AzPolicyAdvertizer

last sync: 2025-Jul-18 17:23:11 UTC

Resource logs in Key Vault should be enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name Resource logs in Key Vault should be enabled
Id cf820ca0-f99e-4f3e-84fb-66e913812d21
Version 5.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
5.0.0
Built-in Versioning [Preview]
Category Key Vault
Microsoft Learn
Description Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '5.*.*'
Assessment(s) Assessments count: 1
Assessment Id: 88bbc99c-e5af-ddd7-6105-6150b2bfa519
DisplayName: Diagnostic logs in Key Vault should be enabled
Description: Enable logs and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
Remediation description: To enable Key Vault diagnostics:
1. Go to Key Vault and click on your subscription.
2. Click Diagnostic settings and then click Turn on diagnostics.
3. Select one of the options to store the diagnostics logs and follow the instructions.
Note : We recommend setting a retention for the logs. If you select the storage account option , make sure to set the retention to 1 year.
Categories: IdentityAndAccess
Severity: Low
User impact: Low
Implementation effort: Low
Threats: DataExfiltration, ThreatResistance
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled
RBAC role(s) none
Rule aliases THEN-ExistenceCondition (5)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Insights/diagnosticSettings/logs.enabled microsoft.insights diagnosticSettings properties.logs[*].enabled True False
Microsoft.Insights/diagnosticSettings/logs[*] microsoft.insights diagnosticSettings properties.logs[*] True False
Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days microsoft.insights diagnosticSettings properties.logs[*].retentionPolicy.days True False
Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled microsoft.insights diagnosticSettings properties.logs[*].retentionPolicy.enabled True False
Microsoft.Insights/diagnosticSettings/storageAccountId microsoft.insights diagnosticSettings properties.storageAccountId True False
Rule resource types IF (1)
Compliance
The following 97 compliance controls are associated with this Policy definition 'Resource logs in Key Vault should be enabled' (cf820ca0-f99e-4f3e-84fb-66e913812d21)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v1.0 2.3 Azure_Security_Benchmark_v1.0_2.3 Azure Security Benchmark 2.3 Logging and Monitoring Enable audit logging for Azure resources Customer Enable Diagnostic Settings on Azure resources for access to audit, security, and diagnostic logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview n/a link 15
Azure_Security_Benchmark_v2.0 LT-4 Azure_Security_Benchmark_v2.0_LT-4 Azure Security Benchmark LT-4 Logging and Threat Detection Enable logging for Azure resources Shared Enable logging for Azure resources to meet the requirements for compliance, threat detection, hunting, and incident investigation. You can use Azure Security Center and Azure Policy to enable resource logs and log data collecting on Azure resources for access to audit, security, and resource logs. Activity logs, which are automatically available, include event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview Understand Azure Security Center data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection Enable and configure antimalware monitoring: https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets n/a link 13
Azure_Security_Benchmark_v3.0 DP-8 Azure_Security_Benchmark_v3.0_DP-8 Microsoft cloud security benchmark DP-8 Data Protection Ensure security of key and certificate repository Shared **Security Principle:** Ensure the security of the key vault service used for the cryptographic key and certificate lifecycle management. Harden your key vault service through access control, network security, logging and monitoring and backup to ensure keys and certificates are always protected using the maximum security. **Azure Guidance:** Secure your cryptographic keys and certificates by hardening your Azure Key Vault service through the following controls: - Restrict the access to keys and certificates in Azure Key Vault using built-in access policies or Azure RBAC to ensure the least privileges principle are in place for management plane access and data plane access. - Secure the Azure Key Vault using Private Link and Azure Firewall to ensure the minimal exposure of the service - Ensure separation of duties is place for users who manages encryption keys not have the ability to access encrypted data, and vice versa. - Use managed identity to access keys stored in the Azure Key Vault in your workload applications. - Never have the keys stored in plaintext format outside of the Azure Key Vault. - When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged. - Backup your keys and certificates using the Azure Key Vault. Enable soft delete and purge protection to avoid accidental deletion of keys. - Turn on Azure Key Vault logging to ensure the critical management plane and data plane activities are logged. **Implementation and additional context:** Azure Key Vault overview: https://docs.microsoft.com/azure/key-vault/general/overview Azure Key Vault security best practices: https://docs.microsoft.com/azure/key-vault/general/best-practices Use managed identity to access Azure Key Vault: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad n/a link 6
Azure_Security_Benchmark_v3.0 LT-3 Azure_Security_Benchmark_v3.0_LT-3 Microsoft cloud security benchmark LT-3 Logging and Threat Detection Enable logging for security investigation Shared **Security Principle:** Enable logging for your cloud resources to meet the requirements for security incident investigations and security response and compliance purposes. **Azure Guidance:** Enable logging capability for resources at the different tiers, such as logs for Azure resources, operating systems and applications inside in your VMs and other log types. Be mindful about different type of logs for security, audit, and other operation logs at the management/control plane and data plane tiers. There are three types of the logs available at the Azure platform: - Azure resource log: Logging of operations that are performed within an Azure resource (the data plane). For example, getting a secret from a key vault or making a request to a database. The content of resource logs varies by the Azure service and resource type. - Azure activity log: Logging of operations on each Azure resource at the subscription layer, from the outside (the management plane). You can use the Activity Log to determine the what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. There is a single Activity log for each Azure subscription. - Microsoft Entra logs: Logs of the history of sign-in activity and audit trail of changes made in the Microsoft Entra ID for a particular tenant. You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting on Azure resources. **Implementation and additional context:** Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview Understand Microsoft Defender for Cloud data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection Enable and configure antimalware monitoring: https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets Operating systems and application logs inside in your compute resources: https://docs.microsoft.com/azure/azure-monitor/agents/data-sources#operating-system-guest n/a link 16
Canada_Federal_PBMM_3-1-2020 CA_7 Canada_Federal_PBMM_3-1-2020_CA_7 Canada Federal PBMM 3-1-2020 CA 7 Continuous Monitoring Continuous Monitoring Shared 1. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of organization-defined metrics to be monitored. 2. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes establishment of at least monthly monitoring and assessments of at least operating system scans, database, and web application scan. 3. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy. 4. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy. 5. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring. 6. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information. 7. The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes reporting the security status of organization and the information system to organization-defined personnel or roles at organization-defined frequency. To ensure the ongoing effectiveness of security controls and maintain the security posture in alignment with organizational objectives and requirements. 120
Canada_Federal_PBMM_3-1-2020 SI_4 Canada_Federal_PBMM_3-1-2020_SI_4 Canada Federal PBMM 3-1-2020 SI 4 Information System Monitoring Information System Monitoring Shared 1. The organization monitors the information system to detect: a. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and b. Unauthorized local, network, and remote connections; 2. The organization identifies unauthorized use of the information system through organization-defined techniques and methods. 3. The organization deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization. 4. The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. 5. The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or Canada based on law enforcement information, intelligence information, or other credible sources of information. 6. The organization obtains legal opinion with regard to information system monitoring activities in accordance with organizational policies, directives and standards. 7. The organization provides organization-defined information system monitoring information to organization-defined personnel or roles at an organization-defined frequency. To enhance overall security posture. 93
Canada_Federal_PBMM_3-1-2020 SI_4(1) Canada_Federal_PBMM_3-1-2020_SI_4(1) Canada Federal PBMM 3-1-2020 SI 4(1) Information System Monitoring Information System Monitoring | System-Wide Intrusion Detection System Shared The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. To enhance overall security posture. 93
Canada_Federal_PBMM_3-1-2020 SI_4(2) Canada_Federal_PBMM_3-1-2020_SI_4(2) Canada Federal PBMM 3-1-2020 SI 4(2) Information System Monitoring Information System Monitoring | Automated Tools for Real-Time Analysis Shared The organization employs automated tools to support near real-time analysis of events. To enhance overall security posture. 92
CIS_Azure_1.1.0 5.1.7 CIS_Azure_1.1.0_5.1.7 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.7 5 Logging and Monitoring Ensure that logging for Azure KeyVault is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. link 6
CIS_Azure_1.3.0 5.1.5 CIS_Azure_1.3.0_5.1.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 5 Logging and Monitoring Ensure that logging for Azure KeyVault is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. link 5
CIS_Azure_1.3.0 5.3 CIS_Azure_1.3.0_5.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.3 5 Logging and Monitoring Ensure that Diagnostic Logs are enabled for all services which support it. Shared The customer is responsible for implementing this recommendation. Diagnostic Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, for example, getting a secret from a Key Vault. Currently, 32 Azure resources support Diagnostic Logging (See the references section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps and CosmosDB. The content of these logs varies by resource type. For example, Windows event system logs are a category of diagnostics logs for VMs, and blob, table, and queue logs are categories of diagnostics logs for storage accounts. A number of back-end services were not configured to log and store Diagnostic Logs for certain activities or for a sufficient length. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time. By default, Diagnostic Logs are not enabled. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended. Note: The CIS Benchmark covers some specific Diagnostic Logs separately. ''' 3.3 - Ensure Storage logging is enabled for Queue service for read, write, and delete requests 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' ''' link 20
CIS_Azure_1.4.0 5.1.5 CIS_Azure_1.4.0_5.1.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 5 Logging and Monitoring Ensure that logging for Azure KeyVault is 'Enabled' Shared The customer is responsible for implementing this recommendation. Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. link 5
CIS_Azure_1.4.0 5.3 CIS_Azure_1.4.0_5.3 CIS Microsoft Azure Foundations Benchmark recommendation 5.3 5 Logging and Monitoring Ensure that Diagnostic Logs Are Enabled for All Services that Support it. Shared The customer is responsible for implementing this recommendation. Diagnostic Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, for example, getting a secret from a Key Vault. Currently, 32 Azure resources support Diagnostic Logging (See the references section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps and CosmosDB. The content of these logs varies by resource type. For example, Windows event system logs are a category of diagnostics logs for VMs, and blob, table, and queue logs are categories of diagnostics logs for storage accounts. A number of back-end services were not configured to log and store Diagnostic Logs for certain activities or for a sufficient length. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time. By default, Diagnostic Logs are not enabled. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended. Note: The CIS Benchmark covers some specific Diagnostic Logs separately. ''' 3.3 - Ensure Storage logging is enabled for Queue service for read, write, and delete requests 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' ''' link 20
CIS_Azure_2.0.0 5.1.5 CIS_Azure_2.0.0_5.1.5 CIS Microsoft Azure Foundations Benchmark recommendation 5.1.5 5.1 Ensure that logging for Azure Key Vault is 'Enabled' Shared n/a Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available. Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account which the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account. This same storage account can be used for collecting logs for multiple key vaults. link 5
CIS_Azure_2.0.0 5.4 CIS_Azure_2.0.0_5.4 CIS Microsoft Azure Foundations Benchmark recommendation 5.4 5 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it Shared Costs for monitoring varies with Log Volume. Not every resource needs to have logging enabled. It is important to determine the security classification of the data being processed by the given resource and adjust the logging based on which events need to be tracked. This is typically determined by governance and compliance requirements. Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault. Currently, 95 Azure resources support Azure Monitoring (See the more information section for a complete list), including Network Security Groups, Load Balancers, Key Vault, AD, Logic Apps, and CosmosDB. The content of these logs varies by resource type. A number of back-end services were not configured to log and store Resource Logs for certain activities or for a sufficient length. It is crucial that monitoring is correctly configured to log all relevant activities and retain those logs for a sufficient length of time. Given that the mean time to detection in an enterprise is 240 days, a minimum retention period of two years is recommended. A lack of monitoring reduces the visibility into the data plane, and therefore an organization's ability to detect reconnaissance, authorization attempts or other malicious activity. Unlike Activity Logs, Resource Logs are not enabled by default. Specifically, without monitoring it would be impossible to tell which entities had accessed a data store that was breached. In addition, alerts for failed attempts to access APIs for Web Services or Databases are only possible when logging is enabled. link 20
CIS_Azure_Foundations_v3.0.0 6.1.4 CIS_Azure_Foundations_v3.0.0_6.1.4 CIS Azure Foundations v3.0.0 6.1.4 6.1 Ensure that Logging for Azure Key Vault is 'Enabled' Shared n/a Verify that logging for Azure Key Vault is set to 'Enabled'. This control is essential for ensuring that all access and operations on the key vault are recorded, providing an audit trail for monitoring and compliance purposes. 1
CIS_Controls_v8.1 13.11 CIS_Controls_v8.1_13.11 CIS Controls v8.1 13.11 Network Monitoring and Defense Tune security event alerting thresholds Shared Tune security event alerting thresholds monthly, or more frequently. To regularly adjust and optimize security event alerting thresholds, aiming to enhance effectiveness. 48
CIS_Controls_v8.1 3.14 CIS_Controls_v8.1_3.14 CIS Controls v8.1 3.14 Data Protection Log sensitive data access Shared Log sensitive data access, including modification and disposal. To enhance accountability, traceability, and security measures within the enterprise. 45
CIS_Controls_v8.1 8.1 CIS_Controls_v8.1_8.1 CIS Controls v8.1 8.1 Audit Log Management Establish and maintain an audit log management process Shared 1. Establish and maintain an audit log management process that defines the enterprise’s logging requirements. 2. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. 3. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard. To ensure appropriate management of audit log systems. 29
CIS_Controls_v8.1 8.2 CIS_Controls_v8.1_8.2 CIS Controls v8.1 8.2 Audit Log Management Collect audit logs. Shared 1. Collect audit logs. 2. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. To assist in troubleshooting of system issues and ensure integrity of data systems. 30
CIS_Controls_v8.1 8.3 CIS_Controls_v8.1_8.3 CIS Controls v8.1 8.3 Audit Log Management Ensure adequate audit log storage Shared Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. To ensure all important and required logs can be stored for retrieval as and when required. 21
CIS_Controls_v8.1 8.5 CIS_Controls_v8.1_8.5 CIS Controls v8.1 8.5 Audit Log Management Collect detailed audit logs. Shared 1. Configure detailed audit logging for enterprise assets containing sensitive data. 2. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. To ensure that audit logs contain all pertinent information that might be required in a forensic investigation. 32
CIS_Controls_v8.1 8.7 CIS_Controls_v8.1_8.7 CIS Controls v8.1 8.7 Audit Log Management Collect URL request audit logs Shared Collect URL request audit logs on enterprise assets, where appropriate and supported. To maintain an audit trail of all URL requests made. 29
CIS_Controls_v8.1 8.8 CIS_Controls_v8.1_8.8 CIS Controls v8.1 8.8 Audit Log Management Collect command-line audit logs Shared Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell, BASH, and remote administrative terminals. To ensure recording of the commands and arguments used by a process. 29
CIS_Controls_v8.1 8.9 CIS_Controls_v8.1_8.9 CIS Controls v8.1 8.9 Audit Log Management Centralize audit logs Shared Centralize, to the extent possible, audit log collection and retention across enterprise assets. To optimize and simply the process of audit log management. 29
CMMC_2.0_L2 AU.L2-3.3.1 CMMC_2.0_L2_AU.L2-3.3.1 404 not found n/a n/a 32
CMMC_2.0_L2 AU.L2-3.3.2 CMMC_2.0_L2_AU.L2-3.3.2 404 not found n/a n/a 32
CMMC_L2_v1.9.0 AU.L2_3.3.1 CMMC_L2_v1.9.0_AU.L2_3.3.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.1 Audit and Accountability System Auditing Shared Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. To enhance security and accountability measures. 40
CMMC_L2_v1.9.0 AU.L2_3.3.3 CMMC_L2_v1.9.0_AU.L2_3.3.3 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 AU.L2 3.3.3 Audit and Accountability Event Review Shared Review and update logged events. To enhance the effectiveness of security measures. 33
CSA_v4.0.12 LOG_07 CSA_v4.0.12_LOG_07 CSA Cloud Controls Matrix v4.0.12 LOG 07 Logging and Monitoring Logging Scope Shared n/a Establish, document and implement which information meta/data system events should be logged. Review and update the scope at least annually or whenever there is a change in the threat environment. 33
CSA_v4.0.12 LOG_08 CSA_v4.0.12_LOG_08 CSA Cloud Controls Matrix v4.0.12 LOG 08 Logging and Monitoring Log Records Shared n/a Generate audit records containing relevant security information. 23
CSA_v4.0.12 LOG_10 CSA_v4.0.12_LOG_10 CSA Cloud Controls Matrix v4.0.12 LOG 10 Logging and Monitoring Encryption Monitoring and Reporting Shared n/a Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic, encryption and key management policies, processes, procedures, and controls. 23
CSA_v4.0.12 LOG_11 CSA_v4.0.12_LOG_11 CSA Cloud Controls Matrix v4.0.12 LOG 11 Logging and Monitoring Transaction/Activity Logging Shared n/a Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic keys. 23
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 306
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 306
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 306
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 306
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .4 FBI_Criminal_Justice_Information_Services_v5.9.5_5.4 404 not found n/a n/a 40
FedRAMP_High_R4 AU-12 FedRAMP_High_R4_AU-12 FedRAMP High AU-12 Audit And Accountability Audit Generation Shared n/a The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3. Supplemental Guidance: Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. References: None. link 34
FedRAMP_High_R4 AU-12(1) FedRAMP_High_R4_AU-12(1) FedRAMP High AU-12 (1) Audit And Accountability System-Wide / Time-Correlated Audit Trail Shared n/a The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time- correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]. Supplemental Guidance: Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12. link 31
FedRAMP_High_R4 AU-6(4) FedRAMP_High_R4_AU-6(4) FedRAMP High AU-6 (4) Audit And Accountability Central Review And Analysis Shared n/a The information system provides the capability to centrally review and analyze audit records from multiple components within the system. Supplemental Guidance: Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. Related controls: AU-2, AU-12. link 30
FedRAMP_High_R4 AU-6(5) FedRAMP_High_R4_AU-6(5) FedRAMP High AU-6 (5) Audit And Accountability Integration / Scanning And Monitoring Capabilities Shared n/a The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. Supplemental Guidance: This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. Related controls: AU-12, IR-4, RA-5. link 31
FedRAMP_Moderate_R4 AU-12 FedRAMP_Moderate_R4_AU-12 FedRAMP Moderate AU-12 Audit And Accountability Audit Generation Shared n/a The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3. Supplemental Guidance: Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. References: None. link 34
hipaa 1211.09aa3System.4-09.aa hipaa-1211.09aa3System.4-09.aa 1211.09aa3System.4-09.aa 12 Audit Logging & Monitoring 1211.09aa3System.4-09.aa 09.10 Monitoring Shared n/a The organization verifies every 90 days for each extract of covered information recorded that the data is erased or its use is still required. 9
HITRUST_CSF_v11.3 09.aa HITRUST_CSF_v11.3_09.aa HITRUST CSF v11.3 09.aa Monitoring Ensure information security events are monitored and recorded to detect unauthorized information processing activities in compliance with all relevant legal requirements. Shared 1. Retention policies for audit logs are to be specified and the audit logs are to be retained accordingly. 2. A secure audit record is to be created each time a user accesses, creates, updates, or deletes covered and/or confidential information via the system. 3. Audit logs are to be maintained for account management activities, security policy changes, configuration changes, modification to sensitive information, read access to sensitive information, and printing of sensitive information. Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring. 37
HITRUST_CSF_v11.3 09.ab HITRUST_CSF_v11.3_09.ab HITRUST CSF v11.3 09.ab Monitoring Establish procedures for monitoring use of information processing systems and facilities to check for use and effectiveness of implemented controls. Shared 1. It is to be specified how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. 2. All relevant legal requirements applicable to its monitoring of authorized access and unauthorized access attempts is to be complied with. Procedures for monitoring use of information processing systems and facilities shall be established to check for use and effectiveness of implemented controls. The results of the monitoring activities shall be reviewed regularly. 109
ISO_IEC_27001_2022 9.1 ISO_IEC_27001_2022_9.1 ISO IEC 27001 2022 9.1 Performance Evaluation Monitoring, measurement, analysis and evaluation Shared 1. The organization shall determine: a. what needs to be monitored and measured, including information security processes and controls; b. the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid; c. when the monitoring and measuring shall be performed; d. who shall monitor and measure; e. when the results from monitoring and measurement shall be analysed and evaluated; f. who shall analyse and evaluate these results. 2. Documented information shall be available as evidence of the results. Specifies that the organisation must evaluate information security performance and the effectiveness of the information security management system. 43
ISO_IEC_27002_2022 8.15 ISO_IEC_27002_2022_8.15 ISO IEC 27002 2022 8.15 Detection Control Logging Shared Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed. To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. 29
ISO_IEC_27017_2015 12.4.1 ISO_IEC_27017_2015_12.4.1 ISO IEC 27017 2015 12.4.1 Operations Security Event Logging Shared For Cloud Service Customer: The cloud service customer should define its requirements for event logging and verify that the cloud service meets those requirements. For Cloud Service Provider: The cloud service provider should provide logging capabilities to the cloud service customer. To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations. 24
K_ISMS_P_2018 2.10.1 K_ISMS_P_2018_2.10.1 K ISMS P 2018 2.10.1 2.10 Establish Procedures for Managing the Security of System Operations Shared n/a Establish and implement operating procedures for managing the security of system operations such as designating system administrators, updating policies, changing rulesets, monitoring events, managing policy implementations or exceptions. 408
K_ISMS_P_2018 2.10.2 K_ISMS_P_2018_2.10.2 K ISMS P 2018 2.10.2 2.10 Establish Protective Measures for Administrator Privileges and Security Configurations Shared n/a Establish and implement protective measures with regard to administrator privileges and security configurations to ensure that important information and personal information are not exposed as a result of unauthorized access by service type or misconfigurations. 385
K_ISMS_P_2018 2.11.1 K_ISMS_P_2018_2.11.1 K ISMS P 2018 2.11.1 2.11 Establish Procedures for Managing Internal and External Intrusion Attempts Shared n/a Establish procedures for detecting, analyzing, sharing, and effectively responding to internal and external intrusion attempts to prevent personal information leakage. Additionally, implement a framework for collaboration with relevant external agencies and experts. 57
K_ISMS_P_2018 2.11.3 K_ISMS_P_2018_2.11.3 K ISMS P 2018 2.11.3 2.11 Collect, Monitor, and Analyze Data and Network Traffic Shared n/a Collect, monitor, and analyze data and network traffic to respond to internal or external infringement attempts in a timely manner. 31
K_ISMS_P_2018 2.11.5 K_ISMS_P_2018_2.11.5 K ISMS P 2018 2.11.5 2.11 Establish Procedures to Respond and Recover from Incidents Shared n/a Establish procedures to respond and recover from incidents in a timely manner, including legal obligations for disclosing information. Additional procedures must be established and implemented to prevent recurrence. 57
K_ISMS_P_2018 2.9.2a K_ISMS_P_2018_2.9.2a K ISMS P 2018 2.9.2a 2.9.2a Establish Procedures for Information System Failures Shared n/a Establish procedures to detect, record, analyze, report, and respond to information system failures. 39
K_ISMS_P_2018 2.9.4 K_ISMS_P_2018_2.9.4 K ISMS P 2018 2.9.4 2.9 Maintain Logs and Establish Log Management Procedures Shared n/a Maintain log records for servers, applications, security systems, and networks. Define log types, access permissions, retention periods, and storage methods to ensure secure retention and prevent forgery, alteration, theft, and loss. 45
New_Zealand_ISM 23.5.11.C.01 New_Zealand_ISM_23.5.11.C.01 New_Zealand_ISM_23.5.11.C.01 23. Public Cloud Security 23.5.11.C.01 Logging requirements n/a Agencies MUST ensure that logs associated with public cloud services are collected, protected, and that their integrity can be confirmed in accordance with the agency’s documented logging requirements. 19
NIST_CSF_v2.0 DE.AE_03 NIST_CSF_v2.0_DE.AE_03 NIST CSF v2.0 DE.AE 03 DETECT-Adverse Event Analysis Information is correlated from multiple sources. Shared n/a To identify and analyze the cybersecurity attacks and compromises. 25
NIST_SP_800-171_R2_3 .3.1 NIST_SP_800-171_R2_3.3.1 NIST SP 800-171 R2 3.3.1 Audit and Accountability Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Shared Microsoft and the customer share responsibilities for implementing this requirement. An event is any observable occurrence in a system, which includes unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed as those events which are significant and relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, failed logons or failed accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the monitoring and auditing appropriate for each of the CUI security requirements. Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of event types, the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures. Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide important information to organizations to facilitate risk-based decision making. [SP 800-92] provides guidance on security log management. link 48
NIST_SP_800-171_R2_3 .3.2 NIST_SP_800-171_R2_3.3.2 NIST SP 800-171 R2 3.3.2 Audit and Accountability Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement ensures that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. Organizations consider logging for traceability including results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP). link 34
NIST_SP_800-171_R3_3 .3.1 NIST_SP_800-171_R3_3.3.1 404 not found n/a n/a 33
NIST_SP_800-53_R4 AU-12 NIST_SP_800-53_R4_AU-12 NIST SP 800-53 Rev. 4 AU-12 Audit And Accountability Audit Generation Shared n/a The information system: a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components]; b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3. Supplemental Guidance: Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7. References: None. link 34
NIST_SP_800-53_R4 AU-12(1) NIST_SP_800-53_R4_AU-12(1) NIST SP 800-53 Rev. 4 AU-12 (1) Audit And Accountability System-Wide / Time-Correlated Audit Trail Shared n/a The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time- correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]. Supplemental Guidance: Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances. Related controls: AU-8, AU-12. link 31
NIST_SP_800-53_R4 AU-6(4) NIST_SP_800-53_R4_AU-6(4) NIST SP 800-53 Rev. 4 AU-6 (4) Audit And Accountability Central Review And Analysis Shared n/a The information system provides the capability to centrally review and analyze audit records from multiple components within the system. Supplemental Guidance: Automated mechanisms for centralized reviews and analyses include, for example, Security Information Management products. Related controls: AU-2, AU-12. link 30
NIST_SP_800-53_R4 AU-6(5) NIST_SP_800-53_R4_AU-6(5) NIST SP 800-53 Rev. 4 AU-6 (5) Audit And Accountability Integration / Scanning And Monitoring Capabilities Shared n/a The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. Supplemental Guidance: This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. Related controls: AU-12, IR-4, RA-5. link 31
NIST_SP_800-53_R5.1.1 AU.2 NIST_SP_800-53_R5.1.1_AU.2 NIST SP 800-53 R5.1.1 AU.2 Audit and Accountability Control Event Logging Shared a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]. An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage. Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures. 23
NIST_SP_800-53_R5 AU-12 NIST_SP_800-53_R5_AU-12 NIST SP 800-53 Rev. 5 AU-12 Audit and Accountability Audit Record Generation Shared n/a a. Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3). link 34
NIST_SP_800-53_R5 AU-12(1) NIST_SP_800-53_R5_AU-12(1) NIST SP 800-53 Rev. 5 AU-12 (1) Audit and Accountability System-wide and Time-correlated Audit Trail Shared n/a Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. link 31
NIST_SP_800-53_R5 AU-6(4) NIST_SP_800-53_R5_AU-6(4) NIST SP 800-53 Rev. 5 AU-6 (4) Audit and Accountability Central Review and Analysis Shared n/a Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. link 30
NIST_SP_800-53_R5 AU-6(5) NIST_SP_800-53_R5_AU-6(5) NIST SP 800-53 Rev. 5 AU-6 (5) Audit and Accountability Integrated Analysis of Audit Records Shared n/a Integrate analysis of audit records with analysis of [Selection (OneOrMore): vulnerability scanning information;performance data;system monitoring information; [Assignment: organization-defined data/information collected from other sources] ] to further enhance the ability to identify inappropriate or unusual activity. link 31
NZ_ISM_v3.5 AC-18 NZ_ISM_v3.5_AC-18 NZISM Security Benchmark AC-18 Access Control and Passwords 16.6.9 Events to be logged Customer n/a The events to be logged are key elements in the monitoring of the security posture of systems and contributing to reviews, audits, investigations and incident management. link 17
NZISM_Security_Benchmark_v1.1 AC-17 NZISM_Security_Benchmark_v1.1_AC-17 NZISM Security Benchmark AC-17 Access Control and Passwords 16.6.9 Events to be logged Customer Agencies MUST log, at minimum, the following events for all software components: logons; failed logon attempts; logoffs; date and time; all privileged operations; failed attempts to elevate privileges; security related system alerts and failures; system user and group additions, deletions and modification to permissions; and unauthorised or failed access attempts to systems and files identified as critical to the agency. The events to be logged are key elements in the monitoring of the security posture of systems and contributing to reviews, audits, investigations and incident management. link 13
NZISM_v3.7 16.6.10.C.01. NZISM_v3.7_16.6.10.C.01. NZISM v3.7 16.6.10.C.01. Event Logging and Auditing 16.6.10.C.01. - enhance system security and accountability. Shared n/a Agencies SHOULD log the events listed in the table below for specific software components. 1. Database - a. System user access to the database. b. Attempted access that is denied c. Changes to system user roles or database rights. d. Addition of new system users, especially privileged users e. Modifications to the data. f. Modifications to the format or structure of the database 2. Network/operating system a. Successful and failed attempts to logon and logoff. b. Changes to system administrator and system user accounts. c. Failed attempts to access data and system resources. d. Attempts to use special privileges. e. Use of special privileges. f. System user or group management. g. Changes to the security policy. h. Service failures and restarts. i.System startup and shutdown. j. Changes to system configuration data. k. Access to sensitive data and processes. l. Data import/export operations. 3. Web application a. System user access to the Web application. b. Attempted access that is denied. c. System user access to the Web documents. d. Search engine queries initiated by system users. 31
NZISM_v3.7 16.6.10.C.02. NZISM_v3.7_16.6.10.C.02. NZISM v3.7 16.6.10.C.02. Event Logging and Auditing 16.6.10.C.02. - enhance system security and accountability. Shared n/a Agencies SHOULD log, at minimum, the following events for all software components: 1. user login; 2. all privileged operations; 3. failed attempts to elevate privileges; 4. security related system alerts and failures; 5. system user and group additions, deletions and modification to permissions; and 6. unauthorised or failed access attempts to systems and files identified as critical to the agency. 48
NZISM_v3.7 16.6.11.C.01. NZISM_v3.7_16.6.11.C.01. NZISM v3.7 16.6.11.C.01. Event Logging and Auditing 16.6.11.C.01. - enhance system security and accountability. Shared n/a For each event identified as needing to be logged, agencies MUST ensure that the log facility records at least the following details, where applicable: 1. date and time of the event; 2. relevant system user(s) or processes; 3. event description; 4. success or failure of the event; 5. event source (e.g. application name); and 6. IT equipment location/identification. 48
NZISM_v3.7 16.6.12.C.01. NZISM_v3.7_16.6.12.C.01. NZISM v3.7 16.6.12.C.01. Event Logging and Auditing 16.6.12.C.01. - maintain integrity of the data. Shared n/a Event logs MUST be protected from: 1. modification and unauthorised access; and 2. whole or partial loss within the defined retention period. 48
NZISM_v3.7 16.6.6.C.01. NZISM_v3.7_16.6.6.C.01. NZISM v3.7 16.6.6.C.01. Event Logging and Auditing 16.6.6.C.01. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST maintain system management logs for the life of a system. 48
NZISM_v3.7 16.6.7.C.01. NZISM_v3.7_16.6.7.C.01. NZISM v3.7 16.6.7.C.01. Event Logging and Auditing 16.6.7.C.01. - facilitate effective monitoring, troubleshooting, and auditability of system operations. Shared n/a A system management log SHOULD record the following minimum information: 1. all system start-up and shutdown; 2. service, application, component or system failures; 3. maintenance activities; 4. backup and archival activities; 5. system recovery activities; and 6. special or out of hours activities. 48
NZISM_v3.7 16.6.9.C.01. NZISM_v3.7_16.6.9.C.01. NZISM v3.7 16.6.9.C.01. Event Logging and Auditing 16.6.9.C.01. - enhance system security and accountability. Shared n/a Agencies MUST log, at minimum, the following events for all software components: 1. logons; 2. failed logon attempts; 3. logoffs; 4 .date and time; 5. all privileged operations; 6. failed attempts to elevate privileges; 7. security related system alerts and failures; 8. system user and group additions, deletions and modification to permissions; and 9. unauthorised or failed access attempts to systems and files identified as critical to the agency. 46
op.exp.7 Incident management op.exp.7 Incident management 404 not found n/a n/a 103
PCI_DSS_v4.0.1 10.4.2.1 PCI_DSS_v4.0.1_10.4.2.1 PCI DSS v4.0.1 10.4.2.1 Log and Monitor All Access to System Components and Cardholder Data Frequency of Log Reviews Shared n/a The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1 25
RBI_CSF_Banks_v2016 16.3 RBI_CSF_Banks_v2016_16.3 Maintenance, Monitoring, And Analysis Of Audit Logs Maintenance, Monitoring, And Analysis Of Audit Logs-16.3 n/a Enough care is to be taken tocapture audit logs pertaining to user actions in a system. Such arrangements should facilitate forensic auditing, if need be. 4
RBI_CSF_Banks_v2016 17.1 RBI_CSF_Banks_v2016_17.1 Audit Log Settings Audit Log Settings-17.1 n/a Implement and periodically validate settings for capturing of appropriate logs/audit trails of each device, system software and application software , ensuring that logs include minimum information to uniquely identify the log for example by including a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or event and/or transaction. 14
RBI_CSF_Banks_v2016 6.4 RBI_CSF_Banks_v2016_6.4 Application Security Life Cycle (Aslc) Application Security Life Cycle (Aslc)-6.4 n/a Besides business functionalities, security requirements relating to system access control, authentication, transaction authorization, data integrity, system activity logging, audit trail, session management, security event tracking and exception handling are required to be clearly specified at the initial and ongoing stages of system development/acquisition/implementation. 13
RMiT_v1.0 10.66 RMiT_v1.0_10.66 RMiT 10.66 Security of Digital Services Security of Digital Services - 10.66 Shared n/a A financial institution must implement robust technology security controls in providing digital services which assure the following: (a) confidentiality and integrity of customer and counterparty information and transactions; (b) reliability of services delivered via channels and devices with minimum disruption to services; (c) proper authentication of users or devices and authorisation of transactions; (d) sufficient audit trail and monitoring of anomalous transactions; (e) ability to identify and revert to the recovery point prior to incident or service disruption; and (f) strong physical control and logical control measures link 29
SOC_2023 A1.1 SOC_2023_A1.1 SOC 2023 A1.1 Additional Criteria for Availability Effectively manage capacity demand and facilitate the implementation of additional capacity as needed. Shared n/a The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. 107
SOC_2023 CC.5.3 SOC_2023_CC.5.3 404 not found n/a n/a 35
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication Facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 214
SOC_2023 CC4.1 SOC_2023_CC4.1 SOC 2023 CC4.1 Monitoring Activities Enhance the ability to manage risks and achieve objectives. Shared n/a The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 36
SOC_2023 CC4.2 SOC_2023_CC4.2 SOC 2023 CC4.2 Monitoring Activities Facilitate timely corrective actions and strengthen the ability to maintain effective control over its operations and achieve its objectives. Shared n/a The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors. 35
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities Maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 225
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations Maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 163
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations Effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 209
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 143
SWIFT_CSCF_v2021 6.4 SWIFT_CSCF_v2021_6.4 SWIFT CSCF v2021 6.4 Detect Anomalous Activity to Systems or Transaction Records Logging and Monitoring n/a Record security events and detect anomalous actions and operations within the local SWIFT environment. link 29
SWIFT_CSCF_v2022 6.4 SWIFT_CSCF_v2022_6.4 SWIFT CSCF v2022 6.4 6. Detect Anomalous Activity to Systems or Transaction Records Record security events and detect anomalous actions and operations within the local SWIFT environment. Shared n/a Capabilities to detect anomalous activity are implemented, and a process or tool is in place to keep and review logs. link 47
U.15.1 - Events Logged U.15.1 - Events Logged 404 not found n/a n/a 51
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Deprecated]: Azure Security Benchmark v1 42a694ed-f65e-42b2-aa9e-8052e9740a92 Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: Azure Security Benchmark v2 bb522ac1-bc39-4957-b194-429bcd3bcb0b Regulatory Compliance Deprecated BuiltIn true
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn unknown
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn unknown
[Preview]: CMMC 2.0 Level 2 4e50fd13-098b-3206-61d6-d1d78205cb45 Regulatory Compliance Preview BuiltIn true
[Preview]: Reserve Bank of India - IT Framework for Banks d0d5578d-cc08-2b22-31e3-f525374f235a Regulatory Compliance Preview BuiltIn unknown
[Preview]: SWIFT CSP-CSCF v2021 abf84fac-f817-a70c-14b5-47eec767458a Regulatory Compliance Preview BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CIS Azure Foundations v3.0.0 470a962c-86a0-433b-803a-3c176b5ce79c Regulatory Compliance GA BuiltIn unknown
CIS Controls v8.1 046796ef-e8a7-4398-bbe9-cce970b1a3ae Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v1.1.0 1a5bb27d-173f-493e-9568-eb56638dde4d Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.3.0 612b5213-9160-4969-8578-1518bd2a000c Regulatory Compliance GA BuiltIn true
CIS Microsoft Azure Foundations Benchmark v1.4.0 c3f5c4d9-9a1d-4a99-85c0-7f93e384d5c5 Regulatory Compliance GA BuiltIn unknown
CIS Microsoft Azure Foundations Benchmark v2.0.0 06f19060-9e68-4070-92ca-f15cc126059e Regulatory Compliance GA BuiltIn unknown
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27001 2022 5e4ff661-23bf-42fa-8e3a-309a55091cc7 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27017 2015 f48ecfa6-581c-43f9-8141-cd4adc72cf26 Regulatory Compliance GA BuiltIn unknown
K ISMS P 2018 e0782c37-30da-4a78-9f92-50bfe7aa2553 Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST CSF v2.0 184a0e05-7b06-4a68-bbbe-13b8353bc613 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
NL BIO Cloud Theme 6ce73208-883e-490f-a2ac-44aac3b3687f Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
RMIT Malaysia 97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6 Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn unknown
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-06-17 14:24:41 change Major (4.0.1 > 5.0.0)
2021-02-10 14:43:58 change Major (3.0.0 > 4.0.1)
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC