SM-01—Audit Logging
Control Description

Theme:
Type:
Policy/Standard: Logging & Monitoring Standard

Implementation Guidance
1. Ensure that the Organization's Logging Standard includes logging requirements for critical system activity.
2. Ensure that the following system logging configurations (at a minimum, but not limited to these) are in place for a selection of production systems, and determine the following:
   a. A log aggregation tool is configured for the service.
   b. Whether the following logs are being sent to the log aggregation tool:
      i. System OS logs
      ii. AWS Config (configuration monitoring resource in AWS)
      iii. CloudTrail (all account-level activity, including API calls and IAM role/user activity)
      iv. VPC Flow Logs (showing all network connections to and from a VPC)
      v. GuardDuty (AWS-provided threat detection service)
   c. PCI specific: whether critical information system activity is logged, such as the following:
      i. Access to all audit trails (covered through CloudTrail)
      ii. Invalid logical access attempts
      iii. Use of and changes to identification and authentication mechanisms, including all elevation of privileges and all changes, additions, or deletions to any account with root or administrative privileges
      iv. Initialization of audit logs
      v. Stopping or pausing of audit logs
      vi. Creation and deletion of system-level objects
      vii. Alerts are in place to be triggered when the aforementioned logs are not forwarded, or encounter an error while being sent, by the log aggregation tool.
Testing Procedure
1. Inspect the Organization's Logging Standard to determine whether logging requirements are defined for critical system activity.
2. Inspect system logging configurations for a sample of production systems to determine the following:
   a. A log aggregation tool is configured for the service.
   b. Whether the following logs are being sent to the log aggregation tool:
      i. System OS logs
      ii. AWS Config (configuration monitoring resource in AWS)
      iii. CloudTrail (all account-level activity, including API calls and IAM role/user activity)
      iv. VPC Flow Logs (showing all network connections to and from a VPC)
      v. GuardDuty (AWS-provided threat detection service)
   c. PCI specific: whether critical information system activity is logged, such as the following:
      i. Access to all audit trails (covered through CloudTrail)
      ii. Invalid logical access attempts
      iii. Use of and changes to identification and authentication mechanisms, including all elevation of privileges and all changes, additions, or deletions to any account with root or administrative privileges
      iv. Initialization of audit logs
      v. Stopping or pausing of audit logs
      vi. Creation and deletion of system-level objects
      vii. Alerts are in place to be triggered when the aforementioned logs are not forwarded, or encounter an error while being sent, by the log aggregation tool.
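The AWS-side checks in step 2 of the implementation guidance and the testing procedure (aggregation destination, CloudTrail, AWS Config, VPC Flow Logs, GuardDuty, and the "logs stopped or failing to deliver" conditions) can be evaluated mechanically once the relevant API responses have been collected. The evaluator below is an added example, not Adobe CCF's code or tooling. It assumes the auditor has already exported the responses of describe-trails, get-trail-status, describe-configuration-recorder-status, describe-flow-logs and get-detector into one dictionary per account; SAMPLE_ACCOUNT is constructed (the account id, VPC ids and trail name are placeholders) so that one VPC deliberately lacks a flow log and produces a finding.

```python
"""SM-01 logging-configuration evaluator (added example, not Adobe CCF code).

Assumes the AWS API responses have already been exported into one dict per
account; SAMPLE_ACCOUNT below is constructed and uses placeholder identifiers.
"""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class Finding:
    check: str    # SM-01 testing-procedure item the finding maps to
    passed: bool
    detail: str


# Constructed sample, shaped like the real API responses (all ids are placeholders).
SAMPLE_ACCOUNT: Dict[str, Any] = {
    "cloudtrail_trails": [
        {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
         "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:org-trail:*"},
    ],
    "cloudtrail_status": {"org-trail": {"IsLogging": True, "LatestDeliveryError": ""}},
    "config_recorder_status": [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}],
    "vpcs": ["vpc-0aaa", "vpc-0bbb"],   # vpc-0bbb deliberately has no flow log
    "flow_logs": [
        {"ResourceId": "vpc-0aaa", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL",
         "DeliverLogsStatus": "SUCCESS"},
    ],
    "guardduty_detectors": [{"Status": "ENABLED"}],
}


def check_cloudtrail(acct: Dict[str, Any]) -> List[Finding]:
    """Item 2.b.iii (plus 2.c.v and 2.c.vii): a trail exists, is logging, covers all
    regions, has integrity validation on, and is delivering to the aggregation point."""
    trails = acct.get("cloudtrail_trails", [])
    if not trails:
        return [Finding("2.b.iii CloudTrail", False, "no trail configured")]
    findings = []
    for trail in trails:
        status = acct.get("cloudtrail_status", {}).get(trail["Name"], {})
        problems = []
        if not status.get("IsLogging"):
            problems.append("trail stopped or paused (2.c.v)")
        if status.get("LatestDeliveryError"):
            problems.append(f"delivery error: {status['LatestDeliveryError']} (2.c.vii)")
        if not trail.get("IsMultiRegionTrail"):
            problems.append("not multi-region")
        if not trail.get("LogFileValidationEnabled"):
            problems.append("log file validation disabled")
        if not trail.get("CloudWatchLogsLogGroupArn"):
            problems.append("no CloudWatch Logs destination, so not reaching aggregation")
        findings.append(Finding("2.b.iii CloudTrail", not problems,
                                f"{trail['Name']}: {'; '.join(problems) or 'ok'}"))
    return findings


def check_config(acct: Dict[str, Any]) -> List[Finding]:
    """Item 2.b.ii: a configuration recorder exists, is recording and is not failing."""
    recorders = acct.get("config_recorder_status", [])
    if not recorders:
        return [Finding("2.b.ii AWS Config", False, "no configuration recorder")]
    return [Finding("2.b.ii AWS Config",
                    bool(r.get("recording")) and r.get("lastStatus") != "FAILURE",
                    f"{r['name']}: recording={r.get('recording')} lastStatus={r.get('lastStatus')}")
            for r in recorders]


def check_flow_logs(acct: Dict[str, Any]) -> List[Finding]:
    """Item 2.b.iv: every VPC needs an ACTIVE flow log capturing ALL traffic that is delivering."""
    by_vpc: Dict[str, List[Dict[str, Any]]] = {}
    for fl in acct.get("flow_logs", []):
        by_vpc.setdefault(fl["ResourceId"], []).append(fl)
    findings = []
    for vpc in acct.get("vpcs", []):
        good = [fl for fl in by_vpc.get(vpc, [])
                if fl.get("FlowLogStatus") == "ACTIVE" and fl.get("TrafficType") == "ALL"
                and fl.get("DeliverLogsStatus") != "FAILED"]
        findings.append(Finding("2.b.iv VPC Flow Logs", bool(good),
                                f"{vpc}: {'ok' if good else 'no ACTIVE, delivering flow log with TrafficType=ALL'}"))
    return findings


def check_guardduty(acct: Dict[str, Any]) -> List[Finding]:
    """Item 2.b.v: at least one GuardDuty detector is enabled."""
    enabled = any(d.get("Status") == "ENABLED" for d in acct.get("guardduty_detectors", []))
    return [Finding("2.b.v GuardDuty", enabled, "detector enabled" if enabled else "no enabled detector")]


def evaluate(acct: Dict[str, Any]) -> List[Finding]:
    """Run every automated SM-01 check and return all findings, pass and fail."""
    return check_cloudtrail(acct) + check_config(acct) + check_flow_logs(acct) + check_guardduty(acct)


def failed(findings: List[Finding]) -> List[Finding]:
    """Only the findings an auditor has to write up."""
    return [f for f in findings if not f.passed]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_ACCOUNT):
        print("PASS" if f.passed else "FAIL", f.check, "-", f.detail)
```

System OS log forwarding (item 2.b.i) and the PCI-specific event categories under 2.c are not visible in these account-level API responses and still need to be confirmed on a sample host and in the aggregation tool's own configuration; the evaluator only covers what the AWS control plane can attest to.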
Audit Artifacts

Framework Mappings
Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.