Documentation of system logs for self-maintained data systems

Critical
High
Normal
Low

The development of system logs must keep pace with the development of the system and enable, for example, the necessary resolution of incidents. In connection with the data system list, we describe for which systems we are responsible for the implementation of the logging. For these systems, we document:

  • which data is saved on the log
  • how long log data is retained
Connected other frameworks and requirements:
I10: Turvallisuuteen liittyvien tapahtumien jäljitettävyys
12.4.1: Event logging
ISO 27001
12.4.2: Protection of log information
ISO 27001
CLD 12.4: Logging and monitoring
ISO 27017
CLD 12.4.5: Monitoring of Cloud Services
ISO 27017

Data system log review

Critical
High
Normal
Low

The organization must be aware of the logs that accrue from the use of different data systems, whether generating the logs is the responsibility of the organization or the system provider. Logs record user actions as well as anomalies, errors, and security incidents.

The adequacy of log should be reviewed regularly. If necessary, log should be usable to determine the root causes for system incidents.

Connected other frameworks and requirements:
I10: Turvallisuuteen liittyvien tapahtumien jäljitettävyys
12.4.1: Event logging
ISO 27001
12.4.3: Administrator and operator logs
ISO 27001
PR.PT-1: Audit/log records
NIST CSF
DE.CM-7: Monitoring for unauthorized activity
NIST CSF

Definition and monitoring of alarm policies

Critical
High
Normal
Low

Often, security tools provide a way to set alert policies when something potentially dangerous happens in an organization's environment. For example, Microsoft 365 has built-in alert policies to alert you to abuse of administrator privileges, malware, potential internal and external risks, and data security risks.

The organization must identify security-related events in data systems and the environments in which they operate. To respond to changes related to these events, alarm policies must be created.

Alarm policies need to be actively monitored and modified based on experience.

Connected other frameworks and requirements:
12.4.1: Event logging
ISO 27001
16.1.7: Collection of evidence
PR.DS-4: Availability
NIST CSF
DE.AE-5: Incident alert thresholds
NIST CSF
RS.AN-1: Notifications from detection systems
NIST CSF

Deployment and regular analysis of security system logs

Critical
High
Normal
Low

Security systems (e.g. firewall, malware protection) often have the ability to record a log of events. At regular intervals, make sure that a comprehensive log is accumulated and try to identify suspicious activity. The log is also useful in investigating disturbances or violations.

Connected other frameworks and requirements:
9.1.2: Access to networks and network services
ISO 27001
12.4.1: Event logging
ISO 27001
PR.PT-1: Audit/log records
NIST CSF
RS.AN-1: Notifications from detection systems
NIST CSF
8.15: Logging
ISO 27001

Network usage log and process for detecting inappropriate network traffic

Critical
High
Normal
Low

An appropriate log is generated from the use of the network to enable the detection of actions relevant to cyber security.

The normal state of network traffic (traffic volumes, protocols, and connections) is known. In order to detect anomalies, there is a procedure for detecting events that are different from the normal state of network traffic (for example, anomalous connections or their attempts).

Connected other frameworks and requirements:
I11: Poikkeamien havainnointikyky ja toipuminen
12.4.1: Event logging
ISO 27001
13.1.1: Network controls
ISO 27001
PR.AC-3: Remote access management
NIST CSF
PR.AC-5: Network integrity
NIST CSF

Access management for files stored in the cloud

Critical
High
Normal
Low

By monitoring the amount of information shared in cloud services, efforts can be made to identify risks that could lead to unauthorized disclosure of information. With respect to files one may e.g. monitor:

  • Which employees share the most files in the cloud services?
  • How often DLP policies have issued alerts?
  • How often the warnings issued by DLP policies are ignored?
  • How much important information is in other cloud services - beyond the reach of DLP control?
Connected other frameworks and requirements:
9.4.1: Information access restriction
ISO 27001
12.4.1: Event logging
ISO 27001
8.3: Information access restriction
ISO 27001

Automatic log data analyzation

Critical
High
Normal
Low

System logs often contain a wealth of information, much of which is irrelevant to security monitoring. In order to identify events relevant to security monitoring, consideration should be given to automatically copying appropriate message types to another log or to using appropriate utilities or audit tools to review and resolve files.

Connected other frameworks and requirements:
12.4.1: Event logging
ISO 27001
DE.CM-3: Personnel activity
NIST CSF
8.15: Logging
ISO 27001
5.2 (MIL1): Perform Monitoring
C2M2
No items found.