
Protect logs from unauthorized activity.


CONTROL ID: 01345
CONTROL TYPE: Log Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a log management program., CC ID: 00673

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization should protect the audit trails, logs, operation records, and other information against unauthorized access, falsification, and other malicious acts. This can be accomplished by encrypting the information and storing the data on non-rewritable media offline and in a protected place. (T37.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Audit trails, operation records, logs, and other information should be properly protected against falsification, unauthorized access, and other malicious acts by anyone other than duly authorized personnel. (P10.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is also necessary to prevent abuse by unauthorized action involving work logs and other management documentation of those processes by keeping them under the strict control of managers. (P30.2. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The audit trails need to be stored as per a defined period as per any internal/regulatory/statutory requirements and it should be ensured that they are not tampered with. (Critical components of information security 11) c.7., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Audit trails should be secured to ensure the integrity of the information captured, including the preservation of evidence. Retention of audit trails should be in line with business, regulatory and legal requirements. (Critical components of information security 21) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Setting logging parameters to disallow any modification to previously written data (Critical components of information security 21) iii.e., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks' networks should be designed to support effective monitoring. Design considerations include network traffic policies that address the allowed communications between computers or groups of computers, security domains that implement the policies, sensor placement to identify policy violations an… (Critical components of information security 17) iii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should adequately protect and retain system logs to facilitate any future investigation. When determining the log retention period, the FI should take into account statutory requirements for document retention and protection. (§ 9.6.6, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Event logs are protected from unauthorised access, modification and deletion. (Security Control: 0586; Revision: 4, Australian Government Information Security Manual, March 2021)
  • PowerShell script block logs are protected by Protected Event Logging functionality (Security Control: 1624; Revision: 0, Australian Government Information Security Manual, March 2021)
  • PowerShell script block logs are protected by Protected Event Logging functionality. (Control: ISM-1624; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Event logs stored within a centralised event logging facility are protected from unauthorised modification and deletion. (Control: ISM-1815; Revision: 0, Australian Government Information Security Manual, June 2023)
  • PowerShell script block logs are protected by Protected Event Logging functionality. (Control: ISM-1624; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Event logs stored within a centralised event logging facility are protected from unauthorised modification and deletion. (Control: ISM-1815; Revision: 0, Australian Government Information Security Manual, September 2023)
  • The database event logs must be protected from unauthorized access, unauthorized deletion, unauthorized modification, or loss. (Control: 1282, Australian Government Information Security Manual: Controls)
  • The organization must establish and maintain logging requirements, including log protection requirements. (Control: 0580 Bullet 3, Australian Government Information Security Manual: Controls)
  • The event logs must be protected against unauthorized access and modification. (Control: 0586 Bullet 1, Australian Government Information Security Manual: Controls)
  • Audit trails would typically be secured to ensure the integrity of the information captured, including the preservation of evidence. Retention of audit trails would normally be in line with business requirements (including regulatory and legal). (¶ 75, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Audit logs should be protected from unauthorized modifications and unauthorized access. (§ 3.7.17, Australian Government ICT Security Manual (ACSI 33))
  • The generated logs are stored on central logging servers on which they are protected against unauthorised access and changes. Logged data must be deleted immediately once they are no longer required to fulfill the purpose. Authentication takes place between the logging servers and the logged assets i… (Section 5.6 RB-13 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Event logs (contents and meta data) are protected against alteration. (e.g. by a dedicated environment). (5.2.4 Requirements (should) Bullet 2, Information Security Assessment, Version 5.1)
  • Data types that are often overlooked include credentials, configuration data, derived metadata and logs. These must also be appropriately protected. (2. ¶ 2, Cloud Security Guidance, 2)
  • to assist with self-monitoring by the controller or (as the case may be) the processor, including the conduct of internal disciplinary proceedings; (§ 62(4)(b), UK Data Protection Act 2018 Chapter 12)
  • to assist with self-monitoring by the controller or (as the case may be) the processor, including the conduct of internal disciplinary proceedings; (§ 62(4)(b), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • Are log files protected against malicious access, including any alteration or deletion? (Table Row VII.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Protect audit trails from unauthorized modifications. (§ 5.6, The Center for Internet Security AIX Benchmark, 1.0.1)
  • Protect audit trails from unauthorized modifications. (§ 5.4, § 5.5, The Center for Internet Security FreeBSD Benchmark, 1.0.5)
  • Protect audit trails from unauthorized modifications. (§ 7.5, The Center for Internet Security HP-UX Benchmark, 1.4.2)
  • Protect audit trails from unauthorized modifications. (§ 5.3, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.0.5)
  • Protect audit trails from unauthorized modifications. (§ 5.3, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.1.1)
  • Protect audit trails from unauthorized modifications. (§ 5.3, The Center for Internet Security Slackware Linux Benchmark, 1.1)
  • The system hardening procedure to protect audit trails from unauthorized modifications is called for. (§ 4.9, The Center for Internet Security Solaris 10 Benchmark, 2.1.2)
  • Protect audit trails from unauthorized modifications. (§ 5.9, The Center for Internet Security Solaris Benchmark, 1.5.0)
  • Protect audit trails from unauthorized modifications. (§ 5.3, The Center for Internet Security SuSE Linux Enterprise Server Benchmark, 2)
  • All linked components must be unchangeably linked in the system security audit trail. (¶ 20.1, Good Practices For Computerized systems In Regulated GXP Environments)
  • The control system shall protect audit information and audit tools (if present) from unauthorized access, modification and deletion. (7.11.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Components shall protect audit information, audit logs, and audit tools (if present) from unauthorized access, modification and deletion. (7.11.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Verify that current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation. (§ 10.5.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Interview System Administrators and examine system configurations and permissions to verify audit trails are protected from unauthorized modifications with access control mechanisms, network segregation, and/or physical segregation. (Testing Procedures § 10.5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview System Administrators and examine system configurations and permissions to verify audit trail files are promptly backed up to a centralized log server or media that is difficult to change. (Testing Procedures § 10.5.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the system settings, monitored files, and results from monitoring activities to verify file integrity monitoring software or change detection software is being used on the audit logs. (Testing Procedures § 10.5.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify that current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation. (§ 10.5.2 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The organization must ensure audit trails are protected from unauthorized modifications. (§ 10.5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The organization must ensure audit trails use software to ensure the files cannot be altered without generating an alert. (§ 10.5.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify the use of file-integrity monitoring or change-detection software for logs by examining system settings and monitored files and results from monitoring activities. (§ 10.5.5 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Audit trail files must be protected against unauthorized modifications. (PCI DSS Requirements § 10.5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • File integrity monitoring or change detection software must be used on audit logs to ensure the log data cannot be changed absent sending an alert. (PCI DSS Requirements § 10.5.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Secure audit trails so they cannot be altered. (10.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Protect audit trail files from unauthorized modifications. (10.5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Protect audit trail files from unauthorized modifications. (10.5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Secure audit trails so they cannot be altered. (10.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Secure audit trails so they cannot be altered. (10.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Protect audit trail files from unauthorized modifications. (10.5.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are audit trail files protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation? (10.5.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are audit trails secured so they cannot be altered, as follows: (10.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are audit trail files protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation? (10.5.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are audit trails secured so they cannot be altered, as follows: (10.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are audit trail files protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation? (10.5.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are audit trail files protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation? (10.5.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are audit trail files protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation? (10.5.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are audit trails secured so they cannot be altered, as follows: (10.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation. (10.5.2, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered as follows: (10.5, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Audit log files are protected to prevent modifications by individuals. (10.3.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Are audit trail files protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation? (PCI DSS Question 10.5.2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is file integrity monitoring or change detection software used on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)? (PCI DSS Question 10.5.5, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are audit trail files protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation? (PCI DSS Question 10.5.2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is file integrity monitoring or change detection software used on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)? (PCI DSS Question 10.5.5, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Audit log files are protected to prevent modifications by individuals. (10.3.2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit log files are protected to prevent modifications by individuals. (10.3.2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit log files are protected to prevent modifications by individuals. (10.3.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit log files are protected to prevent modifications by individuals. (10.3.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Standards / procedures should cover protection of security-related event logs (e.g., via encryption, Access Control, and back-up). (CF.10.04.02f, The Standard of Good Practice for Information Security)
  • Security-related event logging should be protected from accidental or deliberate modification. (CF.10.04.06b-1, The Standard of Good Practice for Information Security)
  • Security-related event logging should be protected from accidental or deliberate overwriting. (CF.10.04.06b-2, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover protection of security-related event logs (e.g., via encryption, Access Control, and back-up). (CF.10.04.02f, The Standard of Good Practice for Information Security, 2013)
  • Security-related event logging should be protected from accidental or deliberate modification. (CF.10.04.06b-1, The Standard of Good Practice for Information Security, 2013)
  • Security-related event logging should be protected from accidental or deliberate overwriting. (CF.10.04.06b-2, The Standard of Good Practice for Information Security, 2013)
  • The information system protects audit records from unauthorized access, modification, and deletion. (LOG-09, Cloud Controls Matrix, v4.0)
  • Define, implement and evaluate processes, procedures and technical measures to ensure the logging infrastructure is read-only for all with write access, including privileged access roles, and that the ability to disable it is controlled through a procedure that ensures the segregation of duties and … (IAM-12, Cloud Controls Matrix, v4.0)
  • The audit trail should be protected from being deleted or modified by unauthorized personnel. Modifications to the audit configuration should be recorded. (§ 8.5, § 8.6, § C.7, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • Logging facilities and log information shall be protected against tampering and unauthorized access. (A.12.4.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. (A.12.4.3 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Audit trails should be protected against unauthorized modifications. (§ 10.10.3, ISO 27002 Code of practice for information security management, 2005)
  • Audit records shall be secure and tamper-proof. Access to system audit tools and audit trails shall be safeguarded to prevent misuse or compromise. (§ 12.4.2 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • System administrator and system operator activities should be logged and the logs protected and regularly reviewed. (§ 12.4.3 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Logging facilities and log information should be protected against tampering and unauthorized access. (§ 12.4.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. (§ 8.15 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Where a cloud service customer is permitted to access log records controlled by the public cloud PII processor, the public cloud PII processor should ensure that the cloud service customer can only access records that relate to that cloud service customer’s activities, and cannot access any log re… (§ 12.4.1 ¶ 6, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Where a cloud service customer is permitted to access log records controlled by the public cloud PII processor, the public cloud PII processor should ensure that the cloud service customer can only access records that relate to that cloud service customer's activities, and cannot access any log reco… (§ 12.4.1 ¶ 6, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • On UNIX computers or Linux computers that transmit scoped data, are audit logs protected against modification? (§ G.16.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that process scoped data, are audit logs protected against modification? (§ G.16.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On UNIX computers or Linux computers that store scoped data, are audit logs protected against modification? (§ G.16.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On windows systems that transmit scoped data, are audit logs protected against modification? (§ G.17.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On windows systems that process scoped data, are audit logs protected against modification? (§ G.17.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On windows systems that store scoped data, are audit logs protected against modification? (§ G.17.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that transmit scoped data, are audit logs adequately protected against modification? (§ G.18.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, are audit logs adequately protected against modification? (§ G.18.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, are audit logs adequately protected against modification? (§ G.18.10, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On as400 systems that transmit scoped data, are audit logs protected against modification? (§ G.19.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On as400 systems that process scoped data, are audit logs protected against modification? (§ G.19.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On as400 systems that store scoped data, are audit logs protected against modification? (§ G.19.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On open vms (vax or alpha) systems that transmit scoped data, are audit logs protected against modification? (§ G.20.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On open vms (vax or alpha) systems that process scoped data, are audit logs protected against modification? (§ G.20.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On open vms (vax or alpha) systems that store scoped data, are audit logs protected against modification? (§ G.20.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are audit logs protected against modification? (§ V.1.72.10, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion. (AU.3.049, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion. (AU.3.049, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion. (AU.3.049, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion. (AU.L2-3.3.8 Audit Protection, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The Records Management Application, in conjunction with the operating environment, shall not allow the editing of the audit logs. (§ C2.2.8.6, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application shall not allow the record history file to be edited. (§ C4.1.17, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The audit trail must be protected against unauthorized modification, unauthorized access, or unauthorized deletion. (ECTP-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Test to ensure the organization can detect any unauthorized changes in audit trails. (ECTP-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Audit trails must be protected from unauthorized access, deletion, or modification. (§ 8-602.a, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Audit log protection. Actions and statuses recorded in accordance with paragraph (d)(2)(i) of this section must not be capable of being changed, overwritten, or deleted by the technology. (§ 170.315 (d) (2) (iv), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Audit log protection. Actions and statuses recorded in accordance with paragraph (d)(2)(i) of this section must not be capable of being changed, overwritten, or deleted by the technology. (§ 170.315 (d) (2) (iv), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Complete electronic health records (EHRs) or EHR modules must be capable of detecting the alteration of audit logs electronically, unless designated as optional, and in accordance with the applicable standards and implementation specifications. (§ 170.302(s)(3), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, Final Rule)
  • The Information System shall protect the audit information and the audit tools from deletion, unauthorized access, and modification. (§ 5.4.5, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency's information system shall protect audit information and audit tools from modification, deletion and unauthorized access. (§ 5.4.5 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency's information system shall protect audit information and audit tools from modification, deletion and unauthorized access. (§ 5.4.5 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Implementation of controls to protect logs. (App A Objective 15:7e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Logs should be reviewed periodically to ensure they are complete and have not been deleted, overwritten, modified, or compromised. (Pg 34, FFIEC IT Examination Handbook - Operations, July 2004)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., FedRAMP Security Controls High Baseline, Version 5)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., FedRAMP Security Controls Low Baseline, Version 5)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • § 5.6.2, Exhibit 4 AU-9: The organization must protect all audit information from unauthorized modification, unauthorized access, and deletion. Exhibit 9 Event 16: Audit trails must be protected against unauthorized use, unauthorized access, unauthorized modification, and deletion. (§ 5.6.2, Exhibit 4 AU-9, Exhibit 9 Event 16, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Audit log file ownership should be restricted. Technical Mechanisms: /var/audit/*. Parameters: user. References: Section: 4.9, Value: root. (CCE-4126-9, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • The configuration of the system should be examined to ensure auditing information and auditing tools are protected from unauthorized access, modification, and deletion. Organizational records and documents should be examined to ensure specific responsibilities and actions are defined for the impleme… (AU-9, AU-9.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Organizations should develop policies that clearly define mandatory requirements and suggested recommendations for how the confidentiality, integrity, and availability of each type of log data must or should be protected while in transit, including whether a separate logging network should be used. (§ 4.2 Bullet 2, Guide to Computer Security Log Management, NIST SP 800-92)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • There should be a method for tracing all console activities to a user, either manually (e.g., control room sign in) or automatic (e.g., login at the application and/or OS layer). Policies and procedures for what is logged, how the logs are stored (or printed), how they are protected, who has access … (§ 6.2.3 ICS-specific Recommendations and Guidance ¶ 7, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The smart grid Information System must protect audit tools and audit information from unauthorized modification, unauthorized access, and unauthorized deletion. (SG.AU-9 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should protect the information that is collected from intrusion monitoring tools from unauthorized modification, unauthorized access, and unauthorized deletion. (SG.SI-4 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Protect audit information and audit tools from unauthorized access, modification, and deletion. (3.3.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion. (3.3.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion. (3.3.8, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • Audit information and audit tools must be protected against unauthorized access, deletion, and modification. (App F § AU-9, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should protect information received from the intrusion monitoring tools against unauthorized access, unauthorized modification, and unauthorized deletion. (App F § SI-4(8), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and (AU-9a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, TX-RAMP Security Controls Baseline Level 1)
  • The information system protects audit information and audit tools from unauthorized access, modification, and deletion. (AU-9 Control, TX-RAMP Security Controls Baseline Level 2)