
Requirement:

The cybersecurity requirements for event logs and monitoring management must include at least the following:

Sub-Controls:

2-12-3-1:
Requirement:
Activation of cybersecurity event logs on critical information assets.
Control Implementation Guidelines:
  • Define and document the requirements of this control in the organization's cybersecurity requirements document, and have them approved by the authorized representative
  • Enable cybersecurity event logs on the organization's critical information assets, which may include, but are not limited to, the following:
    • Network Devices
    • Applications
    • Databases
    • Servers
    • Workstations (via the endpoint protection system)
  • Enable these logs in the configuration of the devices and systems listed above, using their management consoles
  • Develop rules in the SIEM so that the monitoring team can monitor the enabled logs of critical information assets (once those assets are onboarded to the SIEM)
Expected Deliverables:
  • A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
  • A screenshot or a direct example from the management console of the systems listed above, showing that event logging is enabled
  • A screenshot or a direct example showing that those logs are received and enabled in the SIEM
2-12-3-2:
Requirement:
Activation of cybersecurity event logs on remote access and privileged user accounts.
Control Implementation Guidelines:
  • Define and document the requirements of this control in the organization's cybersecurity requirements document, and have them approved by the authorized representative
  • Enable cybersecurity event logging for privileged accounts (e.g., database and system administration accounts) on information assets, so that every change made through those accounts is recorded and archived
  • Enable logging of remote access events; remote access must be limited to necessary cases, and every remote session must be logged so that the changes made during it can be traced
  • Develop rules in the SIEM so that the monitoring team can monitor the enabled logs of privileged accounts and remote access (once those sources are onboarded to the SIEM)
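As an added example (not part of the ECC text or any NCA tooling), the following Python script applies SIEM-style rules of the kind this sub-control asks for to a few constructed Linux auth.log lines: it records every remote login and every privileged (sudo) command, and raises alerts for direct root logins, remote access from outside an assumed internal address range, off-hours activity, and repeated failed logins from one source. The log lines, address ranges, business hours and thresholds are all assumptions chosen for illustration.

```python
"""Added example for ECC sub-control 2-12-3-2: SIEM-style rules over constructed
Linux auth.log lines. Log lines, internal ranges, business hours and thresholds
are assumptions for illustration, not values taken from the ECC."""
import re
from collections import defaultdict

# Constructed sample lines in the syslog format written by sshd and sudo.
SAMPLE_LOG = """\
Mar  3 09:12:01 db01 sshd[2231]: Accepted publickey for dbadmin from 10.20.0.15 port 51022 ssh2
Mar  3 09:12:40 db01 sudo:  dbadmin : TTY=pts/0 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar  3 22:47:13 db01 sshd[2410]: Accepted password for root from 203.0.113.7 port 40112 ssh2
Mar  3 22:47:20 db01 sudo:    ops01 : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/psql -c DROP DATABASE payroll
Mar  3 22:48:02 db01 sshd[2412]: Failed password for root from 203.0.113.7 port 40118 ssh2
Mar  3 22:48:05 db01 sshd[2412]: Failed password for root from 203.0.113.7 port 40119 ssh2
Mar  3 22:48:09 db01 sshd[2412]: Failed password for root from 203.0.113.7 port 40120 ssh2
"""

INTERNAL_PREFIXES = ("10.", "192.168.")   # assumed corporate ranges; anything else is treated as remote
BUSINESS_HOURS = range(7, 19)             # assumed 07:00-18:59 local time
FAILED_LOGIN_THRESHOLD = 3                # assumed brute-force threshold per (source, user)

# sshd also writes "for invalid user X"; the optional group keeps the real username in that case.
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def parse_line(line):
    """Split a syslog line into (timestamp, host, message)."""
    timestamp = line[:15]                 # e.g. "Mar  3 09:12:01"
    host, _, message = line[16:].partition(" ")
    return timestamp, host, message


def evaluate(log_text):
    """Return (events, alerts). events holds every remote-access and privileged-change
    record (the control requires all of them to be logged); alerts holds rule hits."""
    events, alerts = [], []
    failures = defaultdict(int)
    for raw in log_text.splitlines():
        timestamp, host, message = parse_line(raw)
        hour = int(timestamp.split()[-1].split(":")[0])
        off_hours = hour not in BUSINESS_HOURS

        m = SSH_RE.search(message)
        if m:
            user, src = m["user"], m["src"]
            if m["result"] == "Failed":
                failures[(src, user)] += 1
                if failures[(src, user)] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("ssh-bruteforce",
                                   f"{FAILED_LOGIN_THRESHOLD} failed logins for {user} from {src} on {host}"))
                continue
            events.append(("remote-access", timestamp, host, user, src))
            if user == "root":
                alerts.append(("root-ssh-login", f"direct root login from {src} on {host}"))
            if not src.startswith(INTERNAL_PREFIXES):
                alerts.append(("external-remote-access", f"{user} from {src} on {host}"))
            if off_hours:
                alerts.append(("off-hours-remote-access", f"{user} at {timestamp} on {host}"))
            continue

        m = SUDO_RE.search(message)
        if m:
            events.append(("privileged-change", timestamp, host, m["user"], m["cmd"]))
            if off_hours:
                alerts.append(("off-hours-privileged-command",
                               f"{m['user']} ran '{m['cmd']}' as {m['target']} at {timestamp} on {host}"))
    return events, alerts


if __name__ == "__main__":
    events, alerts = evaluate(SAMPLE_LOG)
    print(f"{len(events)} logged privileged/remote events, {len(alerts)} alerts")
    for rule, detail in alerts:
        print(f"ALERT {rule}: {detail}")
```

On the constructed sample this records four events (two SSH logins, two sudo commands) and raises five alerts: three for the off-hours external root login, one for the off-hours sudo command, and one when the third failed login from the same source arrives. The point for an assessor is that the rules only work because the sources were enabled and onboarded first; a rule with no events behind it is not evidence of monitoring.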
Expected Deliverables:
  • A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
  • Screenshot or a direct example showing that logging is enabled for a sample of privileged accounts on the access management system, together with a screenshot or direct example showing those logs being received in the SIEM
  • Screenshot or a direct example showing that logging is enabled for a sample of privileged accounts on the remote access system, together with a screenshot or direct example showing those logs being received in the SIEM
2-12-3-3:
Requirement:
Identification of required technologies (e.g., SIEM) for cybersecurity event logs collection.
Control Implementation Guidelines:
  • Define and document the requirements of this control in the organization's cybersecurity requirements document, and have them approved by the authorized representative
  • Provide the technologies needed to collect cybersecurity event logs (e.g., a SIEM)
  • Define the scope of devices, systems, and applications to be connected to the SIEM based on their sensitivity, including but not limited to:
    • Workstations (via the endpoint protection system)
    • Applications
    • Databases
    • Network Devices
    • Servers
  • Connect all of the organization's critical devices and systems, including those listed above, to the Security Information and Event Management (SIEM) system
  • Periodically review SIEM onboarding to confirm that the whole scope above is covered and that any newly added devices or systems in the organization are connected
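As an added example (not part of the ECC text), the following Python script performs the periodic onboarding review this sub-control calls for: it compares a constructed critical-asset inventory against a constructed export of SIEM log sources with their last-event timestamps, and reports critical assets that are not connected, assets that are connected but have gone silent (a source that is onboarded but no longer sending logs is a coverage gap in practice), and SIEM sources missing from the inventory. The asset names, timestamps, the fixed "now", and the 24-hour silence threshold are all assumptions for illustration.

```python
"""Added example for ECC sub-control 2-12-3-3: periodic review of SIEM source coverage.
Inventory, SIEM source list, the fixed clock and the silence threshold are assumptions."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)   # fixed clock so the review is reproducible
SILENCE_THRESHOLD = timedelta(hours=24)                  # assumed: a source quiet this long is a finding

# Constructed asset inventory: the approved logging scope, with criticality from the asset register.
INVENTORY = [
    {"name": "fw-edge-01",  "type": "Network Device", "critical": True},
    {"name": "erp-app-01",  "type": "Application",    "critical": True},
    {"name": "db-core-01",  "type": "Database",       "critical": True},
    {"name": "file-srv-02", "type": "Server",         "critical": True},
    {"name": "edr-console", "type": "Workstations (via protection system)", "critical": True},
    {"name": "dev-test-09", "type": "Server",         "critical": False},
]

# Constructed SIEM source export: last event seen per connected source.
SIEM_SOURCES = {
    "fw-edge-01":  datetime(2024, 3, 4, 7, 58, tzinfo=timezone.utc),
    "erp-app-01":  datetime(2024, 3, 1, 2, 10, tzinfo=timezone.utc),   # connected, but silent for days
    "db-core-01":  datetime(2024, 3, 4, 7, 59, tzinfo=timezone.utc),
    "edr-console": datetime(2024, 3, 4, 7, 30, tzinfo=timezone.utc),
    "legacy-nas":  datetime(2024, 3, 4, 6, 0, tzinfo=timezone.utc),    # sending logs, not in inventory
}


def review_coverage(inventory, siem_sources, now=NOW, silence=SILENCE_THRESHOLD):
    """Classify every critical asset as covered, silent or not onboarded, and list
    SIEM sources that the inventory does not know about (inventory drift)."""
    findings = {"covered": [], "silent": [], "not_onboarded": [], "unknown_sources": []}
    for asset in inventory:
        if not asset["critical"]:
            continue                      # non-critical assets are outside this control's scope
        last_seen = siem_sources.get(asset["name"])
        if last_seen is None:
            findings["not_onboarded"].append(asset["name"])
        elif now - last_seen > silence:
            findings["silent"].append((asset["name"], now - last_seen))
        else:
            findings["covered"].append(asset["name"])
    known = {a["name"] for a in inventory}
    findings["unknown_sources"] = sorted(set(siem_sources) - known)
    return findings


def coverage_ratio(findings):
    """Share of critical assets that are connected and actively sending logs."""
    critical = len(findings["covered"]) + len(findings["silent"]) + len(findings["not_onboarded"])
    return len(findings["covered"]) / critical if critical else 0.0


if __name__ == "__main__":
    result = review_coverage(INVENTORY, SIEM_SOURCES)
    print(f"coverage: {coverage_ratio(result):.0%}")
    for key in ("not_onboarded", "silent", "unknown_sources"):
        print(f"{key}: {result[key]}")
```

The output of such a review, kept with each run, is a stronger form of the deliverable listed below than a static spreadsheet, because it shows not only that a source was connected once but that it is still delivering events on the review date.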
Expected Deliverables:
  • A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
  • A visit to the organization's Security Operations Center (if one exists), where the SIEM is viewed directly
  • A report showing the connection of all the organization's devices and systems to the SIEM (e.g., an Excel or other electronic list), highlighting any newly added devices or systems in the organization
  • The contract covering the above, if the Security Operations Center is operated by a service provider
2-12-3-4:
Requirement:
Continuous monitoring of cybersecurity events
Control Implementation Guidelines:
  • Define and document the requirements of this control in the organization's cybersecurity requirements document, and have them approved by the authorized representative
  • Assign a team for continuous monitoring of cybersecurity event logs (or of the SIEM) and approve a 24/7 monitoring model, so that monitoring is performed around the clock, every day of the week
  • This team may consist of the organization's own employees, or monitoring may be contracted to an external service provider
  • If monitoring is contracted externally, the organization's SIEM must be accessed from within the Kingdom, and the SIEM itself must also be hosted within the Kingdom
Expected Deliverables:
  • A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
  • The organization's shift schedule covering the approved monitoring model
  • The contract showing the monitoring model followed, if the Security Operations Center or the monitoring is provided by a service provider
2-12-3-5:
Requirement:
Retention period for cybersecurity event logs (must be 12 months minimum).
Control Implementation Guidelines:
  • Define and document the requirements of this control in the organization's cybersecurity requirements document, and have them approved by the authorized representative
  • Set the retention period for cybersecurity event logs to at least 12 months in the SIEM configuration
  • Provide enough storage to retain these logs for the full period
  • Periodically review the stored logs to confirm that logs younger than 12 months have not been overwritten by newer ones, and increase the storage capacity if this occurs
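As an added example (not part of the ECC text), the following Python script performs the periodic retention review this sub-control describes: for each constructed SIEM source it computes the oldest event the SIEM should still hold (12 months back, or the onboarding date if the source is younger than that), flags sources whose oldest retained event is newer than that (which means earlier data was overwritten), and checks whether the estimated on-disk volume for 12 months of ingest fits the available capacity. The source names, dates, ingest rates, capacity and the 1.3 index-overhead factor are all assumptions for illustration.

```python
"""Added example for ECC sub-control 2-12-3-5: retention and capacity review.
Sources, dates, ingest rates, capacity and the overhead factor are assumptions."""
import math
from datetime import date, timedelta

RETENTION_DAYS = 365                  # control minimum: 12 months
NOW = date(2024, 3, 4)                # fixed review date so the run is reproducible
CAPACITY_GB = 40_000                  # assumed usable storage of the SIEM data tier
INDEX_OVERHEAD = 1.3                  # assumed on-disk size per GB of raw ingest (indexes, replicas)

# Constructed source export: name, onboarding date, oldest retained event, daily ingest in GB.
SOURCES = [
    ("fw-edge-01",  date(2022, 1, 10),  date(2023, 3, 4),   25.0),   # full 12 months retained
    ("db-core-01",  date(2022, 6, 1),   date(2023, 9, 20),  12.0),   # oldest event ~5.5 months old
    ("erp-app-01",  date(2023, 11, 15), date(2023, 11, 15),  4.0),   # young source, nothing lost
    ("edr-console", date(2023, 11, 15), date(2024, 1, 2),   60.0),   # young source, early data lost
]


def expected_oldest(onboarded, now=NOW, retention_days=RETENTION_DAYS):
    """The oldest event the SIEM must still hold: retention window start, or the
    onboarding date for sources connected less than a full window ago."""
    return max(onboarded, now - timedelta(days=retention_days))


def check_retention(sources, now=NOW, retention_days=RETENTION_DAYS):
    """Return (source, days_lost) for each source whose oldest retained event is
    newer than expected, i.e. logs inside the retention window were overwritten."""
    findings = []
    for name, onboarded, oldest_retained, _ in sources:
        must_hold_from = expected_oldest(onboarded, now, retention_days)
        if oldest_retained > must_hold_from:
            findings.append((name, (oldest_retained - must_hold_from).days))
    return findings


def storage_check(sources, capacity_gb=CAPACITY_GB,
                  retention_days=RETENTION_DAYS, overhead=INDEX_OVERHEAD):
    """Estimate GB needed to keep retention_days of all sources; True if it fits."""
    daily_total = sum(daily_gb for _, _, _, daily_gb in sources)
    required_gb = math.ceil(daily_total * retention_days * overhead)
    return required_gb, required_gb <= capacity_gb


if __name__ == "__main__":
    for name, days_lost in check_retention(SOURCES):
        print(f"FINDING {name}: {days_lost} days of in-window logs missing")
    required, fits = storage_check(SOURCES)
    print(f"required {required} GB for {RETENTION_DAYS} days, capacity {CAPACITY_GB} GB, sufficient={fits}")
```

On the constructed data, db-core-01 has lost 199 days of in-window logs and edr-console has lost the first 48 days since it was onboarded, while fw-edge-01 and erp-app-01 pass; the capacity estimate (about 47.9 TB against 40 TB) also fails, which is the usual root cause of such findings. Note that a source onboarded less than 12 months ago cannot yet evidence 12 months of retention; the review should record its onboarding date rather than treat it as a failure.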
Expected Deliverables:
  • A document (such as approved policy or procedure) indicating the identification and documentation of the requirements related to this control
  • A screenshot or direct export from the SIEM system showing the retention configuration of at least 12 months
  • A sample of stored logs extracted from the SIEM system where records have been kept for at least 12 months
 
