Level 2
Description:
Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements.
Priority: High
Domain: AUDIT AND ACCOUNTABILITY (AU)
Services Associated with AWS:
- AWS Identity and Access Management (IAM)
- AWS CloudTrail
- Amazon CloudWatch (including CloudWatch Logs)
- AWS Key Management Service (KMS)
Services Associated with Azure:
- Azure Log Analytics
- Azure Monitor
- Microsoft Sentinel (formerly Azure Sentinel)
- Azure Storage (Blob storage)
- Azure Key Vault
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of SIEM settings
Possible Technology Considerations:
- Centralized Log Management
- Security Information & Event Management (SIEM)
What needs to be answered:
Does the system protect audit information and audit tools from unauthorized access, modification, and deletion?
Checks for AWS
- Restrict Access to Audit Information and Logging Tools
Description: This check ensures that audit information and audit logging tools are protected from unauthorized access, modification, and deletion. Access to audit information is limited to the individuals who need it for auditing and monitoring, enforced through role-based access control (RBAC) and least privilege so that only those personnel can view, modify, or delete audit records. In AWS this means IAM policies (and, in an organization, service control policies) that reserve the CloudTrail, CloudWatch Logs, and log-bucket write and delete actions for designated roles and keep them out of everyday workload and developer roles. Audit logging tools, meaning the software and devices used for auditing and logging, are likewise protected from unauthorized access and execution.
- Implement Technical Safeguards for Audit Information Protection
Description: This check verifies that technical safeguards protect audit information from unauthorized access, modification, and deletion: encryption of audit records in transit and at rest (for example, CloudTrail log files encrypted with a customer-managed KMS key), strong authentication and access controls in front of audit logs and tools, and tamper-evident measures such as CloudTrail log file integrity validation, whose digest files make a modified or deleted log file detectable. Audit logs are also kept in secure and resilient storage that resists accidental or deliberate deletion, such as an S3 log bucket with versioning and Object Lock retention, and CloudWatch Logs retention that is no shorter than the organization's retention requirement.
- Regularly Monitor and Review Audit Logs and Tools
Description: This check emphasizes regular monitoring and review of audit logs and tools to detect unauthorized access, modification, or deletion attempts. Periodic reviews of audit logs and tools are carried out so that suspicious activity and anomalies are promptly identified and investigated, and the logging pipeline itself is monitored: API calls that stop or delete a trail, change its event selectors, delete log groups or streams, shorten retention, disable the log-encryption key, or alter the log bucket's policy or lifecycle are the events to alert on, whether they succeed or are denied. Regular review maintains the integrity and availability of audit information and ensures that unauthorized actions are detected and mitigated in a timely manner.
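The two technical checks above (safeguards on the trail and its bucket, and monitoring for tampering with the logging pipeline) can be exercised with a short script. The following is an added example, not code from the original page or from AWS; the trail description, trail status, bucket configuration, break-glass role ARN and event records are constructed to resemble the field names CloudTrail and S3 return (DescribeTrails, GetTrailStatus, GetObjectLockConfiguration and CloudTrail event records), and the set of calls treated as tampering is this example's own choice.

```python
"""Added example: evaluate an AWS audit-logging setup against the safeguards
above and flag API calls that would weaken it.

All trail, bucket and event data below is constructed for the example; it
mimics CloudTrail/S3 field names but comes from no real account.
"""

# API calls that disable, weaken or destroy audit logging, keyed by event
# source. The selection is this example's own; tune it to your environment.
TAMPER_CALLS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "logs.amazonaws.com": {"DeleteLogGroup", "DeleteLogStream",
                           "PutRetentionPolicy"},
    "s3.amazonaws.com": {"DeleteBucket", "DeleteObject", "PutBucketPolicy",
                         "PutBucketLifecycle", "PutBucketLifecycleConfiguration"},
    "kms.amazonaws.com": {"DisableKey", "ScheduleKeyDeletion"},
}


def evaluate_trail(trail, status, bucket):
    """Return a list of findings for a trail and the S3 bucket it writes to."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("trail is not currently logging")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region; activity elsewhere is unrecorded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file integrity validation is disabled (no digest files)")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with a customer-managed KMS key")
    lock = bucket.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("log bucket has no Object Lock; objects can be deleted")
    elif lock.get("Rule", {}).get("DefaultRetention", {}).get("Mode") != "COMPLIANCE":
        findings.append("Object Lock default retention is not COMPLIANCE mode; "
                        "a privileged user can shorten it")
    if bucket.get("Versioning") != "Enabled":
        findings.append("log bucket versioning is disabled; overwrites are unrecoverable")
    return findings


def detect_tampering(events, log_bucket, break_glass_arns=frozenset()):
    """Scan CloudTrail event records for calls that touch the audit pipeline.

    Denied attempts are reported too: a failed DeleteTrail is still a signal
    that someone tried. Calls from break-glass identities are downgraded to
    informational rather than dropped, so their use stays visible.
    """
    alerts = []
    for ev in events:
        source, name = ev.get("eventSource"), ev.get("eventName")
        if name not in TAMPER_CALLS.get(source, ()):
            continue
        # S3 calls matter only when they target the audit log bucket.
        if source == "s3.amazonaws.com":
            params = ev.get("requestParameters") or {}
            if params.get("bucketName") != log_bucket:
                continue
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        alerts.append({
            "time": ev.get("eventTime"),
            "actor": actor,
            "call": f"{source.split('.')[0]}:{name}",
            "denied": ev.get("errorCode") is not None,
            "severity": "info" if actor in break_glass_arns else "high",
        })
    return alerts


# Constructed sample data (not from a real account).
SAMPLE_TRAIL = {"Name": "org-trail", "S3BucketName": "example-audit-logs",
                "IsMultiRegionTrail": True, "LogFileValidationEnabled": False,
                "KmsKeyId": None}
SAMPLE_STATUS = {"IsLogging": True}
SAMPLE_BUCKET = {"Versioning": "Enabled",
                 "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}}}
BREAK_GLASS = frozenset({"arn:aws:sts::111122223333:assumed-role/BreakGlass/ops"})
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject",
     "requestParameters": {"bucketName": "example-audit-logs", "key": "AWSLogs/x.json.gz"},
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject",
     "requestParameters": {"bucketName": "example-app-uploads", "key": "tmp/1"},
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "logs.amazonaws.com",
     "eventName": "PutRetentionPolicy",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/BreakGlass/ops"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"}},
]

if __name__ == "__main__":
    for f in evaluate_trail(SAMPLE_TRAIL, SAMPLE_STATUS, SAMPLE_BUCKET):
        print("FINDING:", f)
    for a in detect_tampering(SAMPLE_EVENTS, "example-audit-logs", BREAK_GLASS):
        print(a["severity"].upper(), a["call"], "by", a["actor"],
              "(denied)" if a["denied"] else "")
```

Run against the sample data, `evaluate_trail` reports three gaps (validation off, no KMS key, GOVERNANCE rather than COMPLIANCE retention) and `detect_tampering` raises four alerts: the StopLogging call, the denied DeleteTrail attempt, the DeleteObject against the audit bucket (the one against the application bucket is ignored), and the break-glass retention change at informational severity. Wiring this to real data means feeding it the output of the corresponding boto3 calls and an EventBridge or Athena query over the trail, which the example deliberately leaves out so it runs offline.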
Checks for Azure
- Restrict Access to Audit Information and Logging Tools in Azure:
Description: This check ensures that access to audit information and logging tools in Azure is restricted so that they cannot be accessed, modified, or deleted without authorization. Access is limited to individuals with a legitimate auditing or monitoring need, enforced with Azure RBAC and least privilege: reader roles (for example Log Analytics Reader) for analysts who only query logs, with the roles able to change or delete a Log Analytics workspace, its diagnostic settings, or the storage account holding exported logs reserved for a small set of administrators. Because role assignments are inherited down the scope hierarchy, Owner or Contributor granted at subscription or resource-group scope also confers those rights on the audit resources beneath it and must be included in the review. Audit logging tools, meaning the software and devices used for auditing and logging, are likewise protected from unauthorized access and execution.
- Implement Technical Safeguards for Audit Information Protection in Azure:
Description: This check verifies that technical safeguards protect audit information in Azure from unauthorized access, modification, and deletion: encryption of audit records in transit and at rest (with customer-managed keys held in Azure Key Vault where the organization requires them), strong authentication and access controls in front of logs and tools, and tamper-evident storage such as immutable (write-once) Blob storage with a time-based retention policy for exported logs. Retention on the Log Analytics workspace and on the archive storage is set to meet the organization's retention requirement, and resource locks or equivalent controls guard the workspace and storage account against accidental deletion.
- Regularly Monitor and Review Audit Logs and Tools in Azure:
Description: This check emphasizes regular monitoring and review of audit logs and tools in Azure to detect unauthorized access, modification, or deletion attempts. Periodic reviews of audit logs and tools are carried out so that suspicious activity and anomalies are promptly identified and investigated, and the logging pipeline itself is monitored: Activity Log operations that delete or change a workspace, remove diagnostic settings, alter retention, or modify an immutability policy should raise alerts in Azure Monitor or Microsoft Sentinel, whether or not the operation succeeded. Regular review maintains the integrity and availability of audit information and ensures that unauthorized actions are detected and mitigated in a timely manner.
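The access-restriction check above turns on a point that is easy to miss in Azure: a role assigned at subscription or resource-group scope is inherited by every audit resource below it, so "who can delete the workspace" is not answered by looking at the workspace's own assignments. The script below resolves that. It is an added example, not code from the original page or from Microsoft; the role definitions are a trimmed subset of Azure's built-in roles, the assignments, principal names, subscription ID and resource IDs are constructed to look like `az role definition list` and `az role assignment list` output, and the list of operations treated as tampering is this example's choice.

```python
"""Added example: work out which principals can change or delete Azure audit
resources (a Log Analytics workspace and the storage account holding exported
logs) by resolving RBAC role assignments across inherited scopes.

Role definitions are a trimmed subset of the built-in roles; assignments,
principals and resource IDs are constructed for the example.
"""
from fnmatch import fnmatchcase

# Trimmed subset of built-in role definitions (control-plane actions only).
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Log Analytics Contributor": {
        "actions": ["*/read", "Microsoft.OperationalInsights/*",
                    "Microsoft.Insights/diagnosticSettings/*",
                    "Microsoft.Storage/storageAccounts/listKeys/action"],
        "notActions": []},
    "Log Analytics Reader": {
        "actions": ["*/read",
                    "Microsoft.OperationalInsights/workspaces/analytics/query/action",
                    "Microsoft.OperationalInsights/workspaces/search/action"],
        "notActions": ["Microsoft.OperationalInsights/workspaces/sharedKeys/read"]},
    "Storage Account Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/*"], "notActions": []},
}

# Operations that would let someone tamper with audit data or its collection.
# Which operations count as tampering is this example's choice.
TAMPER_OPERATIONS = [
    "Microsoft.OperationalInsights/workspaces/delete",
    "Microsoft.OperationalInsights/workspaces/write",
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete",
]


def _matches(pattern, operation):
    # Azure action strings are case-insensitive and '*' spans '/' segments.
    return fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role_name, operation):
    """True if the role's Actions match and none of its NotActions exclude it."""
    role = ROLE_DEFINITIONS[role_name]
    return (any(_matches(p, operation) for p in role["actions"])
            and not any(_matches(p, operation) for p in role["notActions"]))


def scope_covers(scope, resource_id):
    """An assignment applies to every resource at or below its scope."""
    scope, resource_id = scope.lower().rstrip("/"), resource_id.lower()
    return scope == "" or resource_id == scope or resource_id.startswith(scope + "/")


def resource_type(resource_id):
    """'Microsoft.OperationalInsights/workspaces' from a top-level ARM resource ID."""
    parts = resource_id.split("/providers/", 1)[1].split("/")
    return parts[0] + "/" + parts[1]


def who_can_tamper(assignments, resource_id, operations=TAMPER_OPERATIONS):
    """Map each principal to the tamper operations it can perform on resource_id."""
    rtype = resource_type(resource_id).lower() + "/"
    applicable = [op for op in operations if op.lower().startswith(rtype)]
    result = {}
    for a in assignments:
        if not scope_covers(a["scope"], resource_id):
            continue
        granted = {op for op in applicable if role_allows(a["roleDefinitionName"], op)}
        if granted:
            result.setdefault(a["principalName"], set()).update(granted)
    return result


# Constructed sample tenant (not real data).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
WORKSPACE = SUB + "/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-audit"
STORAGE = SUB + "/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stauditarchive"
ASSIGNMENTS = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Log Analytics Reader", "scope": WORKSPACE},
    {"principalName": "carol@example.com", "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-logs"},
    {"principalName": "dave@example.com", "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "siem-ingest", "roleDefinitionName": "Log Analytics Contributor", "scope": WORKSPACE},
    {"principalName": "erin@example.com", "roleDefinitionName": "Reader", "scope": SUB},
]

if __name__ == "__main__":
    for res in (WORKSPACE, STORAGE):
        print(res.rsplit("/", 1)[1])
        for who, ops in sorted(who_can_tamper(ASSIGNMENTS, res).items()):
            print("  ", who, "->", ", ".join(sorted(ops)))
```

On the sample tenant, the workspace can be deleted by alice (Owner at subscription scope), carol (Contributor on the resource group) and the `siem-ingest` service principal, whose Log Analytics Contributor role carries `Microsoft.OperationalInsights/*` and therefore delete; bob, erin and dave (Contributor, but on a different resource group) cannot. The storage account is exposed only to alice and carol. The ingest identity is the kind of finding this review is meant to surface: it needs write access to push data but has no reason to delete the workspace, so a narrower custom role is warranted. The example handles top-level resources and subscription/resource-group scopes; management-group scopes and child resources would need the scope and type resolution extended.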
More Details: Access to monitoring systems and audit tools is restricted to designated IT support and security staff; general employees cannot run them or read their output.