Log Monitoring & Security Standards
6 Audit Trail Logs

Significant security related events concerning the system use of User IDs must be securely logged. These logs must provide sufficient data to support audits of effectiveness and compliance with security standards.

Audit trail logs must be active and protected from unauthorized access, modification and accidental or deliberate destruction on TMF information resources that contain Confidential or Restricted information.

Activities that must be logged include, but are not limited to:
• Successful and unsuccessful login attempts
• Logoffs (for systems that allow this to be captured)
• Granting, modification or revocation of systems access rights or privileges
• Users switching IDs during an online session
• Attempts to perform unauthorized functions on servers and mainframe systems, as currently technically supported (best practice but not required on other systems)
• Attempts to perform unauthorized file access on mainframe systems (best practice but not required on other systems)
• Modifications to system settings (parameters) and security/audit log parameters

In addition to the general activities documented above, applications that handle, process or store non-public private information, including Payment Card, Health and Financial information, must also log the following:
• Access to confidential data (as required by regulatory or contractual requirement, or as otherwise required by the Information Security Organization)

Logs containing User ID security relevant events shall be retained for 180 days. The audit trail history must be promptly available for analysis (for example, online, archived, or restorable from back-up) for a minimum of 90 days.

Log entries from different

NOTE: The logging requirements are to be implemented where technically possible, including in any new implementation, and should not have a material impact on the systems involved.

NOTE: End user tools commonly do not support the required levels of auditing and logging. Use of end user tools to process, store or handle confidential information is strongly discouraged.

NOTE: Regarding the Effective date: As there is the ability to comply prior to the effective date, existing controls should be maintained.

NOTE: PCI Requirement: Retain audit trail history for at least six months, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).
7 Event Log Contents

Log contents must not contain Non-Public Personally Identifiable Information (NP-PII) or Non-Public Personal Health Information. Log contents must not contain "Confidential" information, as technically possible.

Event logs must include, but are not limited to, the items below as technically possible:
• Host name
• User account
• Date and time stamp
• Description of the activity performed
• Event ID or event type
• Reason for logging event (e.g., access failure)
• Source and destination network addresses (e.g., IP address)
• Referring page (in case of HTTP access)
• Type of browser used (in case of HTTP access)
• Other information or detail that helps to recreate a sequence of events to provide information for debugging or testing purposes

NOTE: There is some risk that user-supplied content (login information, open text fields, etc.) may include confidential information; however, effective controls are available to prevent or protect against this information entering the logs.
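An added example, not part of the standard, showing one way to enforce the field list and the no-confidential-data rule above in Python: the record builder rejects entries that lack a mandated field and masks Luhn-valid payment card numbers in free-text values before the entry is written. The field names and the PAN pattern are assumptions chosen for the example.

```python
import json
import re
from datetime import datetime, timezone

# Fields this section requires in every event log entry; the two HTTP fields
# apply only to web access and are therefore optional here (assumed names).
REQUIRED_FIELDS = ("host", "user", "activity", "event_type", "reason",
                   "src_addr", "dst_addr")
OPTIONAL_FIELDS = ("timestamp", "referrer", "user_agent", "detail")

# Candidate payment card numbers: 13 to 19 digits, optionally separated by
# single spaces or dashes. Only Luhn-valid matches are treated as card data.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pan(text: str) -> str:
    """Mask Luhn-valid card numbers so they never reach the audit log."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[PAN-REDACTED]" if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(mask, text)


def build_event(**fields) -> dict:
    """Validate the mandatory fields, stamp the time in UTC and scrub free text."""
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError("missing required log fields: " + ", ".join(missing))
    unknown = set(fields) - set(REQUIRED_FIELDS) - set(OPTIONAL_FIELDS)
    if unknown:
        raise ValueError("unexpected log fields: " + ", ".join(sorted(unknown)))
    record = {k: redact_pan(v) if isinstance(v, str) else v for k, v in fields.items()}
    record.setdefault("timestamp", datetime.now(timezone.utc).isoformat())
    return record


def serialize_event(record: dict) -> str:
    """One JSON object per line, keys sorted so entries are easy to diff and parse."""
    return json.dumps(record, sort_keys=True)
```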
8 General Audit Trail Controls

The following controls apply to audit trails (as technically possible; settings must follow the baselines, or the accepted vendor recommendation if no baseline is available):
• Audit trail records must be backed up in accordance with the TMF Record Retention Schedule, and protected based on a classification rating of at least Restricted.
• Auditing functions must not record over previous audit records.
• Auditing functions must provide a warning when the allocated audit record storage volume reaches a pre-defined percent of maximum capacity.
• Sufficient audit record storage capacity must be provided and not exceeded.

In support of and compliance with data retention requirements, and to ensure integrity and availability of the Audit trail records:
• Only resource administrators and TMF Information Security and Compliance, or those specifically authorized, have the authority to archive and delete audit trail records.
• System owners, resource administrators and the TMF Information Security organization have the authority to archive, retrieve and delete archived audit trail records.

NOTE: Some Divisions require prior TMF Information Security Organization approval of any deletion or archive of active current Audit Trail records outside of normal business processes.

NOTE: In some cases, regardless of the controls, some private or business confidential data may wind up in logs. System owners and data owners may need to consider a higher classification for the data.
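An added example, not part of the standard, that models the storage controls of control 8 together with the 180-day retention and 90-day availability periods from control 6 in Python: the trail refuses to overwrite earlier records when full, warns once when a pre-defined percentage of capacity is reached, tiers records by age, and lets only the named roles delete expired records. The 80% warning threshold and the role strings are assumptions.

```python
from datetime import date

ONLINE_DAYS = 90       # minimum period records must be promptly available for analysis
RETENTION_DAYS = 180   # total retention required for User ID security events
WARN_PERCENT = 80      # assumed threshold; the standard leaves the exact value to the baseline
# Roles the standard names as authorized to archive or delete audit trail records
AUTHORIZED_TO_DELETE = {"resource administrator", "information security"}


class AuditTrail:
    """In-memory model of an append-only audit trail with this section's controls."""

    def __init__(self, capacity_records: int, warn_percent: int = WARN_PERCENT):
        self.capacity = capacity_records
        self.warn_percent = warn_percent
        self.records = []      # (event date, text); entries are never rewritten in place
        self.warnings = []

    def append(self, day_iso: str, text: str) -> None:
        # Storage must not be exceeded and earlier records must not be overwritten,
        # so a full trail refuses new entries rather than wrapping around.
        if len(self.records) >= self.capacity:
            raise RuntimeError("audit storage full; refusing to overwrite earlier records")
        before = 100 * len(self.records) // self.capacity
        self.records.append((date.fromisoformat(day_iso), text))
        after = 100 * len(self.records) // self.capacity
        if before < self.warn_percent <= after:   # warn once when the threshold is crossed
            self.warnings.append(f"audit storage reached {after}% of capacity")

    def tier(self, today_iso: str) -> dict:
        """Split records by age: online (<= 90 days), archived but restorable (<= 180 days), expired."""
        today = date.fromisoformat(today_iso)
        tiers = {"online": [], "archived": [], "expired": []}
        for day, text in self.records:
            age = (today - day).days
            key = "online" if age <= ONLINE_DAYS else "archived" if age <= RETENTION_DAYS else "expired"
            tiers[key].append(text)
        return tiers

    def purge_expired(self, today_iso: str, role: str) -> int:
        """Delete records past retention; only roles the standard names may do so."""
        if role not in AUTHORIZED_TO_DELETE:
            raise PermissionError(f"role '{role}' may not delete audit trail records")
        today = date.fromisoformat(today_iso)
        keep = [r for r in self.records if (today - r[0]).days <= RETENTION_DAYS]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed
```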
12 Use of Monitoring and Scanning Tools

The use of monitoring and scanning devices or tools must be authorized in advance by the TMF IT and IS Team. The results of the monitoring and scanning activities must be classified as at least Restricted.

Monitoring agents must be installed on systems classified as a Critical System or as identified by the TMF IT & IS team. Each scanning or monitoring device must be configured so that it authenticates to the network when connected (for those technologies that allow for authentication). Security settings, auditing, and compliance software as well as hardening scripts must conform to the requirements prescribed by the TMF Information Security Policies.

NOTE: It is possible that the results may include "Confidential" information; in each specific case they should be treated accordingly.

NOTE: The approved products list is separate and addressed in other control standards and by the Engineering board. This standard focuses on the use.

NOTE: For the purposes of this standard, "use" is qualified as the approving of specific individuals and specific technologies (e.g., DLP approvals) and not approvals for each and every occurrence of the use of a tool by an individual. Those specific approvals may be addressed in other control standards as they relate to Incident response, and access to individuals' emails and files, for example.
14 Privileged User IDs Must be Logged

Privileged access IDs and their activities must be logged. Activities to be logged, as technically possible, for each system include:
• Activity involving User ID creations, deletions, and privilege changes must be securely logged.
• Events as identified in the system Baseline requirements.
• Privileged activities identified for logging on a particular system.
• Compliance measurements as identified for logging on a particular system.

Logs must be retained for audit and investigatory purposes for a total of 180 days.

NOTE: It is a best practice that records should be retained online for as long as financially feasible and technically possible on the system, up to 90 days online.

NOTE: This control standard applies to Operating system Privileged users, and for those Database and Applications that contain "Confidential Data".
15 Privileged User Activity Reports Must be available for review

Where logging requirements have been defined for systems with "Confidential" data or Business Critical systems, privileged User activity reports, such as changes to user rights, must be available for review to detect misuse of privileged accounts.

Note: Automation can be used to assist with the review process.

Note: Excessive suspicious actions may be logged as part of intrusion detection; however, logging solely to validate that controls are working is not required.
16 Use of Advanced System Utilities Must be Monitored

The use of advanced operating system utilities and commands that bypass system access controls must be restricted to those individuals who require access to perform their job functions. The granting of access to and the use of these functions must be logged and monitored.

Activities to be securely logged, as technically possible, for each system include:
• Activity involving User ID creations, deletions, and privilege changes
• Events as identified in the system Baseline requirements.
• Privileged activities as they relate to advanced operating system utilities and commands

Logs must be retained for audit and investigatory purposes for a total of 180 days, at least 90 days of which must be kept online.

NOTE: The technical baselines should include the specific functions to be logged and monitored. These should follow the vendor recommendations, industry best practices and our own internal business requirements.
25 Backup & Retrieval activities

Logs generated by Backup and Retrieval activities shall be captured and retained.

Logs shall be analyzed regularly. If any kind of issue is noticed, then the logs shall be separately preserved until the issue is resolved. They must be securely disposed of after the issue is resolved.
26 Antivirus Logs

Logs generated from the Antivirus software are classified under this head. If any kind of security incident is noticed, then the relevant logs shall be separately backed up and preserved until the issue is resolved. They must be securely disposed of after the issue is resolved.

After 30 days the logs shall be analyzed and overwritten unless there is any kind of virus attack during that period. If any virus attack is noticed, then the logs shall be backed up separately on removable media onsite.