Telemetry + audit: who used what, when
Demonstrate that all access to critical systems and sensitive data is logged with sufficient detail to establish accountability, support incident response, and detect unauthorized activity through complete attribution of actions to individual users.
Description
What this control does
This control requires the implementation of comprehensive logging and auditing mechanisms that capture user access to sensitive systems, data, and applications, recording the identity of the user (who), the resource accessed or action performed (what), and the timestamp (when). Telemetry data is centrally collected, retained for a defined period, and protected from unauthorized modification or deletion. This enables forensic investigation, compliance reporting, and detection of anomalous or unauthorized activities across the enterprise environment.
Control objective
What auditing this proves
Demonstrate that all access to critical systems and sensitive data is logged with sufficient detail to establish accountability, support incident response, and detect unauthorized activity through complete attribution of actions to individual users.
Associated risks
Risks this control addresses
- Insider threats performing unauthorized data exfiltration without detection due to insufficient activity logging
- Compromised accounts being used to move laterally across systems with no audit trail from which abnormal behavior patterns could be detected
- Inability to perform root cause analysis following a security incident due to missing or incomplete access logs
- Regulatory non-compliance resulting from failure to demonstrate who accessed protected data during audit periods
- Privileged users abusing administrative access without accountability mechanisms to deter or detect misuse
- Log tampering or deletion by attackers to cover tracks after compromise, eliminating forensic evidence
- Delayed breach detection because, without centralized telemetry, suspicious access patterns cannot be correlated across systems
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's logging and audit policy, including scope of systems covered, data retention requirements, and log protection mechanisms
- Inventory all critical systems, applications, and data repositories to establish the universe of resources requiring audit logging
- Select a representative sample of systems from the inventory spanning different technology types (databases, cloud services, network devices, privileged access management tools)
- Examine logging configurations for each sampled system to verify that every record identifies the user, captures the resource and action, and carries an accurate timestamp with timezone information from a synchronized clock source
- Review access to the logging infrastructure itself to confirm segregation of duties and protection against unauthorized modification or deletion
- Request and analyze sample audit logs from the past 30 days, verifying the presence of who/what/when fields and confirming the logs are forwarded to a centralized SIEM or log management platform
- Test log integrity by checking for gaps in sequence numbers or timestamps, and by confirming that known access events (for example, the auditor's own test logins or ticketed changes) appear in the logs for the period in which they occurred
- Validate log retention by confirming availability of historical logs meeting regulatory or policy-defined retention periods and verify backup/archive procedures
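The following script is an added worked example of the log-sample review and integrity steps above; it is not part of the control text or of any particular product. It runs four checks over a constructed sample of newline-delimited JSON audit events: presence of the who/what/when fields, timezone-qualified timestamps, gaps in exporter sequence numbers, and reconciliation of known accesses (the auditor's test actions) against the log. The field names (seq, ts, user, action, resource), the sample events and the 5-minute matching window are assumptions; map them to the exporter of the system under review.

```python
"""Audit-log completeness checks for the who/what/when control (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample (not real data): one JSON event per line, as a database
# audit exporter might emit. It deliberately contains three defects an auditor
# should catch: seq 3 is missing, seq 5 has a timestamp without timezone, and
# seq 6 has no user field (an unattributable DELETE).
SAMPLE_LOG = """\
{"seq": 1, "ts": "2024-05-01T09:00:00+00:00", "user": "alice", "action": "SELECT", "resource": "db.customers"}
{"seq": 2, "ts": "2024-05-01T09:05:00+00:00", "user": "bob", "action": "UPDATE", "resource": "db.payroll"}
{"seq": 4, "ts": "2024-05-01T09:20:00+00:00", "user": "alice", "action": "EXPORT", "resource": "db.customers"}
{"seq": 5, "ts": "2024-05-01T09:25:00", "user": "carol", "action": "SELECT", "resource": "db.hr"}
{"seq": 6, "ts": "2024-05-01T09:30:00+00:00", "action": "DELETE", "resource": "db.payroll"}
"""

# Assumed field names: who = user, what = action + resource, when = ts.
REQUIRED_FIELDS = ("user", "action", "resource", "ts")
WINDOW = timedelta(minutes=5)  # assumed tolerance when matching a known access to an event

# Known accesses the auditor performed or has tickets for: (user, resource, time).
# The first is in the log; the second (dave reading db.hr at 09:15Z) is not.
KNOWN_ACCESSES = [
    ("bob", "db.payroll", datetime(2024, 5, 1, 9, 5, tzinfo=timezone.utc)),
    ("dave", "db.hr", datetime(2024, 5, 1, 9, 15, tzinfo=timezone.utc)),
]


def parse_events(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def aware_timestamp(event):
    """Return the event time as a timezone-aware datetime, or None when the
    timestamp is missing, unparseable or naive (a naive time cannot be placed
    on a shared timeline, so it cannot support attribution or correlation)."""
    try:
        ts = datetime.fromisoformat(event["ts"])
    except (KeyError, TypeError, ValueError):
        return None
    return ts if ts.tzinfo is not None else None


def check_fields(events):
    """Return (seq, [missing fields]) for every event lacking a who/what/when field."""
    findings = []
    for ev in events:
        missing = [f for f in REQUIRED_FIELDS if not ev.get(f)]
        if missing:
            findings.append((ev.get("seq"), missing))
    return findings


def check_timestamps(events):
    """Return the seq of every event whose timestamp is absent, invalid or lacks a timezone."""
    return [ev.get("seq") for ev in events if aware_timestamp(ev) is None]


def find_sequence_gaps(events):
    """Return (first_missing_seq, next_observed_seq) for each jump in exporter sequence numbers.
    A gap means events were dropped in transit or deleted, and must be explained."""
    seqs = sorted(ev["seq"] for ev in events if isinstance(ev.get("seq"), int))
    return [(prev + 1, cur) for prev, cur in zip(seqs, seqs[1:]) if cur != prev + 1]


def missing_known_events(events, known_accesses, window=WINDOW):
    """Return known accesses with no matching event (same user and resource,
    timezone-aware timestamp within the window). An unmatched access is a logging gap."""
    missing = []
    for user, resource, when in known_accesses:
        hit = any(
            ev.get("user") == user
            and ev.get("resource") == resource
            and aware_timestamp(ev) is not None
            and abs(aware_timestamp(ev) - when) <= window
            for ev in events
        )
        if not hit:
            missing.append((user, resource, when))
    return missing


def audit_report(text, known_accesses):
    """Run all four checks over a log sample and return the findings by check."""
    events = parse_events(text)
    return {
        "incomplete_fields": check_fields(events),
        "bad_timestamps": check_timestamps(events),
        "sequence_gaps": find_sequence_gaps(events),
        "unlogged_known_accesses": missing_known_events(events, known_accesses),
    }


if __name__ == "__main__":
    for check, findings in audit_report(SAMPLE_LOG, KNOWN_ACCESSES).items():
        print(f"{check}: {findings}")
```

In a real review, point `parse_events` at the exported sample for each system in scope and populate `KNOWN_ACCESSES` from the test actions performed during fieldwork; any non-empty finding list is an exception to document and trace back to a root cause (exporter configuration, clock or timezone setup, transport loss, or deliberate deletion).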
Where this control is tested