Make logs available for review by the owning entity.

CONTROL ID: 12046
CONTROL TYPE: Log Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain logging and monitoring operations., CC ID: 00637

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • In instances where processing systems and related audit trails are the responsibility of a third-party service provider, the bank should ensure that it has access to relevant audit trails maintained by the service provider apart from ensuring that the audit trails maintained by the service provider … (Critical components of information security 21) viii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Upon request of the cloud customer, the cloud provider makes the logs affecting them available promptly and in an appropriate form so that they can examine the incidents affecting them themselves. (Section 5.6 RB-14 Description of additional requirements (confidentiality) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • To monitor the data backup, the cloud customer is provided with the relevant logs or the summary of the results via a self-service portal. (Section 5.6 RB-07 Description of additional requirements (availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • You should be provided with the audit records needed to monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales. (13. ¶ 1, Cloud Security Guidance, 1.0)
  • You should be provided with the audit records needed to monitor access to your service and the data held within it. (13: ¶ 1, Cloud Security Guidance, 1.0)
  • Providers should supply logs needed to monitor access to your service, and the data held within it. (13. ¶ 1, Cloud Security Guidance, 2)
  • The control system shall provide the capability to centrally manage audit events and to compile audit records from multiple components throughout the control system into a system-wide (logical or physical), time-correlated audit trail. The control system shall provide the capability to export these… (6.10.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Are at least the last three months’ logs immediately available for analysis? (10.7 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Logs are available for review by the owning entity? (A.1.3 (b) Bullet 3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Logs are available for review by the owning entity? (A1.3(b) Bullet 3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Logs are available for review only by the owning customer. (A1.2.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Log data and availability is consistent with PCI DSS Requirement 10. (A1.2.1 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. (10.5.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Procedures for retaining audit log history for at least 12 months, with at least the most recent three months immediately available online. (10.5.1.a Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel and observe processes to verify that at least the most recent three months' audit log history is immediately available for analysis. (10.5.1.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. (10.5.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. (10.5.1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. (10.5.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis. (10.5.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Logs are available for review only by the owning customer. (A1.2.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Log data and availability is consistent with PCI DSS Requirement 10. (A1.2.1 Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The public cloud PII processor should define criteria regarding if, when and how log information can be made available to or usable by the cloud service customer. These procedures should be made available to the cloud service customer. (§ 12.4.1 ¶ 5, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • Upon request by the Mission Owner, the CSP will make all Mission Owner data stored in a CSO available for electronic transfer out of the CSP environment in a standard, non-proprietary format. CSPs must also make available all audit logs relevant to the Mission Owner's use of the CSO. This includes a… (Section 5.8 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Enable a user to provide electronic feedback data for evidence-based decision support interventions selected via the capability provided in paragraph (b)(11)(iii)(A) of this section and make available such feedback data to a limited set of identified users for export, in a computable format, includi… (§ 170.315 (b) (11) (ii) (C), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Log records are generated and made available for continuous monitoring (PR.PS-04, The NIST Cybersecurity Framework, v2.0)