Logging and Monitoring
Planning:
Assessed system logging and security event monitoring practices for critical applications and infrastructure components. The control was reviewed as part of a security-focused ITGC audit, emphasizing proactive detection and incident response.
Objectives:
- Verify system and security logs are generated, stored, and reviewed
- Assess the effectiveness of log retention and integrity controls
- Evaluate incident alerting, escalation, and investigation workflows
- Confirm coverage of key systems by Security Information and Event Management (SIEM)
Procedures:
- Reviewed logging configuration on selected systems (AD, ERP, firewall)
- Verified integration with SIEM for real-time monitoring
- Assessed log retention policies and backup of critical logs
- Examined incident tickets triggered by alerting mechanisms
- Tested access restrictions to sensitive logs
Working Papers:
- WP-ITGC-LM001: Logging and monitoring control analysis
- System log configurations, SIEM dashboards, incident reports
Findings:
- ❌ Key application server logs were not forwarded to the SIEM
- ❌ Retention policy for security logs did not meet the 12-month minimum requirement
- ⚠️ No documented procedures for log review by system owners
- ⚠️ Two high-priority alerts were not escalated due to misconfigured thresholds
Tools Used:
SIEM (Splunk), system event logs, ticketing system, security policy documentation
Recommendations:
- Ensure all critical servers and applications are connected to the SIEM
- Update log retention settings to meet policy and regulatory expectations
- Define and assign log review responsibilities to appropriate owners
- Tune alert thresholds to reduce false negatives and missed escalations
- Implement regular audits of log access and configuration changes
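As an added illustration (not part of the working paper), the following Python check turns the first two findings into a repeatable test: it compares a critical-asset inventory against the SIEM's log-source list to find hosts that are missing or have gone silent, and flags any index whose retention is below the 12-month minimum. The host names, index names, retention values and the 24-hour silence window are constructed assumptions, not values from the audit.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the audit): a critical-asset inventory,
# the SIEM's log-source list with last-event times, and per-index retention.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

CRITICAL_ASSETS = ["dc01", "erp-app01", "erp-db01", "fw-edge01"]

SIEM_SOURCES = {  # host -> time of the last event the SIEM received from it
    "dc01": NOW - timedelta(minutes=5),
    "erp-db01": NOW - timedelta(hours=1),
    "fw-edge01": NOW - timedelta(minutes=1),
    "erp-app01": NOW - timedelta(days=9),  # forwarder stopped sending
}

RETENTION_DAYS = {"wineventlog": 365, "erp_audit": 90, "firewall": 400}

MIN_RETENTION_DAYS = 365           # the 12-month policy minimum
MAX_SILENCE = timedelta(hours=24)  # assumed: a critical source silent longer is a gap


def coverage_gaps(assets, sources, now=NOW, max_silence=MAX_SILENCE):
    """Return {host: reason} for critical assets not actively feeding the SIEM."""
    gaps = {}
    for host in assets:
        last = sources.get(host)
        if last is None:
            gaps[host] = "no log source configured in SIEM"
        elif now - last > max_silence:
            gaps[host] = f"last event {(now - last).days}d ago (forwarder stalled?)"
    return gaps


def retention_shortfalls(retention, minimum=MIN_RETENTION_DAYS):
    """Return {index: configured_days} for indexes kept shorter than the policy minimum."""
    return {idx: days for idx, days in retention.items() if days < minimum}


if __name__ == "__main__":
    for host, why in coverage_gaps(CRITICAL_ASSETS, SIEM_SOURCES).items():
        print(f"COVERAGE GAP  {host}: {why}")
    for idx, days in retention_shortfalls(RETENTION_DAYS).items():
        print(f"RETENTION     {idx}: {days}d < {MIN_RETENTION_DAYS}d minimum")
```

Running the same two checks on a schedule, with the inventory pulled from the CMDB and the source list from the SIEM, gives the recurring audit the last recommendation calls for.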