Define and assign log management roles and responsibilities.


Control ID: 06311
Control Type: Establish Roles
Classification: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain logging and monitoring operations., CC ID: 00637

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • All application systems need to be tested before implementation in a robust manner regarding controls to ensure that they satisfy business policies/rules of the bank and regulatory and legal prescriptions/requirements. Robust controls need to be built into the system and reliance on any manual contr… (Critical components of information security 11) c.3., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization should assign responsibility for monitoring on a regular basis. (¶ 67, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • APRA envisages that a regulated institution would establish a clear allocation of responsibility for regular monitoring, with appropriate processes and tools in place to manage the volume of monitoring required, thereby reducing the risk of an incident going undetected. (¶ 67, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Security event log management should include defining roles and responsibilities. (CF.10.04.03-2, The Standard of Good Practice for Information Security)
  • Security event log management should include defining roles and responsibilities. (CF.10.04.03-2, The Standard of Good Practice for Information Security, 2013)
  • who shall analyse and evaluate these results. (§ 9.1 ¶ 2 f), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization has established and assigned roles and responsibilities for systematic monitoring and reporting processes. (DE.DP-1.1, CRI Profile, v1.2)
  • The organization has established and assigned roles and responsibilities for systematic monitoring and reporting processes. (DE.DP-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information. (AU-6(7) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization must ensure that security personnel who are responsible for administering access control do not perform auditing functions. (CSR 2.1.6, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The Records Management Application shall have the capability for only authorized individuals to determine which objects and actions from section c2.2.8.1 are audited. (§ C2.2.8.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The Records Management Application, in conjunction with the operating environment, shall allow the export and/or backup and removal of audit files from the system by authorized individuals only. (§ C2.2.8.5, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The responsibilities of the authorized individuals referred to in section c2.2.8.2 (determining which objects and named actions to audit) shall be accomplished by an Application Administrator (managing the audits). (Table C2.T5 Requirement 2.2.8.2, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The responsibilities of the authorized individuals referred to in section c2.2.8.5 (exporting, backing up, and removing audit files from the system) shall be accomplished by an Application Administrator (exporting, backing up, and removing audit files) or a records manager (filing audit logs as reco… (Table C2.T5 Requirement C2.2.8.5, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • If technology permits auditing to be disabled, the ability to do so must be restricted to a limited set of users. (§ 170.315 (d) (10) (ii), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • If technology permits auditing to be disabled, the ability to do so must be restricted to a limited set of users. (§ 170.315 (d) (10) (ii), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Determine whether the institution has a well-defined role for the implementation and use of information systems reporting and that it produces accurate and useful reports. Determine the effectiveness of the reports used by senior management or relevant management committees to supervise and monitor … (App A Objective 3:5, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The organization specifies the permitted actions for each [FedRAMP Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information. (AU-6(7) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Specify the permitted actions for each [FedRAMP Assignment: information system process; role; user] associated with the review, analysis, and reporting of audit record information. (AU-6(7) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Is the router configuration reviewed and/or kept by internal employees, when the router is maintained by a third party? (IT - Routers Q 7, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the router configuration reviewed and/or kept by authorized internal employees? (IT - Routers Q 20, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is there a specific individual or group who is responsible for overseeing the system audit review? (IT - Security Program Q 27, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • As part of the log management planning process, an organization should define the roles and responsibilities of individuals and teams who are expected to be involved in log management. (§ 4.1, Guide to Computer Security Log Management, NIST SP 800-92)
  • The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information. (AU-6(7) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information. (AU-6(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information. (AU-6(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)