14.9: Enforce Detail Logging for Access or Changes to Sensitive Data

Enforce detailed audit logging for access to sensitive data and for changes to sensitive data, using tools such as File Integrity Monitoring (FIM) or a Security Information and Event Management (SIEM) system to collect and retain the records.

Asset Type | Security Function | Implementation Groups
-----------|-------------------|----------------------
Data       | Detect            | 3

Dependencies

  • Sub-control 1.4: Maintain Detailed Asset Inventory

  • Sub-control 1.5: Maintain Asset Inventory Information

  • Sub-control 2.1: Maintain Inventory of Authorized Software

  • Sub-control 2.5: Integrate Software and Hardware Asset Inventories

Inputs

  1. The list of endpoints

  2. The list of authorized software

  3. The list of sensitive information

Operations

  1. Enumerate all endpoints storing sensitive information by cross-referencing the endpoint inventory with the sensitive information inventory

  2. For each identified endpoint, examine its audit configuration on the following two points, recording it as appropriately or inappropriately configured for each:
    1. Detailed audit logging is enabled for access to (reads of) sensitive data

    2. Detailed audit logging is enabled for changes to (writes, deletions and attribute or permission changes of) sensitive data

  3. Enumerate appropriately configured endpoints

  4. Enumerate inappropriately configured endpoints

  5. Enumerate endpoints that do not have detailed audit logging enabled for access to sensitive data

  6. Enumerate endpoints that do not have detailed audit logging enabled for changes to sensitive data

Measures

  • M1 = List of all endpoints storing sensitive information

  • M2 = List of appropriately configured endpoints (those that have detailed audit logging enabled for access and changes to sensitive data)

  • M3 = List of inappropriately configured endpoints (those that do not have detailed audit logging enabled for access or changes to sensitive data)

  • M4 = List of endpoints that do not have detailed audit logging enabled for access to sensitive data

  • M5 = List of endpoints that do not have detailed audit logging enabled for changes to sensitive data

  • M6 = Count of endpoints storing sensitive information (count of M1)

  • M7 = Count of appropriately configured endpoints (count of M2)

  • M8 = Count of inappropriately configured endpoints (count of M3)

  • M9 = Count of endpoints that do not log access to sensitive data (count of M4)

  • M10 = Count of endpoints that do not log changes to sensitive data (count of M5)

Metrics

Coverage

Metric

The ratio of appropriately configured endpoints to the total number of endpoints storing sensitive information

Calculation

M7 / M6 (undefined when M6 = 0, i.e. when no endpoint in scope stores sensitive information; an endpoint counts toward M7 only if it logs both access and changes)
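The following script is an added example that works through the Operations, Measures and Metrics above end to end; it is not part of the CIS document. The endpoint inventory, sensitive information inventory and per-endpoint audit configurations are constructed sample data. The control text does not prescribe how "detailed audit logging" is implemented, so the check assumes Linux auditd-style watch rules (`-w <path> -p <perms>`), treating `r` as access logging and both `w` and `a` (write and attribute change) as change logging; on another platform the `endpoint_logging_status` check would be swapped for the equivalent (for example, reading the SACL of each sensitive object on Windows) while the measure and metric computation stays the same.

```python
"""Worked example for CIS sub-control 14.9 (added example, not CIS content).

Evaluates whether each endpoint that stores sensitive data has detailed audit
logging for both access and changes, then derives measures M1..M10 and the
coverage metric M7 / M6.  All inventories and audit rules below are constructed
sample data; the auditd-style watch-rule syntax is an assumption used to make
the configuration check concrete.
"""
import re

# Input 1 (constructed): endpoint inventory, as maintained under sub-controls 1.4 / 1.5.
ENDPOINTS = ["db-01", "db-02", "file-01", "hr-app-01", "web-01"]

# Input 3 (constructed): sensitive information inventory, mapped to the endpoint
# and path where each item is stored.  web-01 holds no sensitive data, so it is
# out of scope for this control and never appears in M1.
SENSITIVE_DATA = {
    "db-01": ["/var/lib/postgresql/data"],
    "db-02": ["/var/lib/mysql"],
    "file-01": ["/srv/hr/payroll", "/srv/legal/contracts"],
    "hr-app-01": ["/opt/hrapp/config/secrets.yml"],
}

# Per-endpoint audit configuration (constructed), one auditd-style watch rule per
# line.  db-02 has no rules at all; file-01 logs changes but not reads of the
# contracts share; hr-app-01 logs reads but not changes.
AUDIT_RULES = {
    "db-01": "-w /var/lib/postgresql/data -p rwa -k sensitive",
    "file-01": "-w /srv/hr/payroll -p rwa -k sensitive\n"
               "-w /srv/legal/contracts -p wa -k sensitive",
    "hr-app-01": "-w /opt/hrapp/config/secrets.yml -p r -k sensitive",
}

# Assumed rule shape: "-w <path> -p <permission flags> ..."; flags are r, w, x, a.
RULE_RE = re.compile(r"^-w\s+(?P<path>\S+)\s+-p\s+(?P<perms>[rwxa]+)")


def parse_watch_rules(rules_text):
    """Return {path: set of permission flags} for every watch rule in the text."""
    watched = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            watched.setdefault(m["path"], set()).update(m["perms"])
    return watched


def endpoint_logging_status(endpoint):
    """Operation 2: (access_ok, change_ok) for one endpoint.

    Access logging requires an 'r' watch on every sensitive path; change logging
    requires both 'w' (writes) and 'a' (attribute changes).  A sensitive path with
    no watch rule at all fails both checks.
    """
    watched = parse_watch_rules(AUDIT_RULES.get(endpoint, ""))
    access_ok = change_ok = True
    for path in SENSITIVE_DATA.get(endpoint, []):
        perms = watched.get(path, set())
        if "r" not in perms:
            access_ok = False
        if not {"w", "a"} <= perms:
            change_ok = False
    return access_ok, change_ok


def compute_measures():
    """Operations 1 and 3-6: build M1..M5 and their counts M6..M10."""
    m1 = sorted(e for e in ENDPOINTS if SENSITIVE_DATA.get(e))  # Operation 1
    m2, m3, m4, m5 = [], [], [], []
    for e in m1:
        access_ok, change_ok = endpoint_logging_status(e)
        (m2 if access_ok and change_ok else m3).append(e)  # Operations 3 and 4
        if not access_ok:
            m4.append(e)  # Operation 5
        if not change_ok:
            m5.append(e)  # Operation 6
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "M5": m5,
            "M6": len(m1), "M7": len(m2), "M8": len(m3),
            "M9": len(m4), "M10": len(m5)}


def coverage(measures):
    """Coverage metric M7 / M6; None when no in-scope endpoint stores sensitive data."""
    if measures["M6"] == 0:
        return None
    return measures["M7"] / measures["M6"]


if __name__ == "__main__":
    measures = compute_measures()
    for name, value in measures.items():
        print(f"{name}: {value}")
    print("Coverage (M7 / M6):", coverage(measures))
```

Running it against the sample data puts only db-01 in M2 and yields a coverage of 1/4; M4 and M5 separate the endpoints that are missing access logging (db-02, file-01) from those missing change logging (db-02, hr-app-01), which is what makes the two lists useful for remediation rather than a single pass/fail count.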