
SM-14 Log-tampering Detection

>Control Description

Organization monitors and flags tampering to the audit logging and monitoring tools in the production environment.

Theme

Technology

Type

Detective

Policy/Standard

Logging & Monitoring Standard

>Implementation Guidance

1. Ensure the organization's Logging & Monitoring Standard includes requirements for monitoring and flagging tampering with the audit logging and monitoring tools in the production environment.
2. Ensure the specific mechanisms used to monitor and flag tampering with the audit logging and monitoring tools in the production environment are defined and documented.
3. Ensure appropriate mechanisms are implemented to protect the integrity of logs and to prevent or detect modification of logs at the storage location. Additionally, ensure such activities are themselves recorded and controlled.
4. Restrict and control administrative permissions to manage and modify audit logs to authorized personnel only.
5. Ensure all administrative and operational activities are logged, and that captured events can be traced back to a particular user in case of any modification or tampering.
6. Replicate and store all applicable logs on a centralized server, and restrict access to that server to authorized personnel only.
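Item 3 asks for a mechanism that detects modification of logs at the storage location, and item 6 asks for a copy held off the originating host. One way to satisfy both with a single check is an HMAC hash chain: each record's MAC covers the previous MAC, its sequence number and its content, and the final MAC is shipped to the central log server as an anchor. A verifier holding the key and the anchor can then tell whether a record was edited, removed, renumbered, or whether the tail of the file was cut off. The following is an added example, not code from Adobe CCF or from any logging product; the sealing key, the audit lines and the anchor-handling are all constructed for illustration, and a real deployment would keep the key in a KMS/HSM or on the central server rather than on the monitored host.

```python
import hashlib
import hmac

# Constructed example key (hypothetical). In production the key must not live on the
# host whose logs it protects; otherwise an attacker with root can re-seal the chain.
KEY = b"example-sealing-key-not-for-production"

# The chain starts from 32 zero bytes.
GENESIS = bytes(32)

# Constructed sample audit lines (not real captures).
SAMPLE_LINES = [
    "2024-05-01T10:00:00Z sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart auditd",
    "2024-05-01T10:00:05Z auditd[812]: Audit daemon rotating log files",
    "2024-05-01T10:01:12Z sshd[901]: Accepted publickey for bob from 10.0.0.7 port 51234",
    "2024-05-01T10:02:40Z sudo: bob : TTY=pts/1 ; COMMAND=/usr/bin/truncate -s0 /var/log/audit/audit.log",
]


def record_mac(key, prev_mac, seq, line):
    """HMAC-SHA256 over (previous MAC || sequence number || line).
    Chaining the previous MAC in means that editing or removing one record
    invalidates every record after it, not just the one touched."""
    msg = prev_mac + seq.to_bytes(8, "big") + line.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal_log(key, lines):
    """Turn plain lines into sealed records {seq, line, mac}.
    The last record's mac is the anchor that should be stored off-host."""
    sealed, prev = [], GENESIS
    for seq, line in enumerate(lines):
        mac = record_mac(key, prev, seq, line)
        sealed.append({"seq": seq, "line": line, "mac": mac.hex()})
        prev = mac
    return sealed


def verify_log(key, sealed, anchor):
    """Walk the chain and return {"ok", "reason", "seq"}.
    anchor is the hex MAC of the final record as held on the central server."""
    prev = GENESIS
    for expected_seq, rec in enumerate(sealed):
        # A missing or reordered record shows up as a gap in the sequence.
        if rec["seq"] != expected_seq:
            return {"ok": False, "reason": "sequence_gap", "seq": expected_seq}
        mac = record_mac(key, prev, rec["seq"], rec["line"])
        # Any edit to the line, or a renumbered record, changes the MAC.
        if not hmac.compare_digest(mac.hex(), rec["mac"]):
            return {"ok": False, "reason": "mac_mismatch", "seq": rec["seq"]}
        prev = mac
    # Every record checked out, but the chain must also end where the off-host
    # anchor says it ends; otherwise records were cut off the tail.
    if not hmac.compare_digest(prev.hex(), anchor):
        return {"ok": False, "reason": "truncated", "seq": len(sealed)}
    return {"ok": True, "reason": "intact", "seq": None}


def tamper_scenarios(key=KEY, lines=SAMPLE_LINES):
    """Seal the sample log, apply four tampering patterns, and verify each copy."""
    sealed = seal_log(key, lines)
    anchor = sealed[-1]["mac"]  # would be shipped to the central server at seal time

    # 1. Edit the content of the record that shows the log being wiped.
    modified = [dict(r) for r in sealed]
    modified[3]["line"] = modified[3]["line"].replace("truncate -s0", "tail")

    # 2. Remove a middle record without touching the others.
    deleted = [r for r in sealed if r["seq"] != 1]

    # 3. Remove a middle record and renumber the rest to hide the gap.
    renumbered = [dict(r) for r in sealed if r["seq"] != 1]
    for new_seq, rec in enumerate(renumbered):
        rec["seq"] = new_seq

    # 4. Cut the last record off the end of the file.
    truncated = sealed[:-1]

    return {
        "intact": verify_log(key, sealed, anchor),
        "modified": verify_log(key, modified, anchor),
        "deleted": verify_log(key, deleted, anchor),
        "renumbered": verify_log(key, renumbered, anchor),
        "truncated": verify_log(key, truncated, anchor),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:11s} -> {result}")
```

The verifier only detects tampering; it does not prevent it, which is why the guidance pairs it with restricted write permissions (item 4) and an off-host copy (item 6). Note also that the check is only as strong as the secrecy of the key and the anchor: a tamper-detection tool whose key sits next to the log it protects adds no assurance against a privileged attacker on the same host.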

>Testing Procedure

1. Obtain the relevant organizational policy/standard and confirm that the defined process for enabling audit logging and monitoring is adhered to.
2. Validate that the specific mechanisms used to monitor and flag tampering with the audit logging and monitoring tools in the production environment are defined and documented.
3. Validate whether appropriate mechanisms are implemented to protect the integrity of logs and to prevent or detect modification of logs at the storage location. Additionally, confirm that such activities are themselves recorded and controlled.
4. Inspect whether administrative permissions to manage and modify audit logs are restricted to authorized personnel only.
5. For a sample of events, inspect whether all administrative and operational activities are logged and whether captured events can be traced back to a particular user in case of any modification or tampering.
6. Validate whether all applicable logs are replicated and stored on a centralized server, and whether access to that server is restricted to authorized personnel only.

>Audit Artifacts

E-SM-10
E-SM-11
E-SM-13
E-SM-04

>Framework Mappings

Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.
