LOG-4 Security Event Logging

What is this control about?

The monitoring tool must be configured to report on security events such as unusual spikes in incoming or outgoing traffic, configuration changes, privileged escalations, traffic from malicious IP addresses, etc.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them. 

Logging Tools

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • N/A – no templates recommendation

Control implementation

Install a monitoring/logging tool and configure it to look for specific, pre-defined security events (it is up to you to define which types of security events are critical to monitor in your organization):

  • Enable a threshold for alert notifications (map the type of events to be notified on and the threshold to cross for notifications)
  • Set up an alert notification (ensure the alert is sent to a team for quick response and review)
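The two steps above (map event types to thresholds, then route alerts to a team) can be sketched in code. The script below is an added illustration, not TrustCloud tooling or any vendor's product: it parses constructed sample log lines, counts the event classes the control names (traffic spikes, configuration changes, privilege escalation, traffic involving a blocklisted IP), compares each count with a per-event threshold, and hands the resulting alerts to a named on-call queue. The log format, thresholds, IP blocklist and routing table are all assumptions chosen for the example.

```python
"""Threshold-based security event alerting over sample log lines.

Added example (not TrustCloud's or any vendor's code). The log format,
thresholds, blocklist and routing table below are constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample logs: "<HH:MM> <event> key=value ..."
SAMPLE_LOGS = [
    "09:58 inbound src=198.51.100.7 path=/login",
    "09:58 inbound src=198.51.100.8 path=/",
    "09:59 config_change src=10.0.0.5 user=alice key=firewall.allow_all value=true",
    "10:00 inbound src=203.0.113.9 path=/api",
    "10:00 inbound src=203.0.113.9 path=/api",
    "10:00 inbound src=203.0.113.9 path=/api",
    "10:00 inbound src=203.0.113.9 path=/api",
    "10:00 inbound src=203.0.113.9 path=/api",
    "10:00 inbound src=198.51.100.8 path=/",
    "10:01 priv_escalation src=10.0.0.5 user=bob action=sudo_to_root",
    "10:02 outbound src=10.0.0.12 dst=192.0.2.44 bytes=4096",
    "10:02 inbound src=198.51.100.7 path=/login",
]

# Assumed thresholds: how many occurrences of each event kind (per subject)
# must be seen before an alert is raised. Config changes and privilege
# escalations alert on the first occurrence; a spike means >= 5 inbound
# requests within one minute.
THRESHOLDS = {
    "traffic_spike": 5,
    "config_change": 1,
    "priv_escalation": 1,
    "malicious_ip": 1,
}

# Assumed blocklist of known-bad addresses (documentation range, constructed).
MALICIOUS_IPS = {"192.0.2.44"}

# Assumed routing: which team receives each kind of alert.
ROUTING = {
    "traffic_spike": "network-oncall",
    "malicious_ip": "network-oncall",
    "config_change": "platform-oncall",
    "priv_escalation": "security-oncall",
}


@dataclass(frozen=True, order=True)
class Alert:
    kind: str      # event class from THRESHOLDS
    subject: str   # minute, user, or IP the alert is about
    count: int     # occurrences observed for that subject


def parse_line(line):
    """Split '<minute> <event> k=v k=v' into a dict of fields."""
    minute, event, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return {"minute": minute, "event": event, **attrs}


def detect_events(lines, thresholds=THRESHOLDS, blocklist=MALICIOUS_IPS):
    """Count security events per subject and emit alerts over threshold."""
    subject_counts = defaultdict(Counter)  # kind -> subject -> count
    for line in lines:
        r = parse_line(line)
        if r["event"] == "inbound":
            # Spike detection: inbound requests grouped by minute.
            subject_counts["traffic_spike"][r["minute"]] += 1
        elif r["event"] in ("config_change", "priv_escalation"):
            # Attribute the change/escalation to the acting user (or source IP).
            subject_counts[r["event"]][r.get("user", r["src"])] += 1
        # Any traffic whose source or destination is blocklisted.
        for ip in (r.get("src"), r.get("dst")):
            if ip in blocklist:
                subject_counts["malicious_ip"][ip] += 1

    alerts = []
    for kind, counts in subject_counts.items():
        for subject, n in counts.items():
            if n >= thresholds[kind]:
                alerts.append(Alert(kind, subject, n))
    return sorted(alerts)


def route_alerts(alerts, routing=ROUTING):
    """Group alerts by the team that should receive them."""
    queues = defaultdict(list)
    for alert in alerts:
        queues[routing[alert.kind]].append(alert)
    return dict(queues)


if __name__ == "__main__":
    for team, queue in route_alerts(detect_events(SAMPLE_LOGS)).items():
        for a in queue:
            print(f"[{team}] {a.kind}: {a.subject} (count={a.count})")
```

Raising `THRESHOLDS["traffic_spike"]` to 7 suppresses the spike alert for the 10:00 minute while leaving the other three alerts in place, which is the tuning decision the first bullet asks you to make and document; the `ROUTING` table is the evidence for the second bullet (who receives what).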

What evidence do auditors look for?

Most auditors, at a minimum, look for the suggested actions below:

  • Provide a screenshot of the monitoring tool settings showing the specific security events being monitored
  • Provide a screenshot of the alert threshold
  • Provide a screenshot showing the alert recipients

Evidence example

From the suggested action above, an example is provided below.

See screenshots provided for LOG-3. These follow the same patterns.
