
Refrain from recording unnecessary restricted data in logs.


CONTROL ID
06318
CONTROL TYPE
Log Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a log management program., CC ID: 00673

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy. (7.1.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form. (7.1.1, Application Security Verification Standard 4.0.3, 4.0.3)
  • Avoid recording unneeded sensitive data, such as passwords or privacy related data. (§ 5.1.3 Bullet 2, Guide to Computer Security Log Management, NIST SP 800-92)