1051 NW 14th St., Suite 165
(UM mail routing R-26)
Miami, FL 33136
Receptionist: 305-243-6475
Hours: 8:30am - 5:00pm, M-F
Help Desk: 305-243-5999
Hours: 24/7
General fax: 305-243-6417
Admin. fax: 305-243-2622
Monitoring and audit logging
Objective • On-going system monitoring and logging for audit should allow timely detection of and response to unauthorized information processing activities.
Monitoring • Procedures for monitoring use of information processing facilities should be established and the results of monitoring activities regularly reviewed. This could include:
- event tracking and recording as specified in the Audit logging policy;
- monitoring and review of this data, as determined by the criticality of the application/system or information involved, past experience with information security incidents, and general risk assessment.
Audit logging • Audit logs that record user and system activities, exceptions, and information security events should be produced, and kept for an agreed-upon time period, to assist in future investigations and access control monitoring. This could include recording, when relevant and within the capacity of the logging system, all key events. Key event data could include:
- date/time for the event, and the event type;
- user-ID and/or system-ID associated;
- terminal identity and/or location;
- network addresses and protocols;
- records of successful and unsuccessful system accesses or other resource accesses;
- changes to system configurations;
- use of privileges;
- use of system utilities and applications;
- files accessed and the kinds of access (e.g., read, modify, create, copy, delete); and
- alarms raised by the access control system or any other protection system (e.g., IDS/IPS).
Balancing audit with operational requirements • Audit controls should be implemented to allow collection of appropriate audit data on operational systems, while minimizing the risk of disruption to business processes.
Protection of log information • Logging facilities and log information should be appropriately protected against tampering and unauthorized access. This could include:
- privacy protection measures for logged data that may be sensitive or confidential; and
- security protections of a technical, physical and administrative nature (e.g., division of responsibilities) to ensure integrity and availability of audit logs.
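The bullets above say what an audit record should carry, that the trail should be reviewed regularly, and that it must be protected against tampering. The following is an added illustration, not part of the UM policy text and not code from any UM system, of how those three requirements fit together in practice: each record carries the key event fields listed under "Audit logging", consecutive records are chained with an HMAC so that editing or deleting a record is detectable on verification, and a small review routine pulls out the items the "Monitoring" bullets call for (repeated failed accesses, use of privileges, configuration changes). The field names, the JSON Lines layout, the key, and the sample events are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). In practice the key must be held outside
# the logged host (KMS/HSM) so the administrators whose actions are recorded
# cannot re-sign the trail: that is the division of responsibilities the
# policy asks for.
LOG_KEY = b"demo-only-key-replace-with-kms-held-secret"

# Key event data from the policy: date/time, event type, user and system ID,
# terminal, network address and protocol, outcome. "resource" and
# "access_kind" are optional and carry the file accessed and kind of access.
REQUIRED_FIELDS = ("ts", "event_type", "user_id", "system_id",
                   "terminal", "src_ip", "protocol", "outcome")
GENESIS = "0" * 64  # previous-MAC value used for the first record


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so the MAC is reproducible on verification.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: list, event: dict) -> dict:
    """Append one audit record, chained to the previous one by an HMAC."""
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        raise ValueError(f"event is missing key fields: {missing}")
    prev = chain[-1]["mac"] if chain else GENESIS
    body = dict(event, seq=len(chain), prev=prev)
    mac = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, mac=mac)
    chain.append(record)
    return record


def verify_chain(chain: list):
    """Return the index of the first bad record, or None if the trail is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i  # a record was removed, reordered, or inserted
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return i  # a field was changed after the fact
        prev = rec["mac"]
    return None


def review(chain: list, fail_threshold: int = 3) -> dict:
    """Routine review: repeated failed accesses, privilege use, config changes."""
    failures = {}
    for rec in chain:
        if rec["outcome"] == "failure":
            failures[rec["user_id"]] = failures.get(rec["user_id"], 0) + 1
    return {
        "repeated_failures": {u: n for u, n in failures.items() if n >= fail_threshold},
        "privilege_use": [(r["seq"], r["user_id"], r.get("resource"))
                          for r in chain if r["event_type"] == "privilege_use"],
        "config_changes": [(r["seq"], r["user_id"], r.get("resource"))
                           for r in chain if r["event_type"] == "config_change"],
    }


def _ev(ts, event_type, user_id, outcome, **extra):
    # Builds constructed sample events for one workstation/application pair.
    base = {"ts": ts, "event_type": event_type, "user_id": user_id,
            "system_id": "ehr-app01", "terminal": "WS-4412",
            "src_ip": "10.20.4.17", "protocol": "https", "outcome": outcome}
    return dict(base, **extra)


def build_sample_chain() -> list:
    """Constructed sample trail; none of these events are real."""
    chain = []
    for ev in (
        _ev("2024-03-01T13:00:05Z", "logon", "jdoe", "success"),
        _ev("2024-03-01T13:02:10Z", "file_access", "jdoe", "success",
            resource="/records/12345", access_kind="read"),
        _ev("2024-03-01T13:05:00Z", "logon", "svc-backup", "failure"),
        _ev("2024-03-01T13:05:02Z", "logon", "svc-backup", "failure"),
        _ev("2024-03-01T13:05:04Z", "logon", "svc-backup", "failure"),
        _ev("2024-03-01T13:10:00Z", "privilege_use", "admin2", "success",
            resource="sudo /usr/sbin/useradd"),
        _ev("2024-03-01T13:11:30Z", "config_change", "admin2", "success",
            resource="/etc/ssh/sshd_config", access_kind="modify"),
    ):
        append_record(chain, ev)
    return chain


if __name__ == "__main__":
    trail = build_sample_chain()
    print("intact:", verify_chain(trail) is None)
    print("review:", review(trail))
    edited = [dict(r) for r in trail]
    edited[3]["outcome"] = "success"  # an operator "cleans up" a failed logon
    print("first bad record after edit:", verify_chain(edited))
    del edited[3]
    print("first bad record after deletion:", verify_chain(edited))
```

Two caveats a practitioner should keep in mind. First, the chain only detects changes inside the trail; cutting off the newest records leaves a trail that still verifies, so the latest MAC has to be anchored off the host (forwarded to a central collector or written to write-once storage) for truncation to show up. Second, the chain is only as strong as the key's separation from the people being audited: if the administrators whose activities are logged can read the key, they can re-chain the trail after editing it, which is exactly the division of responsibilities the policy asks for.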
Retention of log information • A formal policy should specify the minimum retention periods for log data, consistent with legal, regulatory and certification requirements, business needs, and available storage and processing capacity.
Administrator and operator logs • System administrator and system operator activities should be appropriately logged, as part of the general audit trail process.
Fault logging • Faults should be appropriately logged, analyzed and actions taken.
Clock synchronization • The clocks of all relevant information processing systems within an organization or security domain should be appropriately synchronized with an agreed-upon time source, as part of protecting the accuracy of log information.
SOURCES: ISO 27001/27002:2005 sects. 10.10.1-10.10.6 and 15.3.1-15.3.2.