The intent of this requirement is to periodically re-evaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient. 

Priority: High 

Category:  Situational Awareness 

Services Associated with AWS:  

  • AWS CloudTrail, AWS Identity and Access Management (IAM), AWS Security Hub

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screen shot of configuration settings
  • Technical: screen shot of logs from SIEM

Possible Technology Considerations : 

  • Centralized Log Management
  • Security Information & Event Management (SIEM)

What needs to be answered :  

Does the company review and update audited events annually or in the event of substantial system changes or as needed? Is the list of audited events reviewed by company management and updated on a regular

  • Periodically Review and Update Logged Events
    Description: This check ensures that organizations periodically review and update the set of event types that are logged. The purpose is to re-evaluate the logged events and determine if any changes are needed based on evolving security requirements, technological advancements, and organizational needs. The review ensures that the set of logged event types remains necessary and sufficient to effectively monitor, analyze, investigate, and report on system activity.
  • Assess the Relevance and Effectiveness of Logged Events
    Description: This check verifies that organizations assess the relevance and effectiveness of the logged events on a regular basis. The assessment considers factors such as changing security threats, emerging attack vectors, regulatory requirements, and organizational priorities. Based on the assessment, organizations update the set of logged event types to ensure that it aligns with the current security landscape and provides adequate coverage for monitoring and incident response purposes.
  • Document and Maintain Event Logging Updates
    Description: This check ensures that organizations document and maintain records of updates made to the set of logged event types. The documentation includes the rationale for the updates, the date of the update, and the individuals or teams responsible for the decision. By maintaining a record of event logging updates, organizations can demonstrate their commitment to continuously improving their logging practices and adapting to changing security requirements.

More Details:   

Regular review and update of audited events performed by company COO and IT staff.