Follow up exceptions and anomalies identified when reviewing logs.

CONTROL ID
11925
CONTROL TYPE
Investigate
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Review and update event logs and audit logs, as necessary. (CC ID: 00596)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable problems to be identified and corrected … (5.2.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Error/exception reports and logs need to be reviewed and any issues need to be remedied/addressed at the earliest. (Critical components of information security 11) c.22., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Security personnel and/or administrators designated in this regard should identify anomalies in logs and actively review the anomalies, documenting their findings on an ongoing basis (Critical components of information security 21) v.c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Logging remote access communications, analyzing them in a timely manner, and following up on anomalies (Critical components of information security 25) iii.h., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Follow up exceptions and anomalies identified during the review process. (10.6.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Follow up exceptions and anomalies identified during the review process. (10.6.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Follow up exceptions and anomalies identified during the review process. (10.6.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is follow up to exceptions and anomalies identified during the review process performed? (10.6.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Is follow up to exceptions and anomalies identified during the review process performed? (10.6.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is follow up to exceptions and anomalies identified during the review process performed? (10.6.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Is follow up to exceptions and anomalies identified during the review process performed? (10.6.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are written policies and procedures defined for following up on exceptions and anomalies identified during the review process? (10.6.3 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is follow up to exceptions and anomalies performed? (10.6.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are written policies and procedures defined for following up on exceptions and anomalies identified during the review process? (10.6.3(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is follow up to exceptions and anomalies performed? (10.6.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is follow up to exceptions and anomalies performed? (10.6.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is follow up to exceptions and anomalies performed? (10.6.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are written policies and procedures defined for following up on exceptions and anomalies identified during the review process? (10.6.3(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine security policies and procedures to verify that procedures are defined for following up on exceptions and anomalies identified during the review process. (10.6.3.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Observe processes and interview personnel to verify that follow-up to exceptions and anomalies is performed. (10.6.3.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Exceptions and anomalies identified during the review process are addressed. (10.4.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine security policies and procedures to verify that processes are defined for addressing exceptions and anomalies identified during the review process. (10.4.3.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Observe processes and interview personnel to verify that, when exceptions and anomalies are identified, they are addressed. (10.4.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Exceptions and anomalies identified during the review process are addressed. (10.4.3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Exceptions and anomalies identified during the review process are addressed. (10.4.3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Exceptions and anomalies identified during the review process are addressed. (10.4.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Exceptions and anomalies identified during the review process are addressed. (10.4.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Monitor security audit logs to detect activity outside of typical or expected patterns. Establish and follow a defined process to review and take appropriate and timely actions on detected anomalies. (LOG-05, Cloud Controls Matrix, v4.0)
  • Determine whether management has a log management process to use logs to identify, track, analyze, and resolve problems that occur during day-to-day operations. Describe how management collects and collates logs and how management uses logs to respond to issues. Evaluate how management addresses the… (App A Objective 15:7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Escalation processes for anomalies. (App A Objective 15:7b Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Exception items are controlled and tracked adequately. (App A Tier 2 Objectives and Procedures M.1 Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., FedRAMP Security Controls High Baseline, Version 5)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; (AU-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)