CT.DM-P8: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization
CSF v1.1 References:
Threats Addressed:
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
AU-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the…
AU-2: Event Logging
Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; Specify the…
AU-3: Content of Audit Records
Ensure that audit records contain information that establishes the following: What type of event occurred; When the event occurred; Where the event occurred; Source of the event; Outcome of the event; and Identity of any individuals, subjects, or objects/entities associated with the event.
AU-6: Audit Record Review, Analysis, and Reporting
Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; Report findings to [Assignment: organization-defined personnel or roles]; and Adjust the level of audit record review, analysis, and reporting within the system when there is a change…
AU-7: Audit Record Reduction and Report Generation
Provide and implement an audit record reduction and report generation capability that: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and Does not alter the original content or time ordering of audit records.
AU-12: Audit Record Generation
Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and Generate audit records for the event types defined…
AU-13: Monitoring for Information Disclosure
Monitor [Assignment: organization-defined open-source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information; and If an information disclosure is discovered: Notify [Assignment: organization-defined personnel or roles]; and Take the following additional actions: [Assignment: organization-defined additional actions].
AU-14: Session Audit
Provide and implement the capability for [Assignment: organization-defined users or roles] to [Assignment (one or more): record, view, hear, log] the content of a user session under [Assignment: organization-defined circumstances]; and Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards,…
AU-16: Cross-organizational Audit Logging
Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
Cloud Controls Matrix v3.0.1
AAC-01: Audit Planning
Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.
AAC-02: Independent Audits
Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.
IAM-02: Credential Lifecycle / Provision Management
User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes,…
IVS-01: Audit Logging / Intrusion Detection
Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.
IVS-03: Clock Synchronization
A reliable and mutually agreed upon external time source shall be used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.
STA-09: Third Party Audits
Third-party service providers shall demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements.
Critical Security Controls Version 8
8: Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
NIST Special Publication 800-53 Revision 4
AU-1: Audit And Accountability Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and Reviews and updates the current:…
AU-2: Audit Events
The organization: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; Provides a rationale for why the auditable events are deemed to be…
AU-3: Content Of Audit Records
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
AU-6: Audit Review, Analysis, And Reporting
The organization: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and Reports findings to [Assignment: organization-defined personnel or roles].
AU-7: Audit Reduction And Report Generation
The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and Does not alter the original content or time ordering of audit records.
AU-12: Audit Generation
The information system: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and Generates audit records for the events defined in AU-2 d.…
AU-13: Monitoring For Information Disclosure
The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.
AU-14: Session Audit
The information system provides the capability for authorized users to select a user session to capture/record or view/hear.
AU-16: Cross-Organizational Auditing
The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
Critical Security Controls Version 7.1
6: Maintenance, Monitoring and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.