📡Logging and Monitoring
🧭 Planning:
Assessed system logging and security event monitoring practices for critical applications and infrastructure components. The control was reviewed as part of a security-focused ITGC audit, emphasizing proactive detection and incident response.
🎯 Objectives:
- Verify system and security logs are generated, stored, and reviewed
- Assess the effectiveness of log retention and integrity controls
- Evaluate incident alerting, escalation, and investigation workflows
- Confirm coverage of key systems by Security Information and Event Management (SIEM)
📌 Procedures:
- Reviewed logging configuration on selected systems (AD, ERP, firewall)
- Verified integration with SIEM for real-time monitoring
- Assessed log retention policies and backup of critical logs
- Examined incident tickets triggered by alerting mechanisms
- Tested access restrictions to sensitive logs
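The SIEM coverage, retention and escalation checks from the procedures above, written out as an added example (not part of the original working papers or of any Splunk tooling): a Python script that reconciles a critical-asset inventory against the SIEM's per-host last-event times, compares index retention against the 12-month minimum, and reconciles high-priority alerts with incident tickets. The host names, index names, alert and ticket IDs, and the timestamp snapshot are constructed for illustration; the retention values are modelled on Splunk's `frozenTimePeriodInSecs` setting in `indexes.conf`, and the last-seen table on what `| metadata type=hosts` reports.

```python
"""Added example: automated evidence checks for SIEM coverage, log retention
and alert escalation. Hosts, indexes, alert IDs and timestamps are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory of in-scope critical systems (hypothetical names).
CRITICAL_ASSETS = [
    ("dc01", "AD"),
    ("erp-app01", "ERP"),
    ("erp-db01", "ERP"),
    ("fw-edge01", "firewall"),
]

# Constructed snapshot of the SIEM's per-host last-event time, in the shape
# Splunk returns from `| metadata type=hosts` (host, lastTime).
SIEM_HOST_LAST_SEEN = {
    "dc01": "2024-03-01T08:55:00Z",
    "erp-db01": "2024-03-01T08:50:00Z",
    "fw-edge01": "2024-02-20T02:10:00Z",  # stale: forwarder stopped sending
    # erp-app01 is absent: the host has never reported to the SIEM
}

# Constructed index retention, modelled on Splunk indexes.conf
# frozenTimePeriodInSecs (age in seconds after which events are frozen).
INDEX_RETENTION_SECS = {
    "wineventlog": 31536000,  # 365 days
    "erp": 7776000,           # 90 days
    "firewall": 15552000,     # 180 days
}
REQUIRED_RETENTION_DAYS = 365  # the 12-month minimum in the policy

# Constructed alert and ticket records for the escalation reconciliation.
ALERTS = [
    {"id": "A-1", "severity": "high"},
    {"id": "A-2", "severity": "medium"},
    {"id": "A-3", "severity": "high"},
    {"id": "A-4", "severity": "high"},
]
TICKETS = {"T-100": "A-1", "T-101": "A-2"}  # ticket id -> alert id


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def coverage_gaps(assets, last_seen, now, max_silence=timedelta(hours=24)):
    """Return {host: reason} for critical assets absent from the SIEM or
    silent for longer than max_silence. Absence and staleness are reported
    separately because they have different root causes (never onboarded vs.
    a broken forwarder)."""
    gaps = {}
    for host, system in assets:
        ts = last_seen.get(host)
        if ts is None:
            gaps[host] = f"{system}: no events in SIEM"
        elif now - parse_ts(ts) > max_silence:
            gaps[host] = f"{system}: last event {ts}, silent > {max_silence}"
    return gaps


def retention_shortfalls(retention_secs, required_days=REQUIRED_RETENTION_DAYS):
    """Return {index: configured_days} for indexes kept shorter than required."""
    return {
        idx: secs // 86400
        for idx, secs in retention_secs.items()
        if secs < required_days * 86400
    }


def unescalated_high_alerts(alerts, tickets):
    """Return ids of high-severity alerts with no incident ticket referencing them."""
    ticketed = set(tickets.values())
    return [a["id"] for a in alerts if a["severity"] == "high" and a["id"] not in ticketed]


if __name__ == "__main__":
    now = parse_ts("2024-03-01T09:00:00Z")  # audit snapshot time (constructed)
    for host, reason in coverage_gaps(CRITICAL_ASSETS, SIEM_HOST_LAST_SEEN, now).items():
        print(f"COVERAGE   {host}: {reason}")
    for idx, days in retention_shortfalls(INDEX_RETENTION_SECS).items():
        print(f"RETENTION  {idx}: {days} days configured, {REQUIRED_RETENTION_DAYS} required")
    for alert_id in unescalated_high_alerts(ALERTS, TICKETS):
        print(f"ESCALATION {alert_id}: high-severity alert without ticket")
```

In practice the inventory would come from the CMDB export, the last-seen table from a scheduled SIEM search, and the retention table from the exported index configuration; the 24-hour silence window is an assumption and should be set per log source (a firewall that goes quiet for an hour is already a finding).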
📑 Working Papers:
- WP-ITGC-LM001: Logging and monitoring control analysis
- System log configurations, SIEM dashboards, incident reports
📊 Findings:
- ❗ Key application server logs were not forwarded to the SIEM
- ❗ Retention period for security logs did not meet the 12-month minimum requirement
- ⚠️ No documented procedures for log review by system owners
- ⚠️ Two high-priority alerts were not escalated due to misconfigured thresholds
🧰 Tools Used:
SIEM (Splunk), system event logs, ticketing system, security policy documentation
✅ Recommendations:
- Ensure all critical servers and applications forward logs to the SIEM, and alert when an onboarded source stops sending events
- Update log retention settings to meet policy and regulatory expectations
- Define and assign log review responsibilities to appropriate owners
- Tune alert thresholds and validate them with test events so that high-priority alerts reliably escalate
- Implement regular audits of log access and configuration changes