LOG-01: Logging and Monitoring Policy and Procedures

Control Family: Logging and Monitoring

Control is new to this version of the control set and incorporates the following items from the previous version: GRM-06: Policy, GRM-09: Policy Reviews.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for logging and monitoring. Review and update the policies and procedures at least annually.

Implementation Guidance

The policies and procedures should include considerations regarding:

  1. The purpose, scope, roles, responsibilities, and coordination among organizational entities and training.
  2. How security incidents are handled.
  3. What information should be logged and monitored, and for how long.
  4. Who is notified in the event of an incident.

Logging and monitoring policies and procedures should capture the following events:

  1. Individual user accesses to systems.
  2. Actions taken by any individual with root or administrative privileges.
  3. Access to all audit logs; such access should be restricted based on need-to-know and least privilege principles.
  4. Invalid access attempts.
  5. Changes, additions, or deletions to accounts with root or administrative privileges.
  6. Use of and changes to identification and authentication mechanisms, including elevation of privilege.
  7. Initializing, stopping, or pausing of the audit logs.
  8. Creation and deletion of system-level objects.

Auditing Guidance

  1. Examine policy and procedures for adequacy, approval, communication, and effectiveness as applicable to planning, delivery and support of the organization's logging and monitoring requirements.
  2. Examine policy and procedures for evidence of review at least annually.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.