MON-02.7: System-Wide / Time-Correlated Audit Trail
Automated mechanisms exist to compile audit records into an organization-wide audit trail that is time-correlated.
Control Question: Does the organization use automated mechanisms to compile audit records into an organization-wide audit trail that is time-correlated?
General (21)
| Framework | Mapping Values |
|---|---|
| CIS CSC 8.1 | 8.2 |
| CIS CSC 8.1 IG1 | 8.2 |
| CIS CSC 8.1 IG2 | 8.2 |
| CIS CSC 8.1 IG3 | 8.2 |
| CSA CCM 4 | LOG-03 |
| CSA IoT SCF 2 | MON-07 |
| GovRAMP High | AU-12(01) |
| NIST 800-53 R4 | AU-12(1) |
| NIST 800-53 R4 (high) | AU-12(1) |
| NIST 800-53 R5 (source) | AU-12(1) |
| NIST 800-53B R5 (high) (source) | AU-12(1) |
| NIST 800-82 R3 HIGH OT Overlay | AU-12(1) |
| NIST 800-171 R3 (source) | 03.03.01.a |
| PCI DSS 4.0.1 (source) | 10.6 10.6.1 10.6.2 10.6.3 |
| PCI DSS 4.0.1 SAQ A-EP (source) | 10.6.1 10.6.2 10.6.3 |
| PCI DSS 4.0.1 SAQ C (source) | 10.6.1 10.6.2 10.6.3 |
| PCI DSS 4.0.1 SAQ D Merchant (source) | 10.6.1 10.6.2 10.6.3 |
| PCI DSS 4.0.1 SAQ D Service Provider (source) | 10.6.1 10.6.2 10.6.3 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MON-02.7 |
| SCF CORE ESP Level 2 Critical Infrastructure | MON-02.7 |
| SCF CORE ESP Level 3 Advanced Threats | MON-02.7 |
US (11)
| Framework | Mapping Values |
|---|---|
| US CMS MARS-E 2.0 | AU-12(1) |
| US DoD Zero Trust Execution Roadmap | 7.1 |
| US DHS CISA SSDAF | 1.b.i 1.b.ii |
| US DHS CISA TIC 3.0 | 3.UNI.AACCO |
| US EO 14028 | 4e(i)(B) 4e(i)(B) |
| US FedRAMP R4 | AU-12(1) |
| US FedRAMP R4 (high) | AU-12(1) |
| US FedRAMP R5 (source) | AU-12(1) |
| US FedRAMP R5 (high) (source) | AU-12(1) |
| US IRS 1075 | AU-12(1) |
| US - CA CCPA 2025 | 7123(c)(7) |
EMEA (1)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia OTCC-1 2022 | 2-11-1-1 2-11-1-2 2-11-1-3 |
APAC (2)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-0988 |
| APAC New Zealand NZISM 3.6 | 16.6.11.C.02 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 3.3.1 |
| Americas Canada ITSP-10-171 | 03.03.01.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to compile audit records into an organization-wide audit trail that is time-correlated.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to compile audit records into an organization-wide audit trail that is time-correlated.
Level 2 — Planned & Tracked
Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.
- Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
- IT/cybersecurity personnel:
- A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical systems.
Level 3 — Well Defined
Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.
- An IT Asset Management (ITAM) function, or similar function:
- A Security Incident Event Manager (SIEM), or similar automated tool:
- Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
Level 4 — Quantitatively Controlled
Continuous Monitoring (MON) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
Continuous Monitoring (MON) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
- Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.
Assessment Objectives
- MON-02.7_A01 system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined.
- MON-02.7_A02 level of tolerance for the relationship between timestamps of individual records in the audit trail is defined.
- MON-02.7_A03 audit records from organization-defined system components are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance.
Technology Recommendations
Micro/Small
- Managed Security Services Provider (MSSP)
Small
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Medium
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Large
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Enterprise
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)