Access logging and audit
Demonstrate that all critical systems and applications generate, protect, retain, and review access logs capturing authentication events, authorization decisions, and resource access activities with sufficient detail to support security investigations and accountability.
Description
What this control does
Access logging and audit controls ensure that all access attempts, successful or failed, to systems, applications, and data are captured in tamper-evident logs with sufficient detail to identify who accessed what, when, from where, and what actions were performed. These logs must include timestamps synchronized to a reliable time source, user or process identifiers, source addresses, resource identifiers, and the outcome of each access attempt. Comprehensive access logging enables security monitoring, forensic investigation, compliance validation, and accountability enforcement across the IT environment.
Control objective
What auditing this proves
Demonstrate that all critical systems and applications generate, protect, retain, and review access logs capturing authentication events, authorization decisions, and resource access activities with sufficient detail to support security investigations and accountability.
Associated risks
Risks this control addresses
- Unauthorized access goes undetected because no audit trail exists to identify intrusion attempts or successful breaches
- Insider threats cannot be investigated or prosecuted due to insufficient logging of privileged user activities
- Compliance violations occur when regulatory requirements for access logging and retention are not met
- Attackers modify or delete audit logs to cover their tracks after compromising systems lacking log integrity protections
- Security incidents cannot be reconstructed or root-caused because logs lack sufficient detail about user actions and system changes
- Failed authentication attempts indicating brute-force or credential-stuffing attacks are not logged or analyzed
- Excessive retention costs and privacy violations result from logging unnecessary sensitive data without proper log content filtering
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's access logging policy and standards document identifying which systems, applications, and data categories require audit logging
- Select a representative sample of in-scope systems spanning infrastructure (servers, network devices), applications (databases, web applications, SaaS platforms), and security controls (firewalls, IAM systems)
- Review the logging configuration for each sampled system to verify that successful and failed authentication events, authorization decisions, and data access operations are captured
- Examine sample log entries from each system to confirm the presence of the required fields, including timestamp, user identifier, source IP or hostname, target resource, action performed, and outcome status
- Verify that log timestamps are synchronized to a centralized authoritative time source (NTP server) by comparing log timestamps across multiple systems
- Test log integrity protections by attempting to modify or delete archived logs and confirming that write-once storage, cryptographic signing, or centralized log forwarding prevents tampering
- Review log retention schedules and verify that logs are retained for the period specified by policy, regulatory requirements, or contractual obligations through examination of archived logs
- Interview security operations or compliance personnel to confirm that access logs are periodically reviewed for anomalies and that documented evidence of log review activities exists for the audit period
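The following is an added illustration, not part of this control text or any particular product, of how the field-completeness, clock-synchronisation and log-integrity checks in the procedure above (and the field list under "What this control does") can be scripted over an exported log sample. It assumes a JSON-lines export in which each record carries the source system's own timestamp (`ts`) and the central collector's receipt time (`rx`), and it uses a SHA-256 hash chain as a stand-in for whatever tamper-evidence mechanism (write-once storage, signing, forwarding) the audited environment actually uses; the field names, the 5-second skew tolerance and the sample records are all constructed for the example.

```python
"""Auditor-side checks over an exported access-log sample (added example)."""
import hashlib
import json
from datetime import datetime

# Fields the control requires in every record (names are an assumption).
REQUIRED_FIELDS = ("ts", "host", "user", "src", "resource", "action", "outcome")
MAX_SKEW_SECONDS = 5.0       # tolerance for source clock vs. collector clock (assumed)
GENESIS = "0" * 64           # starting link of the hash chain

# Constructed sample export, not from a real system. 'ts' is the source
# system's clock, 'rx' is the collector's receipt time.
SAMPLE_LINES = [
    '{"ts":"2024-03-01T10:00:00Z","rx":"2024-03-01T10:00:01Z","host":"web01",'
    '"user":"alice","src":"10.0.0.5","resource":"/admin","action":"login","outcome":"success"}',
    # failed login with no source address recorded -> incomplete record
    '{"ts":"2024-03-01T10:00:02Z","rx":"2024-03-01T10:00:02Z","host":"web01",'
    '"user":"bob","resource":"/admin","action":"login","outcome":"failure"}',
    # db01's clock is 93 s behind the collector -> not NTP-synchronised
    '{"ts":"2024-03-01T09:58:30Z","rx":"2024-03-01T10:00:03Z","host":"db01",'
    '"user":"svc_report","src":"10.0.0.9","resource":"customers","action":"SELECT","outcome":"success"}',
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def missing_fields(record):
    """Required fields that are absent or empty in one record."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in ("", None)]


def clock_skew_by_host(records):
    """Largest |rx - ts| observed per host; hosts above the tolerance are unsynced."""
    skew = {}
    for r in records:
        if all(k in r for k in ("ts", "rx", "host")):
            delta = abs((parse_ts(r["rx"]) - parse_ts(r["ts"])).total_seconds())
            skew[r["host"]] = max(skew.get(r["host"], 0.0), delta)
    return skew


def chain_digest(prev, record):
    """SHA-256 over the previous link plus the canonical JSON of the record body."""
    body = {k: v for k, v in record.items() if k != "chain"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + canon).encode("utf-8")).hexdigest()


def seal(records):
    """Attach a 'chain' link to each record so every record commits to its predecessor."""
    prev, sealed = GENESIS, []
    for r in records:
        r = dict(r)
        prev = r["chain"] = chain_digest(prev, r)
        sealed.append(r)
    return sealed


def first_broken_link(records):
    """Index of the first record whose chain link does not verify, or None if intact."""
    prev = GENESIS
    for i, r in enumerate(records):
        if r.get("chain") != chain_digest(prev, r):
            return i
        prev = r["chain"]
    return None


def audit(lines):
    """Field-completeness and clock-sync findings for a JSON-lines export."""
    records = [json.loads(line) for line in lines]
    incomplete = {}
    for i, r in enumerate(records):
        gaps = missing_fields(r)
        if gaps:
            incomplete[i] = gaps
    skew = clock_skew_by_host(records)
    unsynced = sorted(h for h, s in skew.items() if s > MAX_SKEW_SECONDS)
    return {"incomplete": incomplete, "unsynced_hosts": unsynced}


def tamper_demo():
    """Show that editing or deleting an archived record is detected by the chain.

    Returns (intact, after_edit, after_delete): the first broken index in each case.
    """
    sealed = seal(json.loads(line) for line in SAMPLE_LINES)
    intact = first_broken_link(sealed)
    edited = [dict(r) for r in sealed]
    edited[1]["outcome"] = "success"          # rewrite a failed login as a success
    deleted = [dict(r) for r in sealed]
    del deleted[1]                            # drop the failed login entirely
    return intact, first_broken_link(edited), first_broken_link(deleted)


if __name__ == "__main__":
    print(audit(SAMPLE_LINES))
    print(tamper_demo())
```

`audit` reports the record lacking a source address and the host whose clock disagrees with the collector; `tamper_demo` shows that both an in-place edit and a deletion surface as a broken link at the point of tampering, which is the property the integrity test in the procedure is looking for regardless of the mechanism that provides it.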