T3.6.3 - P1 - MONITORING SYSTEM USE
The level of monitoring required for individual systems should be determined by a risk assessment. An entity should comply with all relevant legal requirements applicable to its monitoring activities. Areas that should be considered include:
A. Authorized access, including detail such as:
- The user ID
- The date and time of key events
- The types of events
- The files accessed
- The program/utilities used
B. All privileged operations, such as:
- Use of privileged accounts, e.g. supervisor, root, administrator
- System start-up and stop
- I/O device attachment/detachment
- Creating, deleting and granting privileges
C. Unauthorized access attempts, such as:
- Failed or rejected user actions
- Failed or rejected actions involving data and other resources
- Access policy violations and notifications for network gateways and firewalls
- Alerts from proprietary intrusion detection systems
D. System alerts or failures, such as:
- Console alerts or messages
- System log exceptions
- Network management alarms
- Alarms raised by the access control system
E. Database activities, such as:
- Use of privileged accounts
- Backup/restore operations
- Failed or rejected user actions
F. Changes to, or attempts to change, system security settings and controls.
How often the results of monitoring activities are reviewed should depend on the risks involved. Risk factors that should be considered include the:
A. Criticality of the application processes
B. Value, sensitivity, and criticality of the information involved
C. Past experience of system infiltration and misuse, and the frequency of vulnerabilities being exploited
D. Extent of system interconnection (particularly public networks)
E. Logging facility being de-activated
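To make the two lists above concrete, here is an added example in Python (it is not part of this page or of any standard's text): a small classifier that tags constructed Linux auth.log/syslog lines with the monitoring areas A to F listed above, and flags a de-activated logging facility separately, since that risk factor argues directly for a more frequent review of the affected system's logs. The sample lines, the regular expressions, the category labels and the failed-access threshold are all assumptions for illustration; a real deployment would drive this from its own log sources and rule set.

```python
import re
from collections import Counter

# Constructed sample lines in Linux auth.log/syslog style (not from a real system).
SAMPLE_LOG = """\
Mar 10 09:12:01 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar 10 09:12:44 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m bob
Mar 10 09:13:02 host1 sshd[1208]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar 10 09:13:10 host1 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar 10 09:14:00 host1 systemd[1]: Stopped System Logging Service.
Mar 10 09:14:05 host1 auditd[455]: The audit daemon is exiting.
Mar 10 09:15:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/setenforce 0
Mar 10 09:16:00 host1 kernel: EXT4-fs error (device sda1): ext4_find_entry:1455: inode #2: comm ls: reading directory lblock 0
Mar 10 09:17:12 host1 su[1300]: FAILED SU (to root) alice on pts/0
Mar 10 09:18:00 host1 systemd[1]: Starting Reboot...
Mar 10 09:18:01 host1 cron[900]: (bob) CMD (/usr/bin/backup.sh)
"""

# Illustrative rules (assumed, not a standard rule set). Order matters: the first
# matching rule wins, so the more specific and more serious patterns come first.
RULES = [
    # Loss of the logging facility itself is checked first: it hides everything after it.
    ("LOG-OFF", "logging facility de-activated",
     re.compile(r"Stopped System Logging Service|audit daemon is exiting|rsyslogd.*exiting")),
    # F: changes (or attempted changes) to security settings and controls, run via sudo.
    ("F", "change to security settings/controls",
     re.compile(r"COMMAND=\S*/(setenforce|iptables|nft|ufw|auditctl|visudo)\b")),
    # B: privileged operations.
    ("B", "privilege/account creation or grant",
     re.compile(r"COMMAND=\S*/(useradd|usermod|userdel|gpasswd|passwd)\b")),
    ("B", "use of privileged account",
     re.compile(r"\bsudo:|Accepted \w+ for root\b|session opened for user root\b")),
    ("B", "system start-up/stop",
     re.compile(r"systemd\[1\]: (Starting (Reboot|Power-Off|Halt)|Startup finished)")),
    ("B", "I/O device attachment/detachment",
     re.compile(r"kernel: usb \S+: (new .* device|USB disconnect)")),
    # C: unauthorized access attempts.
    ("C", "failed or rejected user action",
     re.compile(r"Failed password|FAILED SU|authentication failure|invalid user", re.IGNORECASE)),
    # D: system alerts or failures.
    ("D", "system log exception / console alert",
     re.compile(r"kernel: .*\berror\b|segfault|Out of memory|I/O error")),
    # A: successful, authorized access (kept last so privileged logins land in B).
    ("A", "authorized access",
     re.compile(r"Accepted (password|publickey) for \w+")),
]


def classify(line: str):
    """Return (category, description) for the first matching rule, or None if no rule fits."""
    for category, description, pattern in RULES:
        if pattern.search(line):
            return category, description
    return None


def triage(log_text: str, failed_access_threshold: int = 5):
    """Tag every line, count hits per category and decide whether review should be escalated.

    Escalation here follows two of the page's risk factors: the logging facility being
    de-activated, or a burst of rejected access attempts (threshold is an assumed value).
    """
    counts = Counter()
    findings = []      # (category, description, line) for every classified line
    unclassified = []  # lines no rule covered: worth a look when tuning the rule set
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = classify(line)
        if hit is None:
            unclassified.append(line)
            counts["unclassified"] += 1
            continue
        category, description = hit
        counts[category] += 1
        findings.append((category, description, line))
    escalate = counts["LOG-OFF"] > 0 or counts["C"] >= failed_access_threshold
    return {
        "counts": dict(counts),
        "findings": findings,
        "unclassified": unclassified,
        "escalate_review": escalate,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for category, description, line in report["findings"]:
        print(f"[{category}] {description}: {line[:72]}")
    print("counts:", report["counts"])
    print("unclassified:", len(report["unclassified"]))
    print("escalate review:", report["escalate_review"])
```

Running it on the constructed sample tags the key-based login as A, the `useradd`, USB attach and reboot lines as B, the failed SSH and `su` attempts as C, the filesystem error as D, the `setenforce 0` command as F, and the two lines that stop syslog and auditd as a de-activated logging facility, which is enough on its own to set `escalate_review`. The cron line stays unclassified, which is the signal to extend the rule set rather than to ignore the line.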