Objective: Event logs support the traceability of events in case of a security incident. This requires that events necessary to determine the causes are recorded and stored. In addition, the logging and analysis of activities in accordance with applicable legislation (e.g. Data Protection or Works Constitution Act) is required to determine which user account has made changes to IT systems.
Requirements (must): Information security requirements regarding the handling of event logs are determined and fulfilled.
Security-relevant requirements regarding the logging of activities of system administrators and users are determined and fulfilled.
The IT systems used are assessed regarding the necessity of logging.
When using external IT services, information on the monitoring options is obtained and considered in the assessment.
Event logs are checked regularly for rule violations and noticeable problems in compliance with the permissible legal and organizational provisions.
Requirements (should): A procedure for the escalation of relevant events to the responsible body (e.g. security incident report, data protection, corporate security, IT security) is defined and established.
Event logs (contents and metadata) are protected against alteration (e.g. by a dedicated environment).
Adequate monitoring and recording of any actions on the network that are relevant to information security are established.
The development of system logs must keep pace with the development of the system and must enable, for example, the necessary resolution of incidents. In connection with the data system list, we describe for which systems we are responsible for implementing the logging. For these systems, we document:
The organization must have measures and operating procedures for the secure storage of incoming information, information being processed and outgoing information. Storage should take into account:
All stored information must be protected against theft, modification and destruction, or any other event that affects its confidentiality, integrity or availability.
The organization must be aware of the logs that accrue from the use of the different data systems, regardless of whether generating the logs is the responsibility of the organization or of the system provider. Logs record user actions as well as anomalies, errors and security incidents.
The adequacy of logging should be reviewed regularly. If necessary, the logs should be usable to determine the root causes of system incidents.
Security systems (e.g. firewall, malware protection) often have the ability to record a log of events. At regular intervals, make sure that a comprehensive log is being accumulated and try to identify suspicious activity. The log is also useful when investigating disturbances or violations.
The organization must have a procedure for reviewing event logs for rule violations and other noticeable problems, in compliance with legal and organizational provisions.
The organization should also protect the integrity of the event logs (e.g. by a separate environment).
System logs often contain a wealth of information, much of which is irrelevant to security monitoring. In order to identify events relevant to security monitoring, consideration should be given to automatically copying appropriate message types to another log, or to using appropriate utilities or audit tools to review the log files.
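As an added illustration of two of the points above (copying security-relevant message types into a separate log, and protecting that log against alteration), the following Python example is not part of the original text or of any framework: it filters constructed syslog-style lines by message type and writes the matches into a hash-chained record list, so that later editing or deletion of an entry is detectable. The sample lines, message-type patterns and function names are all constructed for this example.

```python
import hashlib
import re

# Constructed sample lines in a syslog-like layout (not taken from any real system).
RAW_LOG = """\
Jan 10 09:12:01 host1 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 4022
Jan 10 09:12:03 host1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Jan 10 09:12:09 host1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx
Jan 10 09:12:15 host1 kernel: [UFW BLOCK] IN=eth0 SRC=198.51.100.7 DST=10.0.0.4 PROTO=TCP DPT=23
Jan 10 09:12:31 host1 useradd[950]: new user: name=svc-backup, UID=1005
"""

# Message types copied into the separate security log; all other lines stay in the general log.
SECURITY_PATTERNS = [
    ("auth_failure", re.compile(r"Failed password")),
    ("privilege_use", re.compile(r"\bsudo:.*COMMAND=")),
    ("firewall_block", re.compile(r"\[UFW BLOCK\]")),
    ("account_change", re.compile(r"\buseradd\[.*new user")),
]
GENESIS = "0" * 64  # chain anchor for the first record

def classify(line):
    """Return the security event type of a line, or None if it is not security-relevant."""
    return next((kind for kind, pat in SECURITY_PATTERNS if pat.search(line)), None)

def record_hash(kind, message, prev):
    """SHA-256 over the record fields, newline-joined (single log lines contain no newlines)."""
    return hashlib.sha256(f"{kind}\n{message}\n{prev}".encode()).hexdigest()

def build_security_log(raw_log):
    """Copy security-relevant lines into a hash-chained record list; each record
    stores its predecessor's hash, so editing or deleting one breaks the chain."""
    records, prev_hash = [], GENESIS
    for line in raw_log.splitlines():
        kind = classify(line)
        if kind is None:
            continue  # not security-relevant: stays in the general log only
        digest = record_hash(kind, line, prev_hash)
        records.append({"type": kind, "message": line, "prev": prev_hash, "hash": digest})
        prev_hash = digest
    return records

def verify_chain(records):
    """Recompute the chain; return the index of the first bad record, or -1 if intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev_hash or rec["hash"] != record_hash(rec["type"], rec["message"], rec["prev"]):
            return i
        prev_hash = rec["hash"]
    return -1
```

The chain gives tamper evidence, not tamper prevention: the last hash still has to be kept somewhere the log writer cannot overwrite (a separate environment, as the requirement suggests) for a deletion at the tail to be noticed.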
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.