Back

Restrict access to logs to authorized individuals.


CONTROL ID
01342
CONTROL TYPE
Log Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a log management program., CC ID: 00673

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Ensuring that privileged users do not have access to systems logs in which their activities are being captured (Critical components of information security 5) (xiii) f), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The integrity of the monitoring logs and processes should be safeguarded through appropriate access controls and segregation of duties. (Critical components of information security 17) vii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Logging activity, with daily administrator review and limiting administrative access to few individuals (Critical components of information security 24) vii. a) ¶ 13 Bullet 7, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Disallow privileged users from accessing systems logs in which their activities are being captured; (§ 11.2.3.f, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The organization should use segregation of duties and access controls to protect the integrity of the monitoring logs. (¶ 70, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Access controls and segregation of duties would normally be used as a means to safeguard the integrity of the monitoring logs and processes. (¶ 70, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Providers of high-risk AI systems shall, upon request by a national competent authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the high-risk AI system with the requirements set out in Chapter 2 of this Title, in an official Union… (Article 23 ¶ 1, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • provide a national competent authority, upon a reasoned request, with all the information and documentation necessary to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title, including access to the logs automatically generated by the high-risk… (Article 25 2(b), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • Importers shall provide national competent authorities, upon a reasoned request, with all necessary information and documentation to demonstrate the conformity of a high-risk AI system with the requirements set out in Chapter 2 of this Title in a language which can be easily understood by that natio… (Article 26 5., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Ameding Certain Union Legislative Acts)
  • App 2 ¶ 14.f: For IT systems that process and access restricted information, the system must make all security records inaccessible to users without a need to know. If the system cannot implement this, the equipment shall be protected by physical means when not in use, such as removing the hard dri… (App 2 ¶ 14.f, App 6 ¶ 15.f, The Contractual process, Version 5.0 October 2010)
  • You hold logging data securely and grant read access only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted. (C1.b ¶ 1, NCSC CAF guidance, 3.1)
  • the purposes of criminal proceedings. (§ 62(4)(d), UK Data Protection Act 2018 Chapter 12)
  • the purposes of criminal proceedings. (§ 62(4)(d), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • Are log files protected against malicious access, including any alteration or deletion? (Table Row VII.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Who has access to the log files? (Table Row VII.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible Description: CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket t… (3.3, CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 1)
  • Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible Description: CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket t… (3.3, CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 2)
  • The control system shall provide the capability for authorized humans and/or tools to access audit logs on a read-only basis. (10.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The control system shall provide programmatic access to audit records using an application programming interface (API). (10.3.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Components shall provide the capability for authorized humans and/or tools to access audit logs on a read-only basis. (10.3.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Components shall provide programmatic access to audit records by either using an application programming interface (API) or sending the audit records to a centralized system. (10.3.3 (1) ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Verify the viewing of log entries is restricted to the entity that owns the log, on a shared hosting provider. (App A Testing Procedures § A.1.2.d, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers, 3)
  • Is viewing of log entries restricted to the owning entity? (A.1.2 (d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is viewing of log entries restricted to the owning entity? (A1.2(d), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Read access to audit logs files is limited to those with a job-related need. (10.3.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine system configurations and privileges and interview system administrators to verify that current audit log files are protected from modifications by individuals via access control mechanisms, physical segregation, and/or network segregation. (10.3.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview system administrators and examine system configurations and privileges to verify that only individuals with a job-related need have read access to audit log files. (10.3.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Read access to audit logs files is limited to those with a job-related need. (10.3.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Read access to audit logs files is limited to those with a job-related need. (10.3.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Read access to audit logs files is limited to those with a job-related need. (10.3.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Read access to audit logs files is limited to those with a job-related need. (10.3.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Restrict audit logs access to authorized personnel and maintain records that provide unique access accountability. (LOG-04, Cloud Controls Matrix, v4.0)
  • Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and … (IAM-12, Cloud Controls Matrix, v4.0)
  • Audit logs recording privileged user access activities, authorized and unauthorized access attempts, system exceptions, and Information Security events shall be retained, complying with applicable policies and regulations. (SA-14, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Physical and logical user access to audit logs shall be restricted to authorized personnel. (SA-14, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. (AU-9(4) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. (AU-9(4) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • On UNIX computers or Linux computers that transmit scoped data, are audit logs protected against inappropriate access? (§ G.16.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, are audit logs protected against inappropriate access? (§ G.16.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, are audit logs protected against inappropriate access? (§ G.16.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On windows systems that transmit scoped data, are audit logs protected against inappropriate access? (§ G.17.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On windows systems that process scoped data, are audit logs protected against inappropriate access? (§ G.17.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On windows systems that store scoped data, are audit logs protected against inappropriate access? (§ G.17.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that transmit scoped data, are audit logs adequately protected against inappropriate access? (§ G.18.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, are audit logs adequately protected against inappropriate access? (§ G.18.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, are audit logs adequately protected against inappropriate access? (§ G.18.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On as400 systems that transmit scoped data, are audit logs protected against inappropriate access? (§ G.19.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On as400 systems that process scoped data, are audit logs protected against inappropriate access? (§ G.19.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On as400 systems that store scoped data, are audit logs protected against inappropriate access? (§ G.19.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On open vms (vax or alpha) systems that transmit scoped data, are audit logs protected against inappropriate access? (§ G.20.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On open vms (vax or alpha) systems that process scoped data, are audit logs protected against inappropriate access? (§ G.20.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are audit logs protected against inappropriate access? (§ V.1.72.10, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The Records Management Application shall have the capability to view, copy, save, and print the record history file based on user permissions. (§ C4.1.17, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • When disabling the audit log is permitted. For each capability specified in paragraphs (d)(2)(i)(A) through (C) of this section that technology permits to be disabled, the ability to do so must be restricted to a limited set of users. (§ 170.315 (d) (2) (iii), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • When disabling the audit log is permitted. For each capability specified in paragraphs (d)(2)(i)(A) through (C) of this section that technology permits to be disabled, the ability to do so must be restricted to a limited set of users. (§ 170.315 (d) (2) (iii), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Controls to restrict access to log settings. (App A Objective 15:7b Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. (AU-9(4) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. (AU-9(4) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. (AU-9(4) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. (AU-9(4) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. (AU-9(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. (AU-9(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • § 4.2 Bullet 4 Organizations should develop policies that clearly define mandatory requirements and suggested recommendations for who must or should be able to access the log data. § 5.1.3 Bullet 1 Limit access to log files. (§ 4.2 Bullet 4, § 5.1.3 Bullet 1, Guide to Computer Security Log Management, NIST SP 800-92)
  • The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. (AU-9(4) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. (AU-9(4) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • There should be a method for tracing all console activities to a user, either manually (e.g., control room sign in) or automatic (e.g., login at the application and/or OS layer). Policies and procedures for what is logged, how the logs are stored (or printed), how they are protected, who has access … (§ 6.2.3 ICS-specific Recommendations and Guidance ¶ 7, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should limit the number of privileged users who have access to managing the audit functions. (App F § AU-9(4)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization authorizes access to management of audit functionality to only {organizationally documented subset of privileged users}. (AU-9(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization authorizes read-only access to audit information to {organizationally documented subset of privileged users}. (AU-9(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization authorizes access to management of audit functionality to only {organizationally documented subset of privileged users}. (AU-9(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization authorizes access to management of audit functionality to only {organizationally documented subset of privileged users}. (AU-9(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. (AU-9(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. (AU-9(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users]. (AU-9(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. (AU-9(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. (AU-9(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles]. (AU-9(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. (AU-9(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles]. (AU-9(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]. (AU-9(4) ¶ 1, TX-RAMP Security Controls Baseline Level 2)