MON-08: Protection of Event Logs
Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.
Control Question: Does the organization protect event logs and audit tools from unauthorized access, modification and deletion?
General (35)
US (25)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | TM:SG2.SP2 |
| US CISA CPG 2022 | 2.U |
| US CJIS Security Policy 5.9.3 (source) | 5.4.5 |
| US CMMC 2.0 Level 2 (source) | AU.L2-3.3.8 |
| US CMMC 2.0 Level 3 (source) | AU.L2-3.3.8 |
| US CMS MARS-E 2.0 | AU-9 |
| US FDA 21 CFR Part 11 | 11.10 11.10(b) 11.10(c) 11.10(e) |
| US FedRAMP R4 | AU-9 |
| US FedRAMP R4 (low) | AU-9 |
| US FedRAMP R4 (moderate) | AU-9 |
| US FedRAMP R4 (high) | AU-9 |
| US FedRAMP R4 (LI-SaaS) | AU-9 |
| US FedRAMP R5 (source) | AU-9 |
| US FedRAMP R5 (low) (source) | AU-9 |
| US FedRAMP R5 (moderate) (source) | AU-9 |
| US FedRAMP R5 (high) (source) | AU-9 |
| US FedRAMP R5 (LI-SaaS) (source) | AU-9 |
| US IRS 1075 | AU-9 |
| US NISPOM 2020 | 8-602 |
| US NNPI (unclass) | 3.1 |
| US SSA EIESR 8.0 | 5.4 |
| US - CA CCPA 2025 | 7123(c)(7) |
| US - TX DIR Control Standards 2.0 | AU-9 |
| US - TX TX-RAMP Level 1 | AU-9 |
| US - TX TX-RAMP Level 2 | AU-9 |
EMEA (8)
| Framework | Mapping Values |
|---|---|
| EMEA Germany C5 2020 | OPS-16 |
| EMEA Israel CDMO 1.0 | 21.4 21.14 21.16 |
| EMEA Saudi Arabia CSCC-1 2019 | 2-3-1-8 2-11-1-5 2-11-2 |
| EMEA Saudi Arabia ECC-1 2018 | 2-12-3-5 2-14-3-3 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-3-1-10 |
| EMEA Spain CCN-STIC 825 | 7.3.10 [OP.EXP.10] |
| EMEA UK CAF 4.0 | C1.b |
| EMEA UK DEFSTAN 05-138 | 3103 |
APAC (5)
| Framework | Mapping Values |
|---|---|
| APAC Australia Essential 8 | ML2-P3 ML2-P4 ML2-P5 ML2-P7 ML3-P3 ML3-P4 ML3-P5 ML3-P7 |
| APAC Australia ISM June 2024 | ISM-0859 ISM-0991 |
| APAC India SEBI CSCRF | PR.AA.S9 |
| APAC Japan ISMAP | 12.4.2 |
| APAC New Zealand NZISM 3.6 | 16.6.13.C.01 16.6.13.C.02 16.6.13.C.03 16.6.13.C.04 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Bermuda BMACCC | 6.21 |
| Americas Canada ITSP-10-171 | 03.03.03.B 03.03.06.B 03.03.08.A |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to protect event logs and audit tools from unauthorized access, modification and deletion.
Level 1 — Performed Informally
Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/ or systems that store, processes and/ or transmit sensitive/regulated data.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
- Secure baseline configurations restrict access to event logs from privileged users to protect event logs and audit tools from unauthorized access, modification and deletion.
Level 2 — Planned & Tracked
Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.
- Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
- IT/cybersecurity personnel:
- A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical systems.
Level 3 — Well Defined
Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.
- An IT Asset Management (ITAM) function, or similar function:
- A Security Incident Event Manager (SIEM), or similar automated tool:
- Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to protect event logs and audit tools from unauthorized access, modification and deletion.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to protect event logs and audit tools from unauthorized access, modification and deletion.
Assessment Objectives
- MON-08_A01 audit records are retained for a time period consistent with the records retention policy.
- MON-08_A02 the original content of audit records is preserved.
- MON-08_A03 the original time ordering of audit records is preserved.
- MON-08_A04 audit information is protected from unauthorized access, modification, and deletion.
- MON-08_A05 access to management of audit logging functionality is authorized to only a subset of privileged users or roles.
- MON-08_A06 personnel or roles to be alerted upon detection of unauthorized access, modification or deletion of audit information is/are defined.
- MON-08_A07 organization-defined personnel or roles are alerted upon detection of unauthorized access, modification or deletion of audit information.
Technology Recommendations
Micro/Small
- Secure Baseline Configurations (SBC)
- Role Based Access Control (RBAC)
Small
- Secure Baseline Configurations (SBC)
- Role Based Access Control (RBAC)
Medium
- Secure Baseline Configurations (SBC)
- Role Based Access Control (RBAC)
Large
- Secure Baseline Configurations (SBC)
- Role Based Access Control (RBAC)
Enterprise
- Secure Baseline Configurations (SBC)
- Role Based Access Control (RBAC)