13.2.3 Collection of Evidence

Managing problems and incidents addresses how an organization identifies, documents, and responds to events that fall outside of normal operations. Organizations must maintain a complete and accurate audit trail for network devices, servers, and applications. This enables the business to identify the root causes of issues that may introduce inaccuracy in reporting. The problem management system must also provide adequate audit trail facilities that allow tracing from an incident to its underlying cause.

Monitor account management activities such as user or group addition, deletion, or modification to ensure that all user access privileges are appropriate and approved. Set up real-time alerts to detect any unauthorized or unapproved changes to users or groups. Audit trails related to user creation and to the creation and deletion of system-level objects (for example, a file, folder, registry key, or printer) are critical to troubleshooting and forensic analysis.

To achieve this control objective, administrators must ensure all network devices, servers, and applications are properly configured to log to a centralized server. Administrators must also periodically review logging status to ensure that these devices, servers and applications are logging correctly.

Log at least the following events for all system components:

  • Use of identification and authentication mechanisms
  • Creation and deletion of system-level objects

Record at least the following audit trail entries for each event, for all system components:

  • User identification
  • Type of event
  • Date and time
  • Success or failure indication
  • Origination of event
  • Identity or name of affected data, system component, or resource
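
The following is an added example (not part of the original guide or the TIBCO LogLogic product) that checks normalized audit events from a centralized log server for the six required entries listed above and raises the account-management alerts described earlier. The event field names, event type labels, the change-ticket field, and the sample events are all constructed assumptions, not a real vendor schema.

```python
"""Audit-trail completeness checks and account-management alerting over constructed events."""
from datetime import datetime

# The six entries every audit trail record must carry (assumed field names).
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "outcome", "origin", "target")

# User/group changes to alert on; labels are assumed normalized names, not a vendor schema.
ACCOUNT_MGMT_EVENTS = {
    "user_added", "user_deleted", "user_modified",
    "group_added", "group_deleted", "group_modified",
}

# Constructed sample events, as a centralized log server might normalize them.
SAMPLE_EVENTS = [
    {"user": "svc_backup", "event_type": "logon", "timestamp": "2024-03-01T02:15:07Z",
     "outcome": "failure", "origin": "10.0.5.17", "target": "fileserver01"},
    {"user": "jdoe", "event_type": "user_added", "timestamp": "2024-03-01T09:02:44Z",
     "outcome": "success", "origin": "10.0.1.22", "target": "tmiller",
     "change_ticket": "CHG-1042"},                    # approved change reference (assumed field)
    {"user": "admin", "event_type": "group_modified", "timestamp": "2024-03-01T23:41:10Z",
     "outcome": "success", "origin": "10.0.9.3", "target": "Domain Admins"},
    {"user": "jdoe", "event_type": "object_deleted", "timestamp": "2024-03-02T10:00:00Z",
     "outcome": "success", "origin": "10.0.1.22"},    # 'target' missing: incomplete entry
]

def missing_fields(event):
    """Return the required audit-trail fields that are absent or empty in an event."""
    return [f for f in REQUIRED_FIELDS if not event.get(f)]

def is_valid_timestamp(ts):
    """Accept only ISO 8601 timestamps so entries from many sources can be correlated."""
    try:
        datetime.fromisoformat(ts.replace("Z", "+00:00"))
        return True
    except (ValueError, AttributeError):
        return False

def account_management_alerts(events, approved_tickets):
    """Flag user/group changes that carry no approved change-ticket reference."""
    return [e for e in events
            if e.get("event_type") in ACCOUNT_MGMT_EVENTS
            and e.get("change_ticket") not in approved_tickets]

def review(events, approved_tickets):
    """Summarize incomplete entries, bad timestamps and unapproved account changes."""
    incomplete = {i: missing_fields(e) for i, e in enumerate(events) if missing_fields(e)}
    bad_time = [i for i, e in enumerate(events) if not is_valid_timestamp(e.get("timestamp"))]
    return {"incomplete": incomplete, "bad_timestamp": bad_time,
            "unapproved_account_changes": account_management_alerts(events, approved_tickets)}

if __name__ == "__main__":
    print(review(SAMPLE_EVENTS, {"CHG-1042"}))
```

Running the block flags the fourth event as incomplete and the after-hours "Domain Admins" change as lacking an approved ticket, which is the kind of finding a periodic logging review or real-time alert should surface.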

Retain your audit trail history for a period that is consistent with its effective use, as well as legal regulations.

Reports and Alerts

Use the following link/reference to see the 13.2.3 reports and alerts: TIBCO LogLogic Reports and Alerts Quick Reference.