12 - Monitoring and auditing
Monitoring and auditing establish the necessary controls to detect and respond to security events and to provide evidence of compliance with the disclosed business practices. The events and logs typically serves as a basis for incident response and forensic analysis in case of security incidents, however, they can also be used for other purposes, such as performance analysis, capacity planning, and troubleshooting.
Monitoring and auditing provide reasonable assurance that:
- Unauthorized PKI system usage is detected
- Critical high impact events are monitored
- Appropriate logs are collected and relevant issues are alerted
- The confidentiality and integrity of current and archived audit logs are maintained for the required period of time
- Audit logs are completely and confidentially archived in accordance with disclosed business practices
- Events and logs are reviewed periodically by authorized personnel
The outputs from the monitoring and auditing activities are typically used as inputs for the risk assessment and management activities, including incident response management and investigation of high impact events.
Category maturity levels description
| Maturity level | Description |
|---|---|
| 1 - Initial | There is no or limited monitoring and auditing capabilities in place. |
| 2 - Basic | Logs are collected, however, they are not reviewed, nor correlated with other records. |
| 3 - Advanced | Documeneted requirements for monitoring and auditing are defined and implemented. Logs are centrally collected and correlated with other records. |
| 4 - Managed | Centrally collected logs are reviewed and monitored periodically according to documented policy and requirements. Audit trail can be constructed for critical events from audit logs. |
| 5 - Optimized | Monitoring and auditing requirements are periodically reviewed and improved. Documented policy and system requirements are in place and followed. Critical events are immediately alerted and resolved according to incident response plans. |
Requirements
| # | Requirement | Weight |
|---|---|---|
| 1 | Monitoring events and logging requirements are defined and documented | 4 |
| 2 | Event logs from systems are collected | 4 |
| 3 | Audit trail can be reconstructed from audit logs | 5 |
| 4 | Monitoring of operational and security events is implemented | 5 |
| 5 | Critical events are immediately alerted and resolved according to incident response plans | 3 |
| 6 | Review of events and logs is periodically performed | 2 |
Details
Monitoring events and logging requirements are defined and documented
Guidance
The monitoring and logging requirements should be defined and documented in the CP, CPS, or other relevant documents. The requirements should be aligned with the overall PKI policies and statements, and should be based on the risk assessment and management activities.
The requirements can typically include:
- Events to be monitored
- Frequency of monitoring
- Logs to be collected
- Retention period for logs
- Audit trail requirements
- Audit log protection requirements
- Formatting and interpretation of logs (syslog, JSON, XML, CEF, etc.)
- And other relevant requirements
Assessment
- Documented monitoring and logging requirements
- Policies and procedures for monitoring and logging
- Review of records
- Interviews with personnel
References
- ISO/IEC 27001 - Information security management systems
- ISO/IEC 20000 and related standards
- ISO/IEC 27099 - Public key infrastructure
Event logs from systems are collected
Guidance
The event logs from systems should be collected and available for analysis, including correlation with other records. Centralized logging is recommended to ensure that the logs are collected and stored consistently. Solution like security information and event management (SIEM) can be used to collect and analyze the logs.
The availability of records for analysis depends on understanding logging format and interpretation of the information, therefore each system should provide logs in a consistent format that can be further processed and analyzed (or automated).
Logs and events should be collected from all systems that are relevant for the PKI implementation, such as key life cycle management events.
The event should contain sufficient information to identify the event, including:
- User identification
- Type of event
- Date and time
- Success or failure indication
- Origination of event
- Identity or name of affected data, system component, or resource
- Additional details
Assessment
- Logs are collected from systems
- Logs have a consistent format and can be further processed and analyzed
- Review of records and their formatting
- Review of configuration standards for logging
- Interviews with personnel to check the understanding of logging format and interpretation of the information
References
- ISO/IEC 27001 - Information security management systems
- ISO/IEC 20000 and related standards
- NIST - Guide to Computer Security Log Management
- ISO/IEC 27099 - Public key infrastructure
Audit trail can be reconstructed from audit logs
Guidance
Audit logging should be implemented to ensure that the audit trail can be reconstructed from audit logs any time. Audit logs are typically recorded for any user executed events that are important for security of the PKI implementation. Audit logs should be stored in a secure location. The audit logs should be protected against unauthorized access, modification, and deletion.
Typically, the following events are important for security of the PKI implementation:
- All individual user accesses to sensitive data
- All actions taken by any individual with root or administrative privileges
- Access to all audit trails
- Invalid logical access attempts
- Use of and changes to identification and authentication mechanisms - including but not limited to creation of new accounts and elevation of privileges - and all changes, additions, or deletions to accounts with root or administrative privileges
- Initialization, stopping, or pausing of the audit logs
- Creation and deletion of system-level objects
Assessment
- Audit trail can be reconstructed from audit logs
- Audit logs are stored in a secure location
- Audit logs are protected against unauthorized access, modification, and deletion
- Review of records
- Interviews with personnel to understand the audit logging implementation
References
- RFC 3647 - Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework
- NIST - Guide to Computer Security Log Management
- ISO/IEC 27001 - Information security management systems
- ISO/IEC 27099 - Public key infrastructure
Monitoring of operational and security events is implemented
Guidance
Monitoring of operational and security events should be implemented to ensure that the PKI implementation is operating as expected and that the security events are detected and responded to in a timely manner and that evidence of any malicious event is identified. The monitoring should be implemented for all critical systems and components, including the CA, RA, OCSP, HSM, and other relevant systems.
Monitoring should be aligned with the monitoring and auditing requirements defined in the CP, CPS, and other relevant documents. The monitoring should be implemented to ensure that the requirements are met.
Assessment
- Monitoring of operational and security events is implemented according to the requirements
- Review of monitoring implementation, including CA key life cycle management related events, security sensitive events, and other relevant events
- Review of monitoring events and alerts
- Interviews with personnel responsible for monitoring
References
- ISO/IEC 27001 - Information security management systems
- ISO/IEC 20000 and related standards
- ISO/IEC 27099 - Public key infrastructure
Critical events are immediately alerted and resolved according to incident response plans
Guidance
Critical events should be immediately alerted and resolved according to incident response plans. Monitoring implementation should ensure that critical events are detected and alerted in a timely manner. This can be done manually or in an automated way.
Assessment
- Review of requirements for alerting on critical event, including security sensitive events
- Review of monitoring implementation
- Review of documentation of critical events
- Interviews with personnel to check the understanding of critical events and their handling
References
- ISO/IEC 27001 - Information security management systems
- ISO/IEC 20000 and related standards
- ISO/IEC 27099 - Public key infrastructure
Review of events and logs is periodically performed
Guidance
Logs and events should be reviewed frequently, preferably automatically, to determine security related issues, potential systems failure, identify anomalies or suspected activity. Regular review should be confirmed by authorized personnel who can proactively identify issues before they become problems.
The review of logs and events should be performed periodically and the frequency should be based on the risk assessment. Any potential issues should be reported and resolved according to the incident response plans.
Assessment
- Review of logs and events is performed periodically
- Review of logs and events is performed according to the requirements
- Review of logs and events is confirmed by authorized personnel
- Interview with personnel responsible for review of logs and events
