Organizations should create a logging policy that includes event log requirements, protection, and handling of log data. Event logs include user IDs, system activities, dates, times, relevant events and their details, device IDs, system identifiers, locations, network addresses, and agreements. Users should not delete logs of their activities, and controls should protect against unauthorized changes, such as alterations, edits, deletions, or failure to record events. Logs should be archived when necessary, and de-identified when sent to vendors. Log analysis should identify unusual or anomalous behavior through predetermined rules, trend or pattern analysis, and monitoring activities that review successful and unsuccessful attempts to access protected resources, examine usage reports, and correlate logs.
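The de-identification and rule-based analysis requirements above can be combined: replacing identifying fields with keyed pseudonyms lets a vendor still correlate events and run predetermined rules without seeing real identities. The sketch below is an added example, not part of any standard or product; the field names, sample events, key and rule threshold are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed field names; adapt to the fields your logging policy classifies as identifying.
IDENTIFYING_FIELDS = ("user_id", "device_id", "src_ip")

def pseudonymize(value, key, field):
    """Keyed per-field pseudonym: stable across events, not recomputable without the key."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
    return f"{field}-{mac.hexdigest()[:16]}"

def deidentify(event, key):
    """Return a copy of the event with identifying fields replaced by pseudonyms."""
    out = dict(event)
    for field in IDENTIFYING_FIELDS:
        if out.get(field) is not None:
            out[field] = pseudonymize(str(out[field]), key, field)
    return out

def failed_then_success(events, threshold=3):
    """Predetermined rule: a success preceded by >= threshold consecutive failures, per user."""
    failures, hits = {}, []
    for e in events:
        user = e["user_id"]
        if e["outcome"] == "failure":
            failures[user] = failures.get(user, 0) + 1
        else:
            if failures.get(user, 0) >= threshold:
                hits.append(user)
            failures[user] = 0
    return hits

def _ev(ts, user, device, ip, outcome):
    return {"ts": ts, "user_id": user, "device_id": device, "src_ip": ip,
            "resource": "/payroll", "outcome": outcome}

# Constructed sample events (documentation-range addresses), not real log data.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:01Z", "alice", "lt-0042", "203.0.113.7", "failure"),
    _ev("2024-05-01T09:00:04Z", "alice", "lt-0042", "203.0.113.7", "failure"),
    _ev("2024-05-01T09:00:09Z", "alice", "lt-0042", "203.0.113.7", "failure"),
    _ev("2024-05-01T09:01:30Z", "bob", "lt-0107", "198.51.100.20", "success"),
    _ev("2024-05-01T09:02:11Z", "alice", "lt-0042", "203.0.113.7", "success"),
    _ev("2024-05-01T09:05:00Z", "bob", "lt-0107", "198.51.100.20", "failure"),
    _ev("2024-05-01T09:05:20Z", "bob", "lt-0107", "198.51.100.20", "success"),
]

# Constructed demo key; a real key stays with the log owner and is never sent to the vendor.
DEMO_KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    shared = [deidentify(e, DEMO_KEY) for e in SAMPLE_EVENTS]
    print(failed_then_success(shared))  # pseudonym of the flagged user
```

Because the pseudonyms are keyed, only the log owner can map a vendor-reported pseudonym back to a user by recomputing it over the known user list.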