normally be in line with business requirements (including regulatory and legal). (¶ 75, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Audit logs should be archived for future access, if necessary. (§ 3.7.17, Australian Government ICT Security Manual (ACSI 33))
  • The organization should store the logs of allowed and blocked network activity for at least eighteen (18) months. (Mitigation Strategy Effectiveness Ranking 23, Strategies to Mitigate Targeted Cyber Intrusions)
  • The organization should store the logs of successful and unsuccessful computer events for at least eighteen (18) months. (Mitigation Strategy Effectiveness Ranking 24, Strategies to Mitigate Targeted Cyber Intrusions)
  • Are Internet access (for both web and mail) log files retained for a period of at least three months? (Secure configuration Question 23, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Are log files retained for relevant applications on both servers (including DHCP logs) and workstations for a period of at least three months? (Secure configuration Question 22, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Are log files retained for operating systems on both servers and workstations? (Secure configuration Question 21, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • when under their control, keep the logs automatically generated by their high-risk AI systems; (Article 16 ¶ 1(d), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). (10.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). (10.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). (10.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are audit logs retained for at least one year? (10.7 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are at least the last three months’ logs immediately available for analysis? (10.7 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are audit logs retained for at least one year? (10.7(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are audit logs retained for at least one year? (10.7 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are audit logs retained for at least one year? (10.7(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are audit logs retained for at least one year? (10.7 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are audit logs retained for at least one year? (10.7(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are audit log retention policies and procedures in place and do they require that logs are retained for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)? (10.7(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are at least the last three months’ logs immediately available for analysis? (10.7(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are audit log retention policies and procedures in place and do they require that logs are retained for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)? (10.7 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are audit logs retained for at least one year? (10.7 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are at least the last three months’ logs immediately available for analysis? (10.7 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are at least the last three months’ logs immediately available for analysis? (10.7(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are audit logs retained for at least one year? (10.7(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are audit log retention policies and procedures in place and do they require that logs are retained for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)? (10.7(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine security policies and procedures to verify that they define the following: - Audit log retention policies - Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online. (10.7.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Interview personnel and examine audit logs to verify that audit logs are retained for at least one year. (10.7.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Interview personnel and observe processes to verify that at least the last three months’ logs are immediately available for analysis. (10.7.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. (10.5.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine configurations of audit log history, interview personnel and examine audit logs to verify that audit logs history is retained for at least 12 months. (10.5.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Procedures for retaining audit log history for at least 12 months, with at least the most recent three months immediately available online. (10.5.1.a Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are audit logs retained for at least one year? (PCI DSS Question 10.7(b), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are at least the last three months' logs immediately available for analysis? (PCI DSS Question 10.7(c), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are audit logs retained for at least one year? (PCI DSS Question 10.7(b), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are at least the last three months' logs immediately available for analysis? (PCI DSS Question 10.7(c), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are audit log retention policies and procedures in place and do they require that logs are retained for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)? (PCI DSS Question 10.7(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are audit logs retained for at least one year? (PCI DSS Question 10.7(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are at least the last three months' logs immediately available for analysis? (PCI DSS Question 10.7(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are audit log retention policies and procedures in place and do they require that logs are retained for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)? (PCI DSS Question 10.7(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are audit logs retained for at least one year? (PCI DSS Question 10.7(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are at least the last three months' logs immediately available for analysis? (PCI DSS Question 10.7(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. (10.5.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. (10.5.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. (10.5.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. (10.5.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Security-related event logs should be retained according to retention standards / procedures. (CF.10.04.09b, The Standard of Good Practice for Information Security)
  • Key information relating to system / network monitoring should be retained long enough to meet legal / regulatory requirements (e.g., by archiving the information to portable storage media and storing it in a secure location). (CF.10.05.02, The Standard of Good Practice for Information Security)
  • Key information relating to system / network monitoring should be retained long enough to meet legal / regulatory requirements (e.g., by archiving the information to portable storage media and storing it in a secure location). (CF.10.05.02, The Standard of Good Practice for Information Security, 2013)
  • Security-related event logs should be retained according to retention standards / procedures. (CF.10.04.10c, The Standard of Good Practice for Information Security, 2013)
  • Security-related event logs should be archived regularly (e.g., using a rotation schedule) and digitally signed before being stored. (CF.10.04.10b, The Standard of Good Practice for Information Security, 2013)
  • Ensure the log retention policy is long enough to support in-depth investigations of security incidents, when logs from prior weeks or months might be required. (Action 1.8.3, SANS Computer Security Incident Handling, Version 2.3.1)
  • Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. (Control 6.3, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • All logs must be periodically archived and digitally signed. (Critical Control 14.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. (§ 8.15 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The organization establishes relevant system logging policies that include the types of logs to be maintained and their retention periods. (DE.CM-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • On UNIX computers or Linux computers that store scoped data, are operating system logs retained for at least one year? (§ G.16.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • The audit retention time should be determined by the DAA. (§ 2-3.a(1), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The organization must keep information system output including, but not limited to system reports, business records, financial and business reports, and audit records, in accordance with federal law and NARA requirements. The output must be kept for a minimum of 90 days, old logs must be archived, a… (CSR 2.1.11, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • (§ 240.17a-4(f)(3)(v)(B), 17 CFR Part 240.17a-4, Records to be preserved by certain exchange members, brokers, and dealers)
  • (§ 240.17Ad-7(f)(4)(II), 17 CFR Part 240.17Ad-7, Record retention)
  • The biometric audit logs must be kept online for 30 days and offline for 1 year. (§ 4.7 ¶ BIO7010, DISA Access Control STIG, Version 2, Release 3)
  • Audit logs for remote access server authentication mechanisms must be stored online for a minimum of 30 days and off line for a minimum of 1 year. (§ 6.2.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Audit logs should be archived on a regular basis to prevent the potential loss of data. (§ 3.9, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The audit logs should be archived to prevent the potential loss of data. (§ 3.1 (1.032), DISA Windows VISTA Security Checklist, Version 6 Release 1.11)
  • Audit logs should be archived on a regular basis to prevent any data from being lost. (§ 3.9, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • The agency shall retain audit records for at least 1 year and continue to retain them until it is determined they are no longer needed for audit, legal, administrative, or other operational purposes. (§ 5.4.6, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Retention time frames and storage policies of logs. (App A Objective 15:7b Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization should not destroy or modify the logs. (Pg 34, Exam Tier II Obj B.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should maintain all telephone recordings of payment orders for a minimum of 30 days. (Pg 19, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The service provider must keep audit records online for at least 90 days. (Column F: AU-11, FedRAMP Baseline Security Controls)
  • The organization must ensure all audit logs for any systems that contain Federal Tax Information are retained for at least 6 years. (§ 5.6.2, Exhibit 4 AU-11, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Is the administrative access log reviewed, printed, and retained by management? (IT - Firewalls Q 39, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are the intrusion detection logs archived? (IT - IDS IPS Q 22, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the router log activity monitored and kept, if the router is maintained by a third party? (IT - Routers Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are the logs maintained for a stated period of time? (IT - Servers Q 17, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Calls for Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents and the system configuration should be examined to ensure the audit information is written to hardware-enforced, write-once media. Test the system by generating audit information to ensure it is written to hardware-enforced write-once media. (AU-9(1), AU-9.7, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Protect archived log files. (§ 5.1.3 Bullet 3, Guide to Computer Security Log Management, NIST SP 800-92)
  • Audit records must be retained for a predetermined period of time to support after-the-fact security incident investigations and to meet organizational and regulatory retention requirements. (App F § AU-11, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization employs {organizationally documented measures} to ensure that long-term audit records generated by the information system can be retrieved. (AU-11(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved. (AU-11(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved. (AU-11(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved. (AU-11(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • All records pertaining to an audit or review should be kept for 7 years. This includes all workpapers, memoranda, communications, and electronic and other records. (§ 210.2-06(a), 17 CFR Part 210.2-06, Retention of Audit and Review Records)
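Several of the authority documents above turn this control into concrete mechanics: CF.10.04.10b, CIS Control 6.3 and Critical Control 14.3 require that logs be archived on a rotation schedule and digitally signed before storage, and the PCI DSS entries (10.7 / 10.5.1) fix the retention tiers at twelve months retained with the most recent three months immediately available. The following is an added example of those mechanics and is not code from this control page or from any of the cited standards. It assumes a rotated log file on local disk, an archive directory, and a signing key held by the archive service; to keep it standard-library only it uses HMAC-SHA256 as a keyed signature, which is a deliberate simplification, since a true digital signature (for example Ed25519 via the `cryptography` package) lets an auditor verify archives without holding any secret. The file names, dates and log lines are constructed for the example.

```python
"""Added example: rotate a log into a signed, compressed archive, verify it
later, and classify archives against a 12-month / 3-month retention rule.

Assumptions (not from the page): logs live on local disk, the archive
service holds an HMAC key in a secret store, and HMAC-SHA256 stands in for
a public-key digital signature so the example runs offline.
"""
import gzip
import hashlib
import hmac
import json
import os
import tempfile
from datetime import date

# Constructed sample log lines (not real data).
SAMPLE_LOG = b"\n".join([
    b"2024-01-03T10:15:01Z sshd[1021]: Accepted publickey for alice from 10.0.0.5",
    b"2024-01-03T10:16:44Z sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
    b"2024-01-03T10:20:09Z sshd[1044]: Failed password for root from 203.0.113.7",
]) + b"\n"

RETAIN_DAYS = 365   # PCI DSS: retain audit log history at least 12 months
ONLINE_DAYS = 90    # most recent three months immediately available


def archive_log(src_path, archive_dir, key, archived_on):
    """Compress a rotated log, record its SHA-256 and a keyed signature in a
    sidecar manifest, and return the manifest dict."""
    with open(src_path, "rb") as f:
        data = f.read()
    digest = hashlib.sha256(data).hexdigest()
    name = f"{os.path.basename(src_path)}.{archived_on.isoformat()}.gz"
    out_path = os.path.join(archive_dir, name)
    with gzip.open(out_path, "wb") as gz:
        gz.write(data)
    # Sign over name, date and content hash together, so a renamed or
    # re-dated archive fails verification just like an edited one.
    signed = f"{name}|{archived_on.isoformat()}|{digest}".encode()
    manifest = {
        "archive": name,
        "archived_on": archived_on.isoformat(),
        "sha256": digest,
        "hmac_sha256": hmac.new(key, signed, hashlib.sha256).hexdigest(),
    }
    with open(out_path + ".manifest.json", "w") as m:
        json.dump(manifest, m)
    return manifest


def verify_archive(manifest_path, key):
    """Return True only if the manifest signature and the archive's content
    hash both check out; constant-time comparisons throughout."""
    with open(manifest_path) as m:
        manifest = json.load(m)
    signed = f"{manifest['archive']}|{manifest['archived_on']}|{manifest['sha256']}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        return False
    archive_path = os.path.join(os.path.dirname(manifest_path), manifest["archive"])
    with gzip.open(archive_path, "rb") as gz:
        actual = hashlib.sha256(gz.read()).hexdigest()
    return hmac.compare_digest(actual, manifest["sha256"])


def retention_tier(archived_on_iso, today_iso):
    """Classify an archive by age: 'online' (within 90 days, must be
    immediately analysable), 'archived' (within the 12-month minimum) or
    'expired' (past the minimum; disposable only after legal holds and any
    longer regime such as the 6- or 7-year rules above are checked)."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(archived_on_iso)).days
    if age <= ONLINE_DAYS:
        return "online"
    if age <= RETAIN_DAYS:
        return "archived"
    return "expired"


def demo():
    """Archive the constructed log, verify it, tamper with it, verify again.
    Returns (verified_before_tamper, verified_after_tamper)."""
    key = b"example-hmac-key-kept-in-a-secret-store"   # assumption: from a secret store
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "auth.log")
        with open(src, "wb") as f:
            f.write(SAMPLE_LOG)
        manifest = archive_log(src, d, key, date(2024, 1, 3))
        manifest_path = os.path.join(d, manifest["archive"] + ".manifest.json")
        ok_before = verify_archive(manifest_path, key)
        # Tamper: rewrite the archive with the first line removed.
        with gzip.open(os.path.join(d, manifest["archive"]), "wb") as gz:
            gz.write(b"\n".join(SAMPLE_LOG.split(b"\n")[1:]))
        ok_after = verify_archive(manifest_path, key)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
    print(retention_tier("2024-01-03", "2025-02-01"))
```

The manifest is signed over the archive name and date as well as the content hash, so that substituting an older archive under a newer name is caught, not only in-place edits. Because HMAC verification needs the same key that produced the signature, anyone holding that key can forge a manifest; that is the reason the cited controls ask for a digital signature, and the only change needed here is to replace the two `hmac.new(...)` calls with a private-key sign and a public-key verify.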