Monitoring and Logging

  • Understand the hand-off of ownership and responsibility in terms of what the CSP is responsible for versus the CSC.

  • Understand all the risks so that the CSC can look for the logs that can alert to these risks.

  • Understand the monitoring and logging tools the CSC is using that are provided by their CSP. Understand what functionality is turned on/off in those tools.

  • Ensure the CSC can access the logs as needed.

    • Understand how the logs are being provided and where they are stored.

    • Ensure the logs are consumable.

    • Understand who has access to the logs and what level of access and permissions are configured.

    • Ensure the logs are protected and can be accessed only by approved and authorized personnel.

    • Review the Access Management Credential report for unauthorized users and resource tagging for unauthorized devices.

    • Understand if there are additional tools being used to supplement the CSP out-of-the-box logs.

    • Confirm aggregation and correlation of event data from multiple sources.

  • Understand how the CSC is using the CSP-provided logs.

    • Understand the ways the CSC is analyzing these logs that are different from the on-premises environment (if present).

    • Understand the input logs and ensure they are being consumed into the security incident manager.

    • Verify that logging mechanisms are configured to send logs to a centralized server, and ensure that for compute instances the proper type and format of logs are retained in a similar manner as with physical systems.

  • Ensure CSC’s employees have the right skills and knowledge to configure the logs correctly, and analyze and act on them.

  • Identify applicable compliance requirements and review third-party attestation report to ensure those requirements are covered.

    • Understand which types of instances (events) relevant to the CSC should show up in the logs.

    • To ensure completeness and accuracy, test the relevant transaction types by recreating instances to prove that the instances will actually show in the logs.
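One way to carry out the completeness test above, as an added example that is not part of the original guide: replay a known set of test actions under a dedicated auditor identity, then confirm that each expected event type appears in the exported log within the test window. The JSON-lines format and the field names (`time`, `event`, `actor`, `result`) are assumptions standing in for whatever format the CSP actually delivers.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of centralized log records (JSON lines). The format and
# field names are an assumption, not any particular CSP's schema.
SAMPLE_LOG = """\
{"time": "2024-05-01T10:00:05Z", "event": "ConsoleLogin", "actor": "auditor-test", "result": "Success"}
{"time": "2024-05-01T10:01:10Z", "event": "CreateUser", "actor": "auditor-test", "result": "Success"}
{"time": "2024-05-01T10:02:00Z", "event": "StartInstance", "actor": "ops-bot", "result": "Success"}
{"time": "2024-05-01T10:03:30Z", "event": "DeleteUser", "actor": "auditor-test", "result": "Success"}
"""

# The test actions the auditor performed, in order, under the test identity.
EXPECTED_EVENTS = ["ConsoleLogin", "CreateUser", "AttachPolicy", "DeleteUser"]


def parse_log(text):
    """Parse JSON-lines log text into dicts, converting 'time' to datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def verify_log_completeness(records, expected, actor, start, window_minutes=15):
    """Return (found, missing): expected event types that did / did not
    appear for `actor` within the test window starting at `start`."""
    end = start + timedelta(minutes=window_minutes)
    seen = {r["event"] for r in records
            if r["actor"] == actor and start <= r["time"] <= end}
    found = [e for e in expected if e in seen]
    missing = [e for e in expected if e not in seen]
    return found, missing


def run_audit():
    """Run the completeness check over the constructed sample."""
    records = parse_log(SAMPLE_LOG)
    start = datetime(2024, 5, 1, 10, 0, 0)
    return verify_log_completeness(records, EXPECTED_EVENTS, "auditor-test", start)


if __name__ == "__main__":
    found, missing = run_audit()
    print("logged:", found)
    print("NOT logged (investigate configuration):", missing)
```

Any event in the missing list means either the test action did not execute or the CSP logging configuration does not capture that event type; both are findings to follow up.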

  • Ensure the logs comply with policy.

    • Review logging and monitoring policies and procedures for adequacy, retention, defined thresholds and secure maintenance, specifically for detecting unauthorized activity for cloud services.

    • Validate that audit logging is being performed on the guest OS and critical applications installed on compute instances and that the implementation is in alignment with CSC policies and procedures, especially as it relates to the storage, protection, and analysis of the logs.

    • Ensure analytics of events are utilized to improve defensive measures and policies.

  • Ensure the logs inform incident response.

    • Review host-based IDS on the compute instances in a similar manner as with physical systems.

    • Review evidence on where information on intrusion detection processes can be reviewed.