3.3.3 has a weight of -1 points
(Audit and Accountability Family) 3/9
Review and update logged events.
Example of System Security Plan (SSP):
Control 3.3.3 – Review and Update Logged Events
Implementation:
- System Integration: The SIEM tool is deployed across all company endpoints, including Azure AD and Microsoft GCC.
- Change Control Board (CCB): The CCB meets quarterly to discuss all security-related concerns within the organization. The CCB’s responsibilities encompass:
  - Approving system alterations or upgrades that influence information security.
  - Setting and refining criteria for monitorable events.
  - Recording changes made to the audit criteria.
- Review Schedule: The company adheres to a structured review timeline for logged events. Reviews take place quarterly, semi-annually, or annually, contingent upon the associated criticality and risk of particular event types.
  - Quarterly Review (prioritized due to high criticality or risk):
    - Failed Login Attempts: Multiple unsuccessful attempts could signal a brute-force attempt or unauthorized access.
    - Changes to User Privileges: Unjustified elevation in user rights might pose significant security threats.
    - Configuration Changes in Critical Systems: Alterations to essential system configurations can jeopardize security and operational consistency.
    - Unusual Data Transfers: Bulky or atypical data transfers, notably those leaving the company, could indicate data breaches or exfiltration.
    - Security Patch Failures: A system becomes susceptible if a crucial security patch isn’t successfully installed.
  - Semi-Annual Review (moderate frequency, pertaining to medium criticality events):
    - Inactive User Accounts: Idle accounts are potential security hazards, especially if they retain access to crucial resources.
    - Software Installation Logs: Supervising software installations can pinpoint unauthorized or malicious software.
    - Database Access Logs: Periodic assessments can detect anomalous or unauthorized access trends.
    - VPN Access Logs: Monitoring access points and timings can reveal potential unsanctioned entries.
  - Annual Review (less frequent, targeting events of reduced immediate criticality but still vital for extended tracking):
    - User Training and Awareness Logs: Confirm completion of obligatory cybersecurity training for all employees.
    - Hardware Inventory Changes: Continuously account for all physical devices to ensure none are missing.
    - Routine System Performance Logs: Useful in discerning persistent performance patterns or emerging inefficiencies.
    - Backup and Restoration Logs: Validate that backups occur at scheduled intervals and that restoration trials are conducted regularly.
- Incident Analysis: All logged events undergo thorough examination to gauge their value in incident response and forensic investigations, ensuring events provide ample data for in-depth analysis and problem-solving.
- Documentation: Any modifications to the logged events, whether additions, removals, or other changes, are diligently recorded in our ticketing system.
- Implementation Solutions:
  - A SOC solution oversees and audits security logs.
  - Endpoint management is executed via a specialized solution, promising complete device coverage.
- Regular Reviews: Events and incidents are deliberated during the quarterly risk management meetings. Real-time event monitoring is orchestrated by both IT and facility technical systems, along with the ticketing system, assuring prompt reactions and interventions as scenarios unfold.
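The tiered review schedule and the documentation requirement above are easy to lose track of once the list of logged event types grows. As an added example (not code from the page's SSP, the SIEM, or any vendor's API), the Python below keeps a catalog of logged event types with the SSP's three cadences (quarterly, semi-annual, annual), reports which event types are overdue for review or coming due before the next CCB meeting, and writes every addition, removal, or review to a change record that stands in for the ticketing system. Event names mirror the SSP's tiers; all dates and ticket ids are constructed sample data.

```python
"""Review-cadence tracker for a logged-event catalog (added example).

Illustrative code written for this page; not the SIEM's or any vendor's
API. Dates and ticket ids are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review cadence per criticality tier as laid out in the SSP text:
# quarterly (high), semi-annual (medium), annual (low).
CADENCE_DAYS = {"high": 91, "medium": 182, "low": 365}


def _as_date(value) -> date:
    """Accept either a date or an ISO-8601 string such as '2024-07-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class LoggedEvent:
    """One entry in the list of event types the organization logs."""
    name: str
    criticality: str          # "high", "medium" or "low"
    last_reviewed: date

    def next_review_due(self) -> date:
        return self.last_reviewed + timedelta(days=CADENCE_DAYS[self.criticality])


@dataclass
class EventCatalog:
    """The logged-event list plus the change record the control requires.
    `change_log` stands in for the ticketing system named in the SSP."""
    events: dict = field(default_factory=dict)
    change_log: list = field(default_factory=list)

    def _record(self, action: str, name: str, ticket: str, when: date) -> None:
        self.change_log.append({"date": when.isoformat(), "action": action,
                                "event": name, "ticket": ticket})

    def add(self, name: str, criticality: str, last_reviewed, ticket: str, when) -> None:
        if criticality not in CADENCE_DAYS:
            raise ValueError(f"unknown criticality tier: {criticality}")
        self.events[name] = LoggedEvent(name, criticality, _as_date(last_reviewed))
        self._record("added", name, ticket, _as_date(when))

    def remove(self, name: str, ticket: str, when) -> None:
        # Dropping an event type from the logged set is itself a change the
        # control expects to be documented, so it goes through the same record.
        del self.events[name]
        self._record("removed", name, ticket, _as_date(when))

    def mark_reviewed(self, name: str, ticket: str, when) -> None:
        self.events[name].last_reviewed = _as_date(when)
        self._record("reviewed", name, ticket, _as_date(when))

    def overdue(self, today) -> list[str]:
        """Event types whose review window has lapsed, most overdue first."""
        today = _as_date(today)
        late = sorted((e for e in self.events.values() if e.next_review_due() < today),
                      key=lambda e: e.next_review_due())
        return [e.name for e in late]

    def due_within(self, today, days: int) -> list[str]:
        """Event types coming due in the next `days` days, for the CCB agenda."""
        today = _as_date(today)
        horizon = today + timedelta(days=days)
        return sorted(e.name for e in self.events.values()
                      if today <= e.next_review_due() <= horizon)


def build_sample_catalog() -> EventCatalog:
    """Constructed sample catalog: names mirror the SSP tiers; dates and
    ticket ids are invented for this example."""
    cat = EventCatalog()
    cat.add("Failed Login Attempts", "high", "2024-01-15", "TKT-1001", "2024-01-15")
    cat.add("Changes to User Privileges", "high", "2024-05-10", "TKT-1002", "2024-05-10")
    cat.add("Inactive User Accounts", "medium", "2023-11-01", "TKT-1003", "2023-11-01")
    cat.add("Backup and Restoration Logs", "low", "2024-02-01", "TKT-1004", "2024-02-01")
    return cat


if __name__ == "__main__":
    catalog = build_sample_catalog()
    print("overdue on 2024-07-01:", catalog.overdue("2024-07-01"))
    print("due in next 45 days:", catalog.due_within("2024-07-01", 45))
    catalog.mark_reviewed("Failed Login Attempts", "TKT-2001", "2024-07-01")
    print("after review:", catalog.overdue("2024-07-01"))
    for entry in catalog.change_log:
        print(entry)
```

The cadence is keyed on criticality rather than on the event name, so moving an event type between tiers (a CCB decision) only changes one field, and the change record captures removals as well as additions, which is the part assessors most often find missing when an event type has quietly been dropped from logging.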
Example of Plan of Action and Milestones (POA&M):
Plan of Action and Milestones (POA&M)
Control 3.3.3 – Review and Update Logged Events
Milestone 1: Integration & Deployment
- Action: Ensure the SIEM tool is integrated across all company endpoints.
- Responsible Party: IT Department
- Due Date: [Enter Date]
Milestone 2: Change Control Process
- Action: Hold quarterly CCB meetings to deliberate security-related matters.
  - Approve relevant system changes.
  - Define and refine monitorable event criteria.
  - Document audit criteria changes.
- Responsible Party: Change Control Board (CCB)
- Due Date: Quarterly
Milestone 3: Review Schedule Adherence
- Action: Conduct a systematic review of logged events.
  - Quarterly: Review events of high criticality/risk.
  - Semi-Annually: Assess medium criticality/risk events.
  - Annually: Examine events of low immediate criticality.
- Responsible Party: IT Security Team
- Due Date: As per event criticality
RELEVANT INFORMATION:
The intent of this requirement is to periodically reevaluate which logged events will continue to be included in the list of events to be logged. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types periodically is necessary to ensure that the current set remains necessary and sufficient.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover the consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.