Level 2


Description:

The intent of this requirement is to periodically re-evaluate which event types remain in the set of events to be logged. The event types that organizations log may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient.


Priority: High 


Domain: AUDIT AND ACCOUNTABILITY (AU) 


Services Associated with AWS: 

  • AWS CloudTrail
  • AWS Identity and Access Management (IAM)
  • AWS Security Hub


Services Associated with Azure:

  • Azure Log Analytics
  • Azure Sentinel
  • Azure Security Center
  • Azure Monitor


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings
  • Technical: screenshot of logs from the SIEM


Possible Technology Considerations:

  • Centralized Log Management
  • Security Information & Event Management (SIEM)


What needs to be answered:

Does the company review and update the audited events annually, when substantial system changes occur, or as otherwise needed? Is the list of audited events reviewed by company management and updated on a regular basis?


Checks for AWS

  • Periodically Review and Update Logged Events
    Description: This check ensures that organizations periodically review and update the set of event types that are logged. The purpose is to re-evaluate the logged events and determine if any changes are needed based on evolving security requirements, technological advancements, and organizational needs. The review ensures that the set of logged event types remains necessary and sufficient to effectively monitor, analyze, investigate, and report on system activity.
  • Assess the Relevance and Effectiveness of Logged Events
    Description: This check verifies that organizations assess the relevance and effectiveness of the logged events on a regular basis. The assessment considers factors such as changing security threats, emerging attack vectors, regulatory requirements, and organizational priorities. Based on the assessment, organizations update the set of logged event types to ensure that it aligns with the current security landscape and provides adequate coverage for monitoring and incident response purposes.
  • Document and Maintain Event Logging Updates
    Description: This check ensures that organizations document and maintain records of updates made to the set of logged event types. The documentation includes the rationale for the updates, the date of the update, and the individuals or teams responsible for the decision. By maintaining a record of event logging updates, organizations can demonstrate their commitment to continuously improving their logging practices and adapting to changing security requirements.


Checks for Azure

  • Periodically Review and Update Logged Events in Azure
    Description: This check ensures that organizations in Azure periodically review and update the set of event types that are logged. The purpose is to re-evaluate the logged events and determine if any changes are needed based on evolving security requirements, technological advancements, and organizational needs. The review ensures that the set of logged event types remains necessary and sufficient to effectively monitor, analyze, investigate, and report on system activity. By regularly reviewing and updating the logged events, organizations can align their logging practices with the changing security landscape and ensure they capture relevant information for incident response and compliance purposes.
  • Assess the Relevance and Effectiveness of Logged Events in Azure
    Description: This check verifies that organizations in Azure assess the relevance and effectiveness of the logged events on a regular basis. The assessment takes into account factors such as evolving security threats, emerging attack vectors, regulatory requirements, and organizational priorities. Based on the assessment, organizations update the set of logged event types to ensure it remains aligned with the current security landscape and provides adequate coverage for monitoring and incident response. By assessing and updating the logged events, organizations can improve their logging practices and enhance their ability to detect and respond to security incidents effectively.
  • Document and Maintain Event Logging Updates in Azure
    Description: This check ensures that organizations in Azure document and maintain records of updates made to the set of logged event types. The documentation includes the rationale for the updates, the date of the update, and the individuals or teams responsible for the decision. By maintaining a record of event logging updates, organizations can demonstrate their commitment to continuous improvement and compliance with security requirements. Additionally, it provides a reference for future audits and helps in tracking the evolution of logging practices over time.


More Details: Regular review and update of audited events is performed by the company COO and IT staff.