loglogic iso/iec 27002 compliance suite guidebook€¦ · · 2012-12-10loglogic, inc. proprietary...

LogLogic, Inc. Proprietary and Confidential

LogLogic

ISO/IEC 27002 Compliance Suite Guidebook

Software Release: 3.2

Document Release: March 2011

Part No: LL42004-00E032000

This manual supports ISO/IEC 27002 Compliance Suite Software Release 3.2 and later releases until replaced by a newer edition.

LogLogic, Inc. Proprietary and Confidential

LogLogic, Inc.

110 Rose Orchard Way St. 200

San Jose, CA 95134

Tel: +1 408 215 5900

Fax: +1 408 774 1752

U.S. Toll Free: 888 347 3883

Email: [email protected]

www.loglogic.com

© 2006, 2007, 2008, 2009, 2010, 2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

"LogLogic" and the LogLogic logo are trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set our exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

ISO/IEC 17799 Complian

Contents

Preface: About This Guide

Technical Support Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Documentation Support Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 1: Understanding Compliance Requirements and Options

Establishing IT Controls for ISO/IEC 27002 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Key Elements of ISO/IEC 27002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

What is the LogLogic Compliance Suite: ISO/IEC 27009 Edition . . . . . . . . . . . . . . . . . . . 10

Compliance Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Identity and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Monitoring and Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Change Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Security Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Availability Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Continuity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Satisfied ISO/IEC 27002 Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 2: ISO/IEC 27002 Controls

Section 8 - Human Resources Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

8.1.1 Roles and Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Illustrative Controls and Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Reports and Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

8.3.3 Removal of Access Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Illustrative Controls and LogLogic Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16


Section 10 - Communications and Operations Management . . . . . . . . . . . . . . . . . . . . . . 17

10.1.2 Change Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17



10.1.3 Segregation of Duties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18



10.1.4 Separation of Development, Test, and Operational Facilities. . . . . . . . . . . . . . 19



10.2.2 Monitoring and Review of Third Party Services . . . . . . . . . . . . . . . . . . . . . . . . 20

ce Suite Guidebook 3

CONTENTS



10.3.1 Capacity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20



10.4.1 Controls Against Malicious Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21


10.4.2 Controls Against Mobile Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21



10.5.1 Information Backup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22



10.6.1 Network Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23


10.6.2 Security of Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23



10.8.4 Electronic Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24



10.10.1 Audit Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24


10.10.2 Monitoring System Use. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24



10.10.3 Protection of Log Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25



10.10.4 Administrative and Operator Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25



10.10.5 Fault Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26



10.10.6 Clock Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26



Section 11 - Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

11.2.1 User Registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28


11.2.2 Privilege Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28


4 ISO/IEC 17799 Compliance Suite Guidebook

CONTENTS

11.2.3 User Password Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29


11.2.4 Review of User Access Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29


11.3.1 Password Use. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30


11.4.1 Policy on Use of Networked Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30


11.4.2 User Authentication for External Connections . . . . . . . . . . . . . . . . . . . . . . . . . 31



11.4.4 Remote Diagnostic and Configuration Port Protection . . . . . . . . . . . . . . . . . . . 31



11.4.7 Network Routing Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32



11.5.1 Secure Log-on Procedures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32



11.5.2 User Identification and Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33



11.5.3 Password Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33


11.5.4 Use of System Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33



11.6.1 Information Access Restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Illustrative Controls and Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34


11.6.2 Sensitive System Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34



Section 12 - Information Systems Acquisition, Development and Maintenance . . . . . . . . 35

12.4.1 Control of Operational Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35


12.4.3 Access Control to Program Source Code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35



12.5.1 Change Control Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35


ISO/IEC 17799 Compliance Suite Guidebook 5

CONTENTS

12.5.2 Technical Review of Applications After Operating System Changes . . . . . . . . 35


12.5.3 Restrictions on Changes to Software Packages. . . . . . . . . . . . . . . . . . . . . . . . 36



12.6.1 Control of Technical Vulnerabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36



Section 13 - Information Security Incident Management . . . . . . . . . . . . . . . . . . . . . . . . . . 37

13.1.1 Reporting Information Security Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37


13.1.2 Reporting Security Weaknesses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37


13.2.3 Collection of Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38


Section 15 - Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

15.2.2 Technical Compliance Checking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39


15.3.1 Information Systems Audit Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39



15.3.2 Protection of Information System Audit Tools. . . . . . . . . . . . . . . . . . . . . . . . . . 40



Chapter 3: LogLogic Reports and Alerts for ISO/IEC 27002

LogLogic Reports for ISO/IEC 27002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

LogLogic Alerts for ISO/IEC 27002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

LogLogic Reports and Alerts Quick Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Chapter 4: Installing and Using the LogLogic Compliance Suite

Setting Up the Compliance Suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Prerequisites for Installing the Compliance Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Installing the Compliance Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Using the Compliance Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Working with Compliance Suite Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Viewing Compliance Suite Reports and Output Data . . . . . . . . . . . . . . . . . . . . . 104

Customizing Compliance Suite Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Working with Compliance Suite Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Accessing Available Compliance Suite Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Enabling Compliance Suite Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Viewing Compliance Suite Alert Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110


PREFACE:

About This Guide

The LogLogic ISO/IEC 27002 Compliance Suite Guidebook provides introduction and overview information regarding the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 27002 standard. It also covers topics related to managing LogLogic’s ISO/IEC 27002 compliance reports, alerts, and using log data collected and aggregated from all types of source systems to monitor and report on ISO/IEC 27002 compliance.

The LogLogic ISO/IEC 27002 Compliance Suite Guidebook provides information regarding LogLogic’s International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 27002 compliance reports, alerts, and using log data collected and aggregated from all types of source systems to monitor and report on ISO/IEC 27002 compliance.

Technical Support InformationLogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers that can help you maximize the performance of your LogLogic Compliance Suites.

To reach the LogLogic Support team:

Telephone:

Toll Free—1-800-957-LOGS

Local—1-408-834-7480

Europe, Middle East, Africa (EMEA) or Asia Pacific (APAC): + 44 (0) 207 1170075 or +44 (0) 8000 669970

Email: [email protected]

Support Website: http://loglogic.com/services/support

When contacting LogLogic Support, be prepared to provide the following information:

Your name, email address, phone number, and fax number

Your company name and company address

Your appliance model and release version

Serial number located on the back of the Appliance or the eth0 MAC address

A description of the problem and the content of pertinent error messages (if any)


mailto:[email protected]

http://www.loglogic.com/services/support/

About This Guide : Documentation Support Information

Documentation Support InformationThe LogLogic documentation includes Portable Document Format (PDF) files. To read the PDF documentation, you need a PDF file viewer such as Adobe Acrobat Reader. You can download the Adobe Acrobat Reader at http://www.adobe.com.

Contact Information

Your feedback on the LogLogic documentation is important to us. If you have questions or comments, send email to [email protected]. In your email message, please indicate the software name and version you are using, as well as the title and document release date of your documentation. Your comments will be reviewed and addressed by the LogLogic Technical Publications team.

ConventionsThe LogLogic documentation uses the following conventions to distinguish text and information that might require special attention.

Caution: Highlights important situations that could potentially damage data or cause system failure.

IMPORTANT! Highlights key considerations to keep in mind.

Note: Provides additional information that is useful but not always essential or highlights guidelines and helpful hints.

This guide also uses the following typographic conventions to highlight code and command line elements:

Monospace is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as file names, directories, paths, and URLs).

Monospace bold is used to distinguish system prompts or screen output from user responses, as in this example:

username: system

home directory: home\app

Monospace italic is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

LogLogic_home_directory\upgrade\

Straight brackets signal options in command line syntax.

ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path ...]


http://www.adobe.com



mailto:[email protected]

CHAPTER 1: Understanding Compliance Requirements and Options

This chapter provides some historical background and an introduction to the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It also provides details regarding the ISO/IEC 27002 standard.

Establishing IT Controls for ISO/IEC 27002 Compliance . . . . . . . . . . . . . . . . . . . . . . . . 9

What is the LogLogic Compliance Suite: ISO/IEC 27009 Edition. . . . . . . . . . . . . . . . . 10

Establishing IT Controls for ISO/IEC 27002 ComplianceInternational Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly develop worldwide standards. National bodies that are members of ISO or IEC participate in the development of international standards through technical committees established by these organizations to deal with particular fields of international activity. Other international organizations, governmental and non-governmental, liaise with ISO and IEC in order to participate in the development of technical standards.

The ISO 27002 standard is the rename of the ISO 17799 standard, and is a code of practice for information security. It outlines hundreds of potential controls and control mechanisms, which may be implemented, subject to the guidance provided within ISO 27001.

The standard "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization". The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".

The basis of the standard was originally a document published by the UK government, which became a standard 'proper' in 1995, when it was re-published by BSI as BS7799. In 2000 it was again re-published, this time by ISO, as ISO 17799. A new version of this appeared in 2005, along with a new publication, ISO 27001. These two documents are intended to be used together, with one complimenting the other.

ISO/IEC 27002:2005, which replaces ISO/IEC 17799:2000, was released in July 2007.

ISO's future plans for this standard are focused largely around the development and publication of industry specific versions (for example: health sector, manufacturing, and so on). Note that this is a lengthy process, so the new standards will take some time to appear.


Understanding Compliance Requirements and Options : What is the LogLogic Compliance Suite: ISO/IEC 27009 Edition

ISO/IEC 17799 (now ISO/IEC 27002:2005) is one of the few accepted worldwide standards for information security. It has been adopted as a guideline by companies around the world, and the major consultancies have invested very heavily in developing ISO/IEC 17799/27002 implementation programs, including training and certification of auditors. Due to its worldwide acceptance, other standards, such as Japan’s Information Security Management System (ISMS) and ITIL's Security Management book, have based their security recommendations on ISO/IEC 17799/27002.

Key Elements of ISO/IEC 27002

ISO/IEC 27002:2005 addresses topics in terms of policies and general good practices. The document specifically identifies itself as “a starting point for developing organization specific guidance.” It states that not all of the guidance and controls it contains may be applicable and that additional controls not contained may be required. It is not intended to give definitive details or “how-to’s”. Given such caveats, the document briefly addresses the following major topics:

Security Policy

Organizing Information Security

Asset Management

Human Resources Security

Physical and Environmental Security

Communications and Operations Management

Access Control

Information Systems Acquisition, Development and Maintenance

Information Security Incident Management

Business Continuity Management

Compliance

What is the LogLogic Compliance Suite: ISO/IEC 27009 EditionThe LogLogic Compliance Suite for the ISO/IEC 27002 standard is the first solution of its kind. It delivers automated process validation, reporting and alerts based on infrastructure data to evidence and enforce business, and IT policies related to compliance. By automating compliance reporting and alerting based on critical infrastructure data collected and stored by LogLogic’s Appliances, the LogLogic Compliance Suite removes the complexity and resource requirements for implementing control frameworks like COBIT and ISO.

LogLogic’s Compliance Suite:

Automates compliance activities and dramatically improves audit accuracy.

Accelerates time to risk mitigation.

Allows organizations to use infrastructure data to provide evidence of and enforce IT controls.

Provides industry-leading reporting depth and breadth, including real-time reporting and alerting on ISO/IEC 27002 compliance.



Delivers 224 out-of-the-box Compliance Reports and 98 out-of-box Alerts with executive-level views.

Enables customization of any Compliance Report to map reports against your company’s policies.

ISO/IEC 27002 requirements were identified that can be evidenced or audited by LogLogic reports and alerts. Organizations can use the LogLogic Compliance Suite: ISO/IEC 27002 Edition to:

1. Enforce controls using LogLogic technologies

2. Show auditors alerts and reports to prove your compliance status with LogLogic

3. Monitor continuously with LogLogic to ensure continuous compliance

4. Provide auditors LogLogic unaltered evidence of log data review and follow-up

5. Provide assurances of the integrity of the log data collected and reports

Compliance Categories

Log data allows organizations to manage the extreme challenges of meeting major ISO controls. LogLogic’s compliance reports and alerts satisfy the following categories:

Identity and Access

Monitoring and Reporting

Change Management

Security Management

Availability Management

Continuity Management

Identity and Access

LogLogic Compliance Suite: ISO/IEC 27002 Edition includes reports and alerts to show that all ISO-related systems (i.e., networks, applications, and databases) are appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data. The risks of non-compliance may result in unauthorized and/or inappropriate access to key systems, which may negatively impact the security, integrity, accuracy and completeness of information.

Monitoring and Reporting

LogLogic Compliance Suite: ISO/IEC 27002 Edition includes reports and alerts to allow customers to continuously monitor the IT infrastructure for any security violations. Reports are provided in a format meaningful to the stakeholders. The monitoring statistics should be analyzed and acted upon to identify negative and positive trends for individual services as well as for services overall.

The risks of non-compliance in this area could significantly impact service availability as well as security of the IT infrastructure, which may negatively impact the security, integrity, accuracy and completeness of information.



Change Management

LogLogic Compliance Suite: ISO/IEC 27002 Edition includes reports and alerts to show that all systems and system changes are appropriately requested, approved, tested, and validated by authorized personnel prior to implementation to the production environment. These reports and alerts can also show that division of roles and responsibilities have been implemented to reduce the possibility for a single individual to subvert a critical process. Management needs to make sure that personnel are performing only authorized duties relevant to their respective jobs and positions.

The risks of non-compliance may result in unauthorized changes and/or improper roll-out of new source code to key systems. This may negatively impact the security, integrity, accuracy and completeness of information.

Security Management

LogLogic Compliance Suite: ISO/IEC 27002 Edition includes reports and alerts to show that all network security devices, including firewalls which control computer traffic into a company’s network, as well as IDS systems which monitor the computer traffic, have been configured appropriately to allow only the requested and approved traffic in and out of the network.

The risks of non-compliance may result in unauthorized access from the Internet. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Availability Management

LogLogic Compliance Suite: ISO/IEC 27002 Edition includes reports and alerts to monitor the availability of critical IT infrastructure components. Alerts can be setup to monitor when critical components are sending abnormal amount of log data, which could indicate attacks on the component or that there’s system errors, or have stopped sending log data, which could indicate failure of these components.

The risk of non-compliance could significantly impact the business viability and could prevent an organization from recording transactions and thereby undermine its integrity.

Continuity Management

LogLogic Compliance Suite: ISO/IEC 27002 Edition includes reports and alerts to monitor that data are backed up on a regular basis. Reports can be automatically generated to ensure that backups and restores are performed successfully.

Deficiencies in this area could impact the resilience of the infrastructure as well as the availability of critical resources.



Satisfied ISO/IEC 27002 Controls

ISO/IEC 27002 contains over forty-eight controls that can be evidenced or audited by LogLogic reports and alerts. Although some of the controls are not directly related to log data, the LogLogic reports and alerts can be use to assist in satisfying those requirements. Routinely reviewing LogLogic reports and responding to LogLogic alerts will aid in preventing, detecting, containing and correcting security violations.

The data generated by the LogLogic Compliance Suite can be used to conduct a thorough risk analysis of the risks and vulnerabilities threatening the entity. The risk analysis can then be used to customize specific LogLogic reports and alerts that enable an entity to manage risks in a dynamic environment where risks and vulnerabilities rapidly change.

All LogLogic reports can be used to monitor regular user activity, as well as the activity and results of system and network administrators. Any activity or network configuration setting that is determined to violate security policies or procedures can result in sanctions against people, processes or resources.

All LogLogic reports and alerts directly aid an entity by allowing the regular review of information system activity. The LogLogic Compliance Suite: ISO/IEC 27002 Edition allows for the continuous monitoring of the IT infrastructure using behavioral-based alerts. Configure alerts to monitor performance of firewalls, routers, switches, servers, applications, and operating systems so they can be notified immediately of failures. Real-time reports and custom, regular-expression searches also enable administrators to quickly identify and determine the root cause of any problems. This further mitigates risk and minimizes interruptions to service availability.


CHAPTER 2:

ISO/IEC 27002 Controls

This chapter provides planning and implementation information for ISO/IEC 27002 control objectives. It also provides a brief listing of LogLogic compliance suite reports and alerts that are applicable to those objectives.

Section 8 - Human Resources Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Section 10 - Communications and Operations Management . . . . . . . . . . . . . . . . . . . . 17

Section 11 - Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Section 12 - Information Systems Acquisition, Development and Maintenance. . . . . . 35

Section 13 - Information Security Incident Management . . . . . . . . . . . . . . . . . . . . . . . 37

Section 15 - Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Section 8 - Human Resources Security8.1.1 Roles and Responsibilities on page 15

8.3.3 Removal of Access Rights on page 16

8.1.1 Roles and Responsibilities

Illustrative Controls and Tests

Organizations must confirm that there is appropriate segregation of duties between the staff responsible for moving a program into production and the staff responsible for developing a program. In addition, organizations must consider whether or not a change to a program is performed in a segregated and controlled environment.

To satisfy this control objective, administrators must ensure that logins to reporting servers as well as permissions assigned to these users are appropriate for the tasks they are allowed to perform. Users with overlapping permission sets should indicate a compromise in the segregation of duties control consideration. Administrators should also review the process to request and grant access to systems and data and confirm that the same person does not perform these functions.

Organizations must demonstrate that only authorized users have access to sensitive data and applications, and implement a division of roles and responsibilities that reduces the possibility for a single individual to subvert a critical process. Management also makes sure that personnel are performing only authorized duties relevant to their respective jobs and positions.

Reports and Alerts

Use the following link/reference to see the 8.1.1 reports and alerts: 8.1.1 on page 53.


ISO/IEC 27002 Controls : Section 8 - Human Resources Security

8.3.3 Removal of Access Rights

Illustrative Controls and LogLogic Solution

Auditors will sample employment records and crosscheck changes in employment against changes in access rights as identified in historical system logs. They will also crosscheck changes in shared passwords against these same employment records. Administrators will be required to demonstrate that user access privileges are modified and/or revoked in a timely manner upon job change or termination. Review reports and alerts on account activities, accounts created/deleted, group members added/deleted, and successful logins to VPN concentrators and critical servers.

Take expedient actions regarding job changes, especially job terminations. Knowledge transfer needs to be arranged, responsibilities reassigned and access rights removed such that risks are minimized and continuity of the function is guaranteed. When a person changes jobs or is terminated from a company, user access privileges must be modified according to the company’s business guidelines.

To satisfy this requirement, administrators must periodically ensure that only current and authorized employees have access to the servers and systems. Administrators must ensure that all terminated users have been disabled. In addition, administrators must ensure that logins to servers as well as permissions assigned to users who changed jobs are appropriate for the new role they are in.

To ensure the requirements listed above are met, administrators must review reports of all user deletions and group member modifications. This ensures terminated users are removed and users who changed jobs have been removed from the appropriate groups. LogLogic access reports and alerts that detail accounts and groups being removed are used to validate that access to corporate information has been terminated as part of this addressable Control. Access reports and alerts are reviewed to ensure that anyone terminated does not retain access or has any system or network activity following the termination.

Reports and Alerts



ISO/IEC 27002 Controls : Section 10 - Communications and Operations Management

Section 10 - Communications and Operations Management10.1.2 Change Management on page 17

10.1.3 Segregation of Duties on page 18

10.1.4 Separation of Development, Test, and Operational Facilities on page 19

10.2.2 Monitoring and Review of Third Party Services on page 20

10.3.1 Capacity Management on page 20

10.4.1 Controls Against Malicious Code on page 21

10.4.2 Controls Against Mobile Code on page 21

10.5.1 Information Backup on page 22

10.6.1 Network Controls on page 23

10.6.2 Security of Network Services on page 23

10.8.4 Electronic Messaging on page 24

10.10.1 Audit Logging on page 24

10.10.2 Monitoring System Use on page 24

10.10.3 Protection of Log Information on page 25

10.10.4 Administrative and Operator Logs on page 25

10.10.5 Fault Logging on page 26

10.10.6 Clock Synchronization on page 26

10.1.2 Change Management


Managing changes addresses how an organization modifies system functionality to help the business meet its reporting objectives. Deficiencies in this area may significantly impact reporting. For example, changes to the programs that allocate data to accounts require appropriate approvals and testing prior to the change to ensure classification and reporting integrity. Businesses must ensure that requests for program changes, system changes, and maintenance (including changes to system software) are standardized, documented, and subject to formal change management procedures.

Activity logs provide numerous ways to monitor system change activity to determine if change management procedures are correctly implemented and being followed under requirements 10.1.2(a), (b) and (c). Auditors will review specific change management policies and then attempt to validate that they are followed by checking documentation/email trails. They will use logs as a final validation to determine that the changes indicated in documentation were actually implemented in the manner and at the time prescribed. Specifically, administrators should:

Have reports that identify all changes to firewall and router configurations and ensure that all changes are authorized. The most efficient way to identify configuration changes is at the time of the modification.

Administrators should setup alerts so that any changes to the configuration, authorized or otherwise, are detected and notified.



Have reporting that periodically reviews all firewall rules to ensure accurate access control lists.

Have reports that review network traffic correlated with the firewall policy to ensure appropriate rules are used to protect the company.

Have reports that monitor all changes to the production environment and compare the changes to documented approvals utilizing alerts and reports on policy modifications, groups activities, escalated privilege activities, permissions changed.

Ensure that only authorized software is permitted for use by employees using company IT assets.

Validate that application software and data storage systems are properly configured to provision access based on the individual’s demonstrated need to view, add, change or delete data.

To satisfy this control objective, administrators must review all changes to the production environment and compare the changes to documented approvals to ensure the approval process is followed. From the archived audit log data, obtain a sample of regular and emergency changes made to applications/systems to determine whether they were adequately tested and approved before being placed into a production environment. Trace the sample of changes back to the change request log and supporting documentation.

Administrators must set up formal change management procedures to handle in a standardized manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.

Configuration management ensures that security, availability, and processing integrity controls are set up in the system and maintained through its life cycle. Insufficient configuration controls can lead to security and availability exposures that may permit unauthorized access to systems and data and impact reporting.

Reports and Alerts


10.1.3 Segregation of Duties


Organizations must confirm that there is appropriate segregation of duties between the staff responsible for moving a program into production and the staff responsible for developing a program. In addition, organizations must consider whether or not a changes to a program is performed in a segregated and controlled environment.

To satisfy this control objective, administrators must ensure that logins to reporting servers as well as permissions assigned to these users are appropriate for the tasks they are allowed to perform. Users with overlapping permission sets should indicate a compromise in the segregation of duties control consideration. Administrators should also review the process to request and grant access to systems and data and confirm that the same person does not perform these functions.



Organizations must demonstrate that only authorized users have access to sensitive data and applications, and implement a division of roles and responsibilities that reduces the possibility for a single individual to subvert a critical process. Management also makes sure that personnel are performing only authorized duties relevant to their respective jobs and positions.

Reports and Alerts


10.1.4 Separation of Development, Test, and Operational Facilities


Administrators must identify all critical servers and applications have been properly isolated from the rest of the organization. The most prevalent method of isolating these functions is to use firewalls to protect the related servers and applications.

Administrators must identify all changes to firewall and router configurations and ensure that a formal process is in place for all changes, including management approval and testing for all changes to external network connections and the firewall configurations. Administrators must also ensure all changes are authorized and that rule sets are periodically reviewed.

The most efficient way to identify configuration changes is at the time of the modification. Administrators should setup alerts so that any changes to the configuration of network systems and devices, authorized or otherwise, are detected and notified. Administrators must periodically review all firewall rules to ensure an accurate access control list. Administrators must correlate network traffic with the firewall policy to validate that the appropriate rules are in place to protect the company.

In addition, no firewall in any company should allow the use of any known risky services or protocol. These known risky services provide intruders an easy way into the company. Administrators must identify all protocols and services that are considered risky to pass through the firewall. These risky services include, but not limit to, FTP (21/tcp), Telnet (23/tcp), Rlogin (513/tcp), Rsh (514/tcp), Netbios (137-139/tcp,udp), and others. Any risky protocols or services must be immediately removed from the firewall policies.

LogLogic reports and alerts augment processes and procedures to protect information assets from a larger organization by recording and reporting on the addition of new users from the larger organization on clearinghouse servers and systems and attempted access from other network segments.

Reports and Alerts




10.2.2 Monitoring and Review of Third Party Services


The process of defining and managing service levels addresses how an organization meets the functional and operational expectations of its users and, ultimately, the objectives of the business. Deficiencies in this area could significantly impact reporting and disclosure of an entity. For example, if systems are poorly managed or system functionality is not delivered as required, information may not be processed as intended.

To satisfy this control objective, administrators must configure alerts to ensure all critical application failures, including firewalls, routers, switches, servers, and applications, are notified immediately. Alerts must be reviewed periodically. In addition, administrators must perform independent reviews on the security, availability, and processing integrity of third-party service providers by continuously monitoring the service level agreements through adequate logging and reporting.

The LogLogic Compliance Suite: ISO/IEC 27002 Edition can continuously monitor the availability of the IT infrastructure using behavioral-based alerts. Administrators can configure alerts to monitor performance of firewalls, routers, switches, servers, applications, and operating systems so they can be notified immediately if of failures. Real-time reports and custom, regular-expression searches also enable administrators to quickly identify and determine the root cause of any problems. This further mitigates risk and minimizes interruptions to service availability.

Reports and Alerts


10.3.1 Capacity Management


Continuously monitoring the performance and capacity of IT resources serves two purposes:

To maintain and tune current performance within IT and address such issues as resilience, contingency, current and projected workloads, storage plans and resource acquisition.

To report delivered service availability to the business as required by the SLAs. Accompany all exception reports with recommendations for corrective action.

Administrators must configure proper alerts to monitor any anomalies related to system availability, capacity and performance. The LogLogic Compliance Suite: ISO/IEC 27002 Edition can be configured to continuously monitor the availability of the IT infrastructure using behavioral-based alerts. Administrators can configure alerts to monitor performance of firewalls, routers, switches, servers, applications, and operating systems so they can be notified immediately if of failures.

Real-time reports and custom, regular-expression searches also enable administrators to quickly identify and determine the root cause of any problems. This further mitigates risk and minimizes interruptions to service availability.



Reports and Alerts


10.4.1 Controls Against Malicious Code

Reports and Alerts


10.4.2 Controls Against Mobile Code


Malicious code refers to a broad category of software threats to your network and systems. Perhaps the most sophisticated types of threats to computer systems are presented by malicious codes that exploit vulnerabilities in computer systems. Any code which modifies or destroys data, steals data, allows unauthorized access, exploits or damage a system, and does something that user did not intend to do, is called malicious code. In many security incidents, malicious code is delivered through the use or download of mobile code.

Activity logs can help determine if the controls implemented are adequate and working appropriately. Activity logs can also provide important early-warning detection of new threats unknown to existing software vendors and data that can be used to diagnose and plan responses to new threats.

Use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up to date.

To satisfy this requirement, administrators must periodically review IDS logs to ensure the IDS tools are fully utilized. Administrators must also review denied firewall traffic logs periodically to determine whether programs are trying to access the network on unauthorized network ports.

Reports and Alerts




10.5.1 Information Backup


Organizations must develop a framework for IT continuity to support enterprise-wide business continuity management with a consistent process. The objective of the framework is to assist in determining the required resilience of the infrastructure and to drive the development of disaster recovery and IT contingency plans. The framework should address the organizational structure for continuity management, covering the roles, tasks and responsibilities of internal and external service providers, their management and their customers, and the rules and structures to document, test and execute the disaster recovery and IT contingency plans. The plan should also address items such as the identification of critical resources, the monitoring and reporting of the availability of critical resources, alternative processing, and the principles of backup and recovery.

Organizations must have procedures in place to back up data and programs based on IT and user requirements. Organizations should define and implement procedures for backup and restoration of systems, data and documentation in line with business requirements and the continuity plan. Verify compliance with the backup procedures, and verify the ability to and time required for successful and complete restoration. Test backup media and the restoration process.

To satisfy this control, administrators must:

Define and implement procedures for backup and restoration of systems, data and documentation in line with business requirements and the continuity plan

Verify compliance with the backup procedures

Verify the ability to and time required for successful and complete restoration

Test backup media and the restoration process

Review backup logs periodically to ensure backups are performed successfully

Store backups in a remote location, at a sufficient distance to escape any damage from a disaster at the main site

Protect backups by means of encryption where confidentiality of information is important

Administrators must test the IT continuity plan on a regular basis to ensure that IT systems can be effectively recovered, shortcomings are addressed and the plan remains relevant. This requires careful preparation, documentation, reporting test results and, according to the results, implementing an action plan. Consider the extent of testing recovery of single applications to integrated testing scenarios to end-to-end testing and integrated vendor testing. In addition, administrators must review backup logs periodically to ensure backups are performed successfully.

LogLogic directly supports this Control since LogLogic reports and alerts are capable of extracting system records that validate when and if a backup was performed and if the backup is an exact copy of the original. LogLogic can monitor systems to ensure that data backups are successfully accomplished on time and so that data restores are possible. They can also monitor and alert on when a data restore is completed successfully or unsuccessfully so that the integrity of backup data is retained in the event of a need to exercise a disaster recovery plan.



Reports and Alerts


10.6.1 Network Controls

Reports and Alerts


10.6.2 Security of Network Services


Administrators must identify all changes to firewall and router configurations and ensure that all changes are authorized. The most efficient way to identify configuration changes is at the time of the modification. Administrators should setup alerts so that any changes to the configuration, authorized or otherwise, are detected and notified.

Administrators must identify all protocols passed through the firewall besides HTTP (generally port 80/tcp), SSL (generally port 443/tcp) and SSH (generally port 22/tcp). Once identified, administrators must review the exception list and document any justification related to the allowance of these protocols.

If non-standard ports are used with these three protocols, the justification for the non-standard ports must also be documented. If necessary, administrators should identify the timeframe in which these protocols should be allowed, and promptly remove them from the configuration after the time is up.

Administrators should setup network policy alerts to detect any unauthorized traffic passing through the firewalls. No firewall in any company should allow the use of any known risky services or protocol. These known risky services provide intruders an easy way into the company. Administrators must identify all protocols and services that are considered risky to pass through the firewall. These risky services include, but not limit to, FTP (21/tcp), Telnet (23/tcp), Rlogin (513/tcp), Rsh (514/tcp), Netbios (137-139/tcp,udp), and others. Any risky protocols or services must be immediately removed from the firewall policies.

In addition, vulnerabilities are continually being discovered by hackers/researchers and introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and through changes. Administrators must periodically review IDS logs to ensure the IDS tools are fully utilized.

Reports and Alerts




10.8.4 Electronic Messaging


Electronic messaging such as email is a critical method of communication between businesses and their customers, vendors and employees. Email is no longer an optional component but an essential part of any business process.

In order to facilitate monitoring and auditing of business transactions, audit trails must be maintained for all electronic messaging such as email. Administrators must ensure that the electronic messaging is protected from interception, copying, modification, misrouting, and destruction. Organizations must also ensure that there effective policies or guidelines outlining acceptable use of electronic communication facilities

In addition, business correspondence, including email trails, is maintained, communicated, and disposed in accordance with relevant national and local legislation and regulations.

Reports and Alerts


10.10.1 Audit Logging

Reports and Alerts


10.10.2 Monitoring System Use


Monitoring system use requires organizations to accurately managing user access rights. It addresses the issues of unintended or malicious modifications of information assets. Deficiencies in this area may allow unauthorized modifications that could lead to errors in reporting.

User access rights to systems and data should be in line with defined and documented business needs and job requirements. Organizations must monitor and verify that all user access to programs and data, and review this access to ensure that all access privileges are properly assigned and approved. In addition, all logins to network devices, operating systems/platforms, databases and applications must be reviewed to ensure only authorized and appropriate personnel have access.

To satisfy this control objective, administrators must periodically review the user access to files and programs to ensure the users have not accessed items outside of their role. Administrators should select a sample of users who have logged in to reporting servers and review their access for appropriateness based upon their job functions. Administrators should also set up real-time alerts to detect any unauthorized or unapproved changes to users or groups. Monitor account management activities such as user or group addition/deletion/modification to ensure all user access privileges are appropriate and approved.



Reports and Alerts


10.10.3 Protection of Log Information


Audit trails maintain a record of system activity both by system and application processes and by user activity of systems and applications. In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications. The auditor can obtain valuable information about activity on a computer system from the audit trail. Audit trails improve the auditability of the computer system.

Organizations must maintain a complete and accurate audit trail for network devices, servers and applications. This enables organizations to address how businesses identify root causes of issues that may introduce inaccuracy in reporting. Also, problem management system must provide for adequate audit trail facilities that allow tracing from incident to underlying cause.

IT security administration must monitor and log security activity, and identify security violations to report to senior management. This control directly addresses the Control for audit controls over information systems and networks.

To satisfy this control objective, administrators must ensure all network devices, servers, and applications are properly configured to log to a centralized server. In addition, administrators must ensure that logs are transmitted securely and reliably over the network. Ensure the log management solution provides capabilities such as encrypted TCP connections for log transport.

LogLogic’s Log Management and Intelligence solution will automatically record the event date and time, event status (success or failure), event origin (log source IP address) and event type (firewall connection, access or authentication, IDS, E-Mail, or web access) for every single event. LogLogic will then identify all users, system components or resources within the events to help administrator correctly analyze the events. Finally, all log data are protected by LogLogic’s granular permission-based authorization system as well as digital hash of all the log data.

Reports and Alerts


10.10.4 Administrative and Operator Logs


All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. Administrators and root users should never directly access system components, as these accounts are generally shared and difficult to track back to a specific individual. Instead, these users should be accessing these components using commands such as sudo or su; or in the Window environment, be assigned to a administrative group. This setup allows individuals’ actions to be tracked.



To satisfy this requirement, administrators must ensure all logins are not shared. Administrators must review the ID list to identify IDs that may be a generic ID and question who is using it and why it is there.

Reports and Alerts


10.10.5 Fault Logging


The problem management system should provide for adequate audit trail facilities that allow tracking, analyzing, and determining the root cause of all reported problems considering:

All associated configuration items

Outstanding problems and incidents

Known and suspected errors

Managing problems and incidents addresses how an organization identifies documents and responds to events that fall outside of normal operations. You must maintain a complete and accurate audit trail for network devices, servers and applications, This enables you to address how your business identify root causes of issues that may introduce inaccuracy in reporting. Also, your problem management system must provide for adequate audit trail facilities that allow tracing from incident to underlying cause.

By alerting on any failures that occur, administrators can respond rapidly to potential problems and incidents that might affect availability, security, or performance. Real-time data monitoring and reporting capabilities reduce time to repair after incidents, reducing costs, and improving application availability.

To satisfy this control objective, administrators must ensure all reporting related network devices, servers, and applications are properly configured to log to a centralized server. Administrators must also periodically review logging status to ensure these devices, servers and applications are logging correctly.

System event data must be sufficiently retained to provide chronological information and logs to enable the review, examination and reconstruction of system and data processing. System event data can also be used to provide reasonable assurance as to the completeness and timeliness of system and data processing.

Reports and Alerts


10.10.6 Clock Synchronization


As the global marketplace has grown more reliant on the Internet and network computing, the importance of Network Time Protocol, or NTP, has grown as well. The Network Time Protocol (NTP) is widely used in the Internet to synchronize computer clocks to national standard time.



Without adequate NTP synchronization, organizations cannot expect their network and applications to function properly. Log files are of no use in the event of a network security breach or other incident that requires log-dependent information. Web servers, mail servers, and other devices that use log files, cron jobs, and similar tasks must be timed accurately with precision to within 1/100 of a second.

In this digital age of instantaneous communication and sales transactions, a failed corporate network can quickly lead to loss of credibility with customers and loss of profitability.

To satisfy this control, administrators must ensure that all servers and devices on the IT infrastructure are configured to use NTP for clock synchronization.

Reports and Alerts



ISO/IEC 27002 Controls : Section 11 - Access Control

Section 11 - Access Control11.2.1 User Registration on page 28

11.2.2 Privilege Management on page 28

11.2.3 User Password Management on page 29

11.2.4 Review of User Access Rights on page 29

11.3.1 Password Use on page 30

11.4.1 Policy on Use of Networked Services on page 30

11.4.2 User Authentication for External Connections on page 31

11.4.4 Remote Diagnostic and Configuration Port Protection on page 31

11.4.7 Network Routing Control on page 32

11.5.1 Secure Log-on Procedures on page 32

11.5.2 User Identification and Authentication on page 33

11.5.3 Password Management System on page 33

11.5.4 Use of System Utilities on page 33

11.6.1 Information Access Restriction on page 34

11.6.2 Sensitive System Isolation on page 34

11.2.1 User Registration

All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. Ensuring all users have uniquely identifiable IDs ensures that accurate and complete audit trails can be maintained. Deficiencies in this area can significantly impact accountability. For example, users logging in using shared IDs can modify files and documents. This can prevent future audits to identify who has modified the data.

To satisfy this requirement, administrators must ensure all logins are not shared. Administrators must review the ID list to identify IDs that may be a generic ID and question who is using it and why it is there.

Administrators can review the time and sources of the logins to determine whether they overlap. If the time overlap and sources are different, that should indicate a shared (or generic) ID. Administrators must also validate that attempts to gain unauthorized access to reporting systems and subsystems are logged and are followed up on a timely basis.

Reports and Alerts


11.2.2 Privilege Management

User access rights to systems and data should be in line with defined and documented business needs and job requirements. Accurately managing user access rights addresses the issues of unintended or malicious modifications of information assets. Deficiencies in this area may allow unauthorized modifications that could lead to errors in reporting.



Administrators must determine that the following requirements are met:

Access rights for privileged User IDs are restricted to least privileges necessary to perform the job.

Assignment of privileges to individuals is based on job classification and function.

Requirement for an authorization form that is signed by management and specifies required privileges.

An automated access control system is being used.

To satisfy this control objective, administrators must monitor and verify that all user access to programs and data, and periodically review the user access to files and programs to ensure the users have not accessed items outside of their role. Administrators should select a sample of users who have logged in to reporting servers and review their access for appropriateness based upon their job functions. As part of the procedures for the authorization and supervision of workforce members who work with information assets, LogLogic access reports and alerts should be used to validate that the access has been configured correctly and appropriate access is maintained.

Reports and Alerts


11.2.3 User Password Management

Reports and Alerts


11.2.4 Review of User Access Rights

Set up real-time alerts to detect any unauthorized or unapproved changes to users or groups. Monitor account management activities such as user or group addition/deletion/modification to ensure all user access privileges are appropriate and approved.

Requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure requiring the data or system owner to grant access privileges to new and existing users should be included. These procedures apply to all users, including administrators (privileged users), internal and external users, in both normal and emergency situations. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users.

Perform regular management review of all accounts and related privileges. Demonstrate that procedures exist for the registration, change, and deletion of users from information systems and subsystems on a timely basis and confirm that the procedures are followed. Procedures must exist and be followed to ensure timely action relating to requesting, establishing, issuing, suspending, and closing user accounts.

To satisfy this requirement, administrators must ensure that permissions have been granted to the appropriate users, and to ensure that all network and application access requests are adequately documented and approved by appropriate Management personnel. As proof, administrators can select a sample of terminated employees and to ensure the accounts for these employees have been terminated in a timely manner.



Administrators must review reports that detail the access policy on all servers and applications. They must be configured to ensure password policies are enforced and access activity recorded. Server and application logs must be reviewed to ensure passwords are changed periodically and in accordance with corporate policy.

LogLogic reports augment processes and procedures for granting access by allowing the validation of new users, elevated privileges on network devices and systems that provide access to information assets. The addition or modification of accounts captured by the LogLogic Compliance Suite provides specific information regarding who’s been given access to information assets while account activities can be monitored to ensure that access has been implemented appropriately. Special access through VPNs, the Internet, and other subnets can also validate that remote access privileges are implemented as desired.

Reports and Alerts


11.3.1 Password Use

Reports and Alerts


11.4.1 Policy on Use of Networked Services

Administrators must identify all critical servers and applications have been properly isolated from the rest of the organization. The most prevalent method of isolating these functions is to use firewalls to protect the related servers and applications.

Administrators must identify all changes to firewall and router configurations and ensure that a formal process is in place for all changes, including management approval and testing for all changes to external network connections and the firewall configurations. Administrators must also ensure all changes are authorized and that rule sets are periodically reviewed.


In addition, no firewall in any company should allow the use of any known risky services or protocol. These known risky services provide intruders an easy way into the company. Administrators must identify all protocols and services that are considered risky to pass through the firewall. These risky services include, but not limit to, FTP (21/tcp), Telnet (23/tcp), Rlogin (513/tcp), Rsh (514/tcp), Netbios (137-139/tcp,udp), and others.

Any risky protocols or services must be immediately removed from the firewall policies. LogLogic reports and alerts augment processes and procedures to protect information assets from a larger organization by recording and reporting on the addition of new users from the larger organization on clearinghouse servers and systems and attempted access from other network segments.



Reports and Alerts


11.4.2 User Authentication for External Connections


Administrators should assess the authentication mechanisms used to validate user credentials (new and existing) for critical systems to support the validity of transactions. Server and application activities must be monitored for locked-out and enabled accounts as they can represent malicious activities.

In general, auditors will validate the technical standards used (e.g. two-factor authentication with one-time passwords) and the Know Your Customer policies that the organization uses prior to issuing appropriate tokens. However, log files can be used to validate that the systems implemented are working effectively.

To satisfy this control objective, administrators must review the time and sources of the external logins to determine whether they are authenticated and authorized.

Reports and Alerts


11.4.4 Remote Diagnostic and Configuration Port Protection


Remote diagnostics and configuration are most often performed during emergency situations. Vendors may require organizations to provide additional access in order to perform remote diagnostics. It is inevitable that accounts must be created for emergency mode access. These accounts may be required for vendors so they can perform remote troubleshooting as well as maintenance of the equipment in the IT infrastructure. Great care must be taken to ensure that these vendors will only have access during maintenance hours and when personnel are available to monitor the process.

Administrators must identify all access to ensure vendors are only logging in during maintenance hours. Administrators must also review access to the IT infrastructure to ensure no access is performed during unauthorized hours. In addition, Administrators must establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of information assets while operating in emergency mode.

Reports and Alerts




11.4.7 Network Routing Control


Administrators must identify all critical servers and applications have been properly isolated from the rest of the organization. The most prevalent method of isolating these functions is to use firewalls to protect the related servers and applications. Administrators must identify all changes to firewall and router configurations and ensure that a formal process is in place for all changes, including management approval and testing for all changes to external network connections and the firewall configurations. Administrators must also ensure all changes are authorized and that rule sets are periodically reviewed.

The most efficient way to identify configuration changes is at the time of the modification. Administrators should setup alerts so that any changes to the configuration of network systems and devices, authorized or otherwise, are detected and notified. Administrators must periodically review all firewall rules and routing table changes to ensure an accurate access control list. Administrators must correlate network traffic with the firewall policy to validate that the appropriate rules are in place to protect the company.



Reports and Alerts


11.5.1 Secure Log-on Procedures


Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. All remote management connections must be encrypted to avoid any opportunity for intruders to gain access to the IT infrastructure. In order to do so, technologies such as SSH (generally port 22/tcp), SSL (generally port 443/tcp) and VPN (SSL or IPsec) must be used.

If non-standard ports are used with these protocols, the justification for the non-standard ports must also be documented. Administrators must review all traffics that are not SSH, SSL or VPN to ensure they are necessary, approved and documented. Administrators should setup network policy alerts to detect any unauthorized traffic passing through the firewalls.

Reports and Alerts




11.5.2 User Identification and Authentication


All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. Ensuring all users have uniquely identifiable IDs ensures that accurate and complete audit trails can be maintained. Deficiencies in this area can significantly impact accountability. For example, users logging in using shared IDs can modify information assets. This can prevent future audits to identify who has modified the data.

To satisfy this requirement, administrators must ensure all logins are assign a unique name and/or number for identifying and tracking user identity. Administrators must review the ID list to identify IDs that may be a generic ID and question who is using it and why it is there. Administrators can review the time and sources of the logins to determine whether they overlap. If the time overlap and sources are different, that should indicate a shared (or generic) ID. Administrators must also validate that attempts to gain unauthorized access to reporting systems and subsystems are logged and are followed up on a timely basis.

Reports and Alerts


11.5.3 Password Management System

Frequently changing user passwords is a good general security practice that ensures intruders cannot enter into the IT infrastructure. It’s generally recommended that passwords must be changed every 30 to 90 days. Administrators must identify and review all password change events to ensure users are changing passwords at least every 90 days. For example, Windows platforms generate events with the ID of 627 and 628 for password change attempts.

Reports and Alerts


11.5.4 Use of System Utilities


Auditors will seek to validate that system utilities on desktops and servers are either removed or have access restricted to authorized users. LogLogic Compliance Suite: ISO/IEC 27002 Edition reports and alerts can be used to validate compliance with an organization’s policy.

Reports and Alerts




11.6.1 Information Access Restriction

Illustrative Controls and Tests

User access rights to systems and data should be in line with defined and documented business needs and job requirements. Accurately managing user access rights addresses the issues of unintended or malicious modifications of data. Deficiencies in this area may allow unauthorized modifications that could lead to errors in reporting.

To satisfy this control objective, administrators must periodically review the user access to files and programs to ensure the users have not accessed items outside of their role. Administrators should select a sample of users who have logged in to reporting servers and review their access for appropriateness based upon their job functions. Administrators must monitor and verify that all user access to programs and data. Review this access to ensure there is segregation of duties as well as all access privileges are properly assigned and approved.

Reports and Alerts


11.6.2 Sensitive System Isolation


Administrators must identify all critical servers and applications have been properly isolated from the rest of the organization. The most prevalent method of isolating these functions is to use firewalls to protect the related servers and applications. Administrators must identify all changes to firewall and router configurations and ensure that a formal process is in place for all changes, including management approval and testing for all changes to external network connections and the firewall configurations. Administrators must also ensure all changes are authorized and that rule sets are periodically reviewed.




Reports and Alerts



ISO/IEC 27002 Controls : Section 12 - Information Systems Acquisition, Development and Maintenance

Section 12 - Information Systems Acquisition, Development and Maintenance

12.4.1 Control of Operational Software on page 35

12.4.3 Access Control to Program Source Code on page 35

12.5.1 Change Control Procedures on page 35

12.5.2 Technical Review of Applications After Operating System Changes on page 35

12.5.3 Restrictions on Changes to Software Packages on page 36

12.6.1 Control of Technical Vulnerabilities on page 36

12.4.1 Control of Operational Software

Reports and Alerts


12.4.3 Access Control to Program Source Code


Organizations must confirm that there is appropriate segregation of duties between the staff responsible for moving a program into production and the staff responsible for developing a program. In addition, organizations must consider whether or not changes are performed in a segregated and controlled environment.

To satisfy this requirement, administrators must ensure that logins to source code repositories as well as permissions assigned to these users are appropriate for the tasks they are allowed to perform. Users with overlapping permission sets should indicate a compromise in the segregation of duties control consideration. Administrators should also review the process to request and grant access to systems and data and confirm that the same person does not perform these functions.

Reports and Alerts


12.5.1 Change Control Procedures

Reports and Alerts


12.5.2 Technical Review of Applications After Operating System Changes

Reports and Alerts



ISO/IEC 27002 Controls : Section 12 - Information Systems Acquisition, Development and Maintenance

12.5.3 Restrictions on Changes to Software Packages


Managing changes addresses how an organization modifies system functionality to help the business meet its ISO requirements. Deficiencies in this area may significantly impact reporting. For example, changes to the programs that allocate payment data require appropriate approvals and testing prior to the change to ensure classification and reporting integrity. Businesses must ensure that requests for program changes, system changes, and maintenance (including changes to system software) are standardized, documented, and subject to formal change management procedures.

To satisfy this requirement, administrators must review all changes to the production environment and compare the changes to documented approvals to ensure the approval process is followed. From the archived audit log data, obtain a sample of regular and emergency changes made to applications/systems to determine whether they were adequately tested and approved before being placed into a production environment. Trace the sample of changes back to the change request log and supporting documentation.

Reports and Alerts


12.6.1 Control of Technical Vulnerabilities


Vulnerabilities are continually being discovered by hackers/researchers and introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and through changes. Use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up to date. Ensure that security techniques and related management procedures are used to authorize access and control information flows from and to networks such as Intrusion Detection.

To satisfy this requirement, administrators must periodically review IDS logs to ensure the IDS tools are fully utilized. Administrators must review all remote access to the IT infrastructure via VPN or through firewalls. Detect any anomalies such as Anomalous IDS Alerts or firewall traffic using behavioral-based alerts.

Reports and Alerts



ISO/IEC 27002 Controls : Section 13 - Information Security Incident Management

Section 13 - Information Security Incident Management13.1.1 Reporting Information Security Events on page 37

13.1.2 Reporting Security Weaknesses on page 37

13.2.3 Collection of Evidence on page 38

13.1.1 Reporting Information Security Events

Reports and Alerts


13.1.2 Reporting Security Weaknesses

Ensure that security techniques and related management procedures are used to authorize access and control information flows from and to networks such as Intrusion Detection. The security incident management system should provide for adequate audit trail facilities that allow tracking, analyzing, and determining the root cause of all reported problems considering:

All associated configuration items

Outstanding problems and incidents

Known and suspected errors

Managing problems and incidents addresses how an organization identifies documents and responds to events that fall outside of normal operations. You must maintain a complete and accurate audit trail for network devices, servers and applications. This enables you to address how your business identifies root causes of issues that may introduce inaccuracy in reporting. Also, your problem management system must provide for adequate audit trail facilities that allow tracing from incident to underlying cause.

To satisfy this requirement, administrators must periodically review IDS logs to ensure the IDS tools are fully utilized. In addition, administrators must ensure all network devices, servers, and applications are properly configured to log to a centralized server. Administrators must also periodically review logging status to ensure these devices, servers and applications are logging correctly. By alerting on any failures that occur, administrators can respond rapidly to potential problems and incidents that might affect availability, security, or performance. Real-time data monitoring and reporting capabilities reduce time to repair after incidents, reducing costs, and improving application availability.

Reports and Alerts



ISO/IEC 27002 Controls : Section 13 - Information Security Incident Management

13.2.3 Collection of Evidence

Managing problems and incidents addresses how an organization identifies documents and responds to events that fall outside of normal operations. Organizations must maintain a complete and accurate audit trail for network devices, servers and applications, This enables organizations to address how business identify root causes of issues that may introduce inaccuracy in reporting. Also, problem management system must provide for adequate audit trail facilities that allow tracing from incident to underlying cause.

Monitor any account management activities such as user or group addition/deletion/modification to ensure all user access privileges are appropriate and approved. Set up real-time alerts to detect any unauthorized or unapproved changes to users or groups. Audit trails related to user creation and deletion of system-level objects, for example, a file, folder, registry key, printer, and others, are critical in the troubleshooting and forensic analysis processes.

To satisfy this control objective, administrators must ensure all network devices, servers, and applications are properly configured to log to a centralized server. Administrators must also periodically review logging status to ensure these devices, servers and applications are logging correctly.

Record at least the following audit trail entries for each event, for all system components:

Use of identification and authentication mechanisms

Creation and deletion of system-level objects.

Record at least the following audit trail entries for each event, for all system components:

User identification

Type of event

Date and time

Success or failure indication

Origination of event

Identity or name of affected data, system component, or resource

Retain your audit trail history for a period that is consistent with its effective use, as well as legal regulations.

Reports and Alerts



ISO/IEC 27002 Controls : Section 15 - Compliance

Section 15 - Compliance15.2.2 Technical Compliance Checking on page 39

15.3.1 Information Systems Audit Controls on page 39

15.3.2 Protection of Information System Audit Tools on page 40

15.2.2 Technical Compliance Checking

Reports and Alerts


15.3.1 Information Systems Audit Controls


Audit trails maintain a record of system activity both by system and application processes and by user activity of systems and applications. In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications. The auditor can obtain valuable information about activity on a computer system from the audit trail. Audit trails improve the auditability of the computer system.

Organizations must maintain a complete and accurate audit trail for network devices, servers and applications. This enables organizations to address how businesses identify root causes of issues that may introduce inaccuracy in reporting. Also, problem management system must provide for adequate audit trail facilities that allow tracing from incident to underlying cause. IT security administration must monitor and log security activity, and identify security violations to report to senior management. This control directly addresses the Control for audit controls over information systems and networks.

To satisfy this control objective, administrators must ensure all network devices, servers, and applications are properly configured to log to a centralized server. Administrators must also periodically review logging status to ensure these devices, servers and applications are logging correctly.

LogLogic’s Log Management and Intelligence solution will automatically record the event date and time, event status (success or failure), event origin (log source IP address) and event type (firewall connection, access or authentication, IDS, E-Mail, or web access) for every single event. In addition, LogLogic’s solution will identify all users, system components or resources within the events to help administrator correctly analyze the events.

Reports and Alerts



ISO/IEC 27002 Controls : Section 15 - Compliance

15.3.2 Protection of Information System Audit Tools


A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed. Administrators must ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically to ensure the approved security level is maintained.

Access to the logging information is in line with business requirements in terms of access rights and retention requirements. IT security administration must monitor and log security activity, and identify security violations to report to senior management. This control directly addresses the issues of timely detection and correction of data modification.

To satisfy this requirement, administrators must review the user access logs on a regular basis on a weekly basis for any access violations or unusual activity. Administrators must periodically, such as daily or weekly, review reports that show user access to servers related to the ISO process. Review of these reports must be shown to auditors to satisfy this requirement.

In addition, administrators must ensure that all relevant log sources are logging properly to a centralized log management system. LogLogic’s solution is developed from ground up to be a regulatory compliance solution. All log messages, once received by the appliances, will be transferred via TCP to ensure reliability. All log files stored on the ST appliances have a separate MD5 signature, stored away from the file, to ensure no files are tempered with.

Reports and Alerts



CHAPTER 3:

LogLogic Reports and Alerts for ISO/IEC 27002

This chapter provides a detailed listing of all ISO/IEC 27002 standard requirements with their corresponding LogLogic compliance suite reports and/or alerts.

LogLogic Reports for ISO/IEC 27002 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

LogLogic Alerts for ISO/IEC 27002. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

LogLogic Reports and Alerts Quick Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

LogLogic Reports for ISO/IEC 27002The following table lists the reports included in the LogLogic Compliance Suite: ISO/IEC 27002 Edition.

# LogLogic Report Description

1 ISO: Accepted VPN Connections - RADIUS Displays all users connected to the internal network through the RADIUS VPN.

2 ISO: Active Directory System Changes Changes made within Active Directory.

3 ISO: Administrators Activities on Servers Displays the latest activities performed by administrators and root users to ensure appropriate access.

4 ISO: Check Point Configuration Changes Displays all configuration changes to Check Point devices.

5 ISO: Check Point Management Station Login

Display all login events to the Check Point management station.

6 ISO: Check Point Object Activity Displays all creation, deletion, and modification of Check Point objects.

7 ISO: Cisco Line Protocol Status Changes Displays all Cisco line protocol up and down events.

8 ISO: Cisco Link Status Changes Displays all Cisco link up and down events.

9 ISO: Cisco Peer Reset/Reload Displays all Cisco Peer reset and reload events.

10 ISO: Cisco Peer Supervisor Status Changes Displays all Cisco Peer Supervisor status changes.

11 ISO: Cisco PIX, ASA, FWSM Failover Disabled

Displays all logs related to disabling Cisco PIX, ASA, and FWSM failover capability.

12 ISO: Cisco PIX, ASA, FWSM Failover Performed

Displays all logs related to performing a Cisco PIX, ASA, and FWSM failover.

13 ISO: Cisco PIX, ASA, FWSM Policy Changed

Displays all configuration changes made to the Cisco PIX, ASA, FWSM firewall.

14 ISO: Cisco PIX, ASA, FWSM Restarted Displays all Cisco PIX, ASA, and FWSM restart activities to detect unusual activities.

15 ISO: Cisco PIX, ASA, FWSM Routing Failure

Displays all Cisco PIX, ASA, FWSM Routing Failure events.

16 ISO: Cisco Redundancy Version Check Failed

Displays all Cisco redundancy version check failures.

17 ISO: Cisco Switch Policy Changes Displays all configuration changes to the Cisco router and switch policies.


LogLogic Reports and Alerts for ISO/IEC 27002 : LogLogic Reports for ISO/IEC 27002

18 ISO: Cisco System Restarted Displays all Cisco System restart events.

19 ISO: CVS Source Code Repository Failed Access

Displays all failed logins to the CVS source code repository.

20 ISO: CVS Source Code Repository Successful Access

Displays all successful logins to the CVS source code repository.

21 ISO: DB2 Database Failed Logins Displays all failed login attempts to review any access violations or unusual activity.

22 ISO: DB2 Database Logins Displays DB2 database logins.

23 ISO: Denied VPN Connections - RADIUS Displays all users denied access to the internal network by the RADIUS VPN.

24 ISO: Email Domains Experiencing Delay - Exchange 2000/2003

Displays the recipient domains that have experienced the most delivery delays.

25 ISO: Email Domains Sending the Most Email - Exchange 2000/2003

Displays the top domains sending email.

26 ISO: Email Recipients Receiving the Most Emails - Exchange 2000/2003

Displays the email recipients who receiving the most emails by count.

27 ISO: Email Recipients Receiving the Most Emails by Count - Exchange 2007

Displays the email recipients who receiving the most emails by count.

28 ISO: Email Sender and Recipients Exchanging the Most Emails - Exchange 2000/2003

Displays the top email sender and recipient combinations.

29 ISO: Email Sender and Recipients Exchanging the Most Emails - Exchange 2007

Displays the top email sender and recipient combinations.

30 ISO: Email Senders Sending the Most Email - Exchange 2000/2003

Displays the email senders who sent the most emails by count.

31 ISO: Email Senders Sending the Most Emails by Count - Exchange 2007

Displays the email senders who sent the most emails by count.

32 ISO: Email Source IP Sending To Most Recipients - Exchange 2000/2003

Displays IP addresses that are sending to the most recipients.

33 ISO: Email Source IP Sending To Most Recipients - Pop/IMAP

Displays IP addresses that are sending to the most recipients using Exchange 2007 Pop/IMAP.

34 ISO: Escalated Privilege Activities on Servers

Displays all privilege escalation activities performed on servers to ensure appropriate access.

35 ISO: ESX Account Activities Displays all accounts activities on VMWare ESX servers to ensure authorized and appropriate access.

36 ISO: ESX Accounts Created Displays all accounts created on VMWare ESX servers to ensure authorized and appropriate access.

37 ISO: ESX Accounts Deleted Displays all accounts deleted on VMWare ESX servers to ensure authorized and appropriate access.

38 ISO: ESX Failed Logins Failed VMWare ESX logins for known user.

39 ISO: ESX Group Activities Displays all group activities on VMWare servers to ensure authorized and appropriate access.

40 ISO: ESX Kernel log daemon terminating Displays all VMWare ESX Kernel log daemon terminating.

41 ISO: ESX Kernel logging Stop Displays all VMWare ESX Kernel logging stops.

42 ISO: ESX Logins Failed Unknown User Failed VMWare ESX logins for unknown user.




43 ISO: ESX Logins Succeeded Displays successful logins to VMWare ESX to ensure only authorized personnel have access.

44 ISO: ESX Syslogd Restart Displays all VMWare ESX syslogd restarts.

45 ISO: Files Accessed on Servers Displays all files accessed on servers to ensure appropriate access.

46 ISO: Firewall Connections Accepted - Check Point

Displays all traffic passing through the Check Point firewall.

47 ISO: Firewall Connections Accepted - Cisco ASA

Displays all traffic passing through the Cisco ASA firewall.

48 ISO: Firewall Connections Accepted - Cisco FWSM

Displays all traffic passing through the Cisco FWSM firewall.

49 ISO: Firewall Connections Accepted - Cisco PIX

Displays all traffic passing through the Cisco PIX firewall.

50 ISO: Firewall Connections Accepted - Fortinet

Displays all traffic passing through the Fortinet firewall.

51 ISO: Firewall Connections Accepted - Juniper Firewall

Displays all traffic passing through the Juniper firewall.

52 ISO: Firewall Connections Accepted - Juniper RT Flow

Displays all traffic passing through the Juniper RT Flow.

53 ISO: Firewall Connections Accepted - Nortel

Displays all traffic passing through the Nortel firewall.

54 ISO: Firewall Connections By Applications - Check Point

Displays the most active applications used through the Check Point firewall.

55 ISO: Firewall Connections By Applications - Cisco ASA

Displays the most active applications used through the Cisco ASA firewall.

56 ISO: Firewall Connections By Applications - Cisco FWSM

Displays the most active applications used through the Cisco FWSM firewall.

57 ISO: Firewall Connections by Applications - Cisco PIX

Displays the most active applications used through the Cisco PIX firewall.

58 ISO: Firewall Connections By Applications - Fortinet

Displays the most active applications used through the Fortinet firewall.

59 ISO: Firewall Connections By Applications - Juniper Firewall

Displays the most active applications used through the Juniper Firewall.

60 ISO: Firewall Connections By Applications - Nortel

Displays the most active applications used through the Nortel firewall.

61 ISO: Firewall Connections Denied - Check Point

Displays the applications that have been denied access the most by the Check Point to review access violations.

62 ISO: Firewall Connections Denied - Cisco ASA

Displays the applications that have been denied access the most by the Cisco ASA to review access violations.

63 ISO: Firewall Connections Denied - Cisco FWSM

Displays the applications that have been denied access the most by the Cisco FWSM to review access violations.

64 ISO: Firewall Connections Denied - Cisco PIX

Displays the applications that have been denied access the most by the Cisco PIX to review access violations.

65 ISO: Firewall Connections Denied - Cisco Router

Displays the applications that have been denied access the most by the Cisco Router to review access violation.

66 ISO: Firewall Connections Denied - Fortinet Displays the applications that have been denied access the most by the Fortinet to review access violations.

67 ISO: Firewall Connections Denied - Juniper Firewall

Displays all inbound connections that have been denied by the Juniper firewalls.




68 ISO: Firewall Connections Denied - Juniper RT Flow

Displays all inbound connections that have been denied by the Juniper RT Flow.

69 ISO: Firewall Connections Denied - Nortel Displays all Nortel firewall connections denied.

70 ISO: Firewall Traffic Besides SSL and SSH - Check Point

Displays all traffic passing through the Check Point firewall that are not SSL and SSH.

71 ISO: Firewall Traffic Besides SSL and SSH - Cisco ASA

Displays all traffic passing through the Cisco ASA that are not SSL and SSH.

72 ISO: Firewall Traffic Besides SSL and SSH - Cisco FWSM

Displays all traffic passing through the Cisco FWSM that are not SSL and SSH.

73 ISO: Firewall Traffic Besides SSL and SSH - Cisco PIX

Displays all traffic passing through the Cisco PIX that are not SSL and SSH.

74 ISO: Firewall Traffic Besides SSL and SSH - Fortinet

Displays all traffic passing through the Fortinet that are not SSL and SSH.

75 ISO: Firewall Traffic Besides SSL and SSH - Juniper Firewall

Displays all traffic passing through the Juniper firewall that are not SSL and SSH.

76 ISO: Firewall Traffic Besides SSL and SSH - Juniper RT Flow

Displays all traffic passing through the Juniper RT Flow that are not SSL and SSH.

77 ISO: Firewall Traffic Besides SSL and SSH - Nortel

Displays all traffic passing through the Nortel that are not SSL and SSH.

78 ISO: Firewall Traffic Considered Risky - Check Point

Displays Check Point allowed firewall traffic that is considered risky.

79 ISO: Firewall Traffic Considered Risky - Cisco ASA

Displays Cisco ASA allowed firewall traffic that is considered risky.

80 ISO: Firewall Traffic Considered Risky - Cisco FWSM

Displays Cisco FWSM allowed firewall traffic that is considered risky.

81 ISO: Firewall Traffic Considered Risky - Cisco PIX

Displays all allowed Cisco PIX firewall traffic that are considered risky.

82 ISO: Firewall Traffic Considered Risky - Fortinet

Displays Fortinet allowed firewall traffic that is considered risky.

83 ISO: Firewall Traffic Considered Risky - Juniper Firewall

Displays Juniper Firewall allowed firewall traffic that is considered risky.

84 ISO: Firewall Traffic Considered Risky - Juniper RT Flow

Displays Juniper RT Flow allowed firewall traffic that is considered risky.

85 ISO: Firewall Traffic Considered Risky - Nortel

Displays Nortel allowed firewall traffic that is considered risky.

86 ISO: Guardium SQL Guard Audit Logins Displays all login attempts to the Guardium SQL Server Audit database.

87 ISO: Guardium SQL Guard Logins Displays all login attempts to the Guardium SQL Server database.

88 ISO: i5OS DST Password Reset Displays i5/OS events related to the reset of the DST (Dedicated Service Tools) password.

89 ISO: i5OS Files Accessed Lists all events when a user gains access an i5OS file.

90 ISO: i5OS Network User Login Failed Lists all events when a network user was denied access into the i5OS.

91 ISO: i5OS Network User Login Successful Lists all events when a network user successfully logs into the i5OS.

92 ISO: i5OS Network User Profile Creation Lists all events when a network user profile has been created.

93 ISO: i5OS Network User Profile Deletion Lists all events when a network user profile has been deleted.

94 ISO: i5OS Object Permissions Modified Displays all permission modification activities on i5OS to ensure authorized access.




95 ISO: i5OS Password Errors Displays i5/OS password error events, including invalid passwords and network password errors.

96 ISO: i5OS Restarted Lists all events when the i5OS has been restarted.

97 ISO: i5OS Service Started Lists all events when a user starts a service on the i5OS.

98 ISO: i5OS Software Updates Displays all successful events related to the system's software or patch update.

99 ISO: i5OS User Login Failed Lists all events when a user was denied access into the i5OS.

100 ISO: i5OS User Login Successful Lists all events when a user successfully logs into the i5OS.

101 ISO: i5OS User Profile Creation Lists all events when a user profile has been created.

102 ISO: IDS Attack Origins Displays the sources that have initiated the most attacks.

103 ISO: IDS Attacks by Applications Displays all applications under attack as well as the attack signatures.

104 ISO: IDS Attacks Detected Displays all IDS attacks detected to servers and applications.

105 ISO: Juniper Firewall HA State Changed Displays state change in the Juniper Firewall HA Policy.

106 ISO: Juniper Firewall Policy Changed Displays all configuration changes to the Juniper firewall policies.

107 ISO: Juniper Firewall Policy Out of Sync Displays events that indicate the Juniper Firewall’s HA policies are out of sync.

108 ISO: Juniper Firewall Reset Accepted Displays events that indicate the Juniper Firewall has been reset to its factory default state.

109 ISO: Juniper Firewall Reset Imminent Displays events that indicate the Juniper Firewall will be reset to its factory default state.

110 ISO: Juniper Firewall Restarted Displays all Juniper Firewall restart events.

111 ISO: Juniper SSL VPN (Secure Access) Successful Logins

Displays all successfull logins through the Juniper SSL VPN (Secure Access).

112 ISO: Juniper SSL VPN Successful Logins Displays all successfull logins through the Juniper SSL VPN.

113 ISO: Last Activities Performed by Administrators

Displays the latest activities performed by administrators and root users to ensure appropriate access.

114 ISO: Logins by Authentication Method Displays all logins categorized by the authentication type.

115 ISO: Logins Failed Displays all failed login attempts to review any access violations or unusual activity.

116 ISO: Logins Succeeded Displays successful logins to ensure only authorized personnel have access.

117 ISO: LogLogic Disk Full Displays events that indicate the LogLogic appliance’s disk is near full.

118 ISO: LogLogic DSM Logins Displays all login attempts to the LogLogic DSM database.

119 ISO: LogLogic File Retrieval Errors Displays all errors while retrieving log files from devices, servers and applications.

120 ISO: LogLogic HA State Changed Displays all LogLogic HA State Changed events.

121 ISO: LogLogic Message Routing Errors Displays all log forwarding errors on the LogLogic Appliance to ensure all logs are archived properly.

122 ISO: LogLogic NTP Service Stopped Displays events that indicate the NTP engine on the LogLogic appliance has stopped.

123 ISO: McAfee AntiVirus: Attacks by Event ID

McAfee AntiVirus Attacks by Event ID.

124 ISO: McAfee AntiVirus: Attacks by Threat Name

McAfee AntiVirus Attacks by Threat Name.

125 ISO: McAfee AntiVirus: Attacks Detected McAfee AntiVirus Attacks Detected.




126 ISO: Microsoft Operations Manager - Windows Accounts Activities

Displays all accounts activities on Windows servers to ensure authorized and appropriate access.

127 ISO: Microsoft Operations Manager - Windows Accounts Created

Displays all accounts created on Windows servers to ensure authorized and appropriate access.

128 ISO: Microsoft Operations Manager - Windows Accounts Enabled

Displays all accounts enabled on Windows servers to ensure authorized and appropriate access.

129 ISO: Microsoft Operations Manager - Windows Password Changes

Displays all password change activities on Windows servers to ensure authorized and appropriate access.

130 ISO: Microsoft Operations Manager - Windows Permissions Modify

Displays all permission modification activities on Windows Servers to ensure authorized access.

131 ISO: Microsoft Operations Manager - Windows Policies Modified

Displays all policy modification activities on Windows servers to ensure authorized and appropriate access.

132 ISO: Microsoft Operations Manager - Windows Servers Restarted

Displays all Windows server restart activities to detect unusual activities.

133 ISO: Microsoft Sharepoint Permissions Changed

Displays all delete and update events to Microsoft Sharepoint user/group permissions.

134 ISO: Microsoft Sharepoint Policy Add, Remove, or Modify

Displays all events when a Microsoft Sharepoint policy is added, removed, or modified.

135 ISO: Microsoft SQL Server Database Failed Logins

Displays failed Microsoft SQL Server database logins.

136 ISO: Microsoft SQL Server Database Logins Displays logins to Microsoft SQL Server databases.

137 ISO: NetApp Filer Backup Errors Displays all backup errors that have occurred on the NetApp Filer servers.

138 ISO: NetApp Filer Disk Failure Displays all disk failure events on the NetApp Filer servers.

139 ISO: NetApp Filer Disk Missing Displays events that indicate disk missing on the NetApp Filer servers.

140 ISO: NetApp Filer File System Full Displays events that indicate the NetApp Filer’s disk is near full.

141 ISO: NetApp Filer Snapshot Error Displays events that indicate backup on the NetApp Filer has failed.

142 ISO: NTP Clock Synchronized Displays events that indicate NTP has successfully synchronized the clock.

143 ISO: NTP Daemon Exited Displays events that indicate the NTP service has stopped.

144 ISO: NTP Server Unreachable Displays events that indicate the remote NTP server is not reachable.

145 ISO: Oracle Database Failed Logins Displays all failed login attempts to the Oracle database.

146 ISO: Oracle Database Logins Displays Oracle database logins.

147 ISO: Periodic Review of Log Reports Displays all review activities performed by administrators to ensure review for any access violations.

148 ISO: Periodic Review of User Access Logs Displays all review activities performed by administrators to ensure review for any access violations.

149 ISO: RACF Accounts Created Displays all accounts created on RACF servers to ensure authorized and appropriate access.

150 ISO: RACF Accounts Deleted Displays all accounts deleted on RACF servers to ensure authorized and appropriate access.

151 ISO: RACF Failed Logins Displays all failed login attempts to review any access violations or unusual activity.

152 ISO: RACF Files Accessed Displays all files accessed on RACF servers to ensure appropriate access.

153 ISO: RACF Password Changed Displays all password change activities on RACF servers to ensure authorized and appropriate access.




154 ISO: RACF Permissions Changed Displays all permission modification activities on RACF to ensure authorized access.

155 ISO: RACF Process Started Displays all processes started on the RACF servers.

156 ISO: RACF Successful Logins Displays successful logins to ensure only authorized personnel have access.

157 ISO: Sybase ASE Failed Logins Displays failed Sybase ASE database logins.

158 ISO: Sybase ASE Successful Logins Displays successful Sybase ASE database logins.

159 ISO: Symantec AntiVirus: Attacks by Threat Name

Symantec AntiVirus Attacks by Threat Name.

160 ISO: Symantec AntiVirus: Attacks Detected Attacks Detected by Symantec AntiVirus.

161 ISO: Symantec AntiVirus: Scans Scans using Symantec AntiVirus.

162 ISO: Symantec AntiVirus: Updated Updates to Symantec AntiVirus.

163 ISO: System Restarted Displays all logs related to system restarts.

164 ISO: TrendMicro Control Manager: Attacks Detected

Attacks Detected by TrendMicro Office Scan and reported to Control Manager.

165 ISO: TrendMicro Control Manager: Attacks Detected by Threat

Attacks detected by TrendMicro Control Manager by threat name.

166 ISO: TrendMicro OfficeScan: Attacks Detected

Attacks Detected by TrendMicro OfficeScan.

167 ISO: TrendMicro OfficeScan: Attacks Detected by Threat Name

Attacks detected by TrendMicro OfficeScan by threat name.

168 ISO: UNIX Account Activities Displays all accounts activities on UNIX servers to ensure authorized and appropriate access.

169 ISO: UNIX Accounts Created Displays all accounts created on UNIX servers to ensure authorized and appropriate access.

170 ISO: UNIX Accounts Deleted Displays all accounts deleted on UNIX servers to ensure authorized and appropriate access.

171 ISO: UNIX Failed Logins Failed UNIX logins for known and unknown users.

172 ISO: UNIX Group Activities Displays all group activities on UNIX servers to ensure authorized and appropriate access.

173 ISO: vCenter Change Attributes Modification of VMWare vCenter and VMWare ESX properties.

174 ISO: vCenter Data Move Entity has been moved within the VMWare vCenter Infrastructure.

175 ISO: vCenter Datastore Events Displays create, modify, and delete datastore events on VMWare vCenter.

176 ISO: vCenter Failed Logins Failed logins to the VMWare vCenter Console.

177 ISO: vCenter Modify Firewall Policy Displays changes to the VMWare ESX allowed services firewall policy.

178 ISO: vCenter Resource Usage Change Resources have changed on VMWare vCenter.

179 ISO: vCenter Restart ESX Services VMWare vCenter restarted services running on VMWare ESX Server.

180 ISO: vCenter Shutdown or Restart of ESX Server

VMWare ESX Server is shutdown or restarted from VMWare vCenter console.

181 ISO: vCenter Successful Logins Successful logins to the VMWare vCenter Console.

182 ISO: vCenter User Permission Change A permission role has been added, changed, removed, or applied to a user on VMWare vCenter server.

183 ISO: vCenter Virtual Machine Created Virtual machine has been created from VMWare vCenter console.

184 ISO: vCenter Virtual Machine Deleted Virtual machine has been deleted or removed from VMWare vCenter console.




185 ISO: vCenter Virtual Machine Shutdown Virtual machine has been shutdown or paused from VMWare vCenter console.

186 ISO: vCenter Virtual Machine Started Virtual machine has been started or resumed from VMWare vCenter console.

187 ISO: vCenter vSwitch Changed or Removed vSwitch on VMWare ESX server has been modified or removed from the VMWare vCenter console.

188 ISO: vCloud Failed Logins Failed logins to the VMWare vCloud Director Console.

189 ISO: vCloud Organization Created Vmware vCloud Director organization created events.

190 ISO: vCloud Organization Deleted VMWare vCloud Director organization deleted events.

191 ISO: vCloud Organization Modified VMWare vCloud Director organization modified events.

192 ISO: vCloud Successful Logins Successful logins to the VMWare vCloud Director Console.

193 ISO: vCloud User Created VMWare vCloud Director user created events.

194 ISO: vCloud User Deleted or Removed VMWare vCloud Director users have been deleted or removed from the system.

195 ISO: vCloud vApp Created, Modified, or Deleted

VMWare vCloud Director vApp created, deleted, and modified events.

196 ISO: vCloud vDC Create, Modify, or Delete VMWare vCloud Director virtual datacenter created, modified, or deleted events.

197 ISO: VPN Active Connections Displays all currently active VPN connections.

198 ISO: VPN Connection Disconnect Reasons Displays the disconnect reasons for VPN connections.

199 ISO: VPN Connections by Users Displays users who are made the most connections.

200 ISO: VPN Denied Connections by Users Displays users with the most denied connections.

201 ISO: VPN Sessions by Users Displays all VPN sessions categorized by authenticated users.

202 ISO: VPN Users Accessing Corporate Network

Displays all users logging into the corporate network via Virtual Private Network to ensure appropriate access.

203 ISO: vShield Edge Configuration Changes Displays changes to VMWare vShield Edge policies.

204 ISO: vShield Risky Firewall Traffic Displays all allowed VMWare vShield Edge firewall traffic that are considered risky.

205 ISO: Windows Accounts Activities Displays all accounts activities on Windows servers to ensure authorized and appropriate access.

206 ISO: Windows Accounts Created Displays all accounts created on Windows servers to ensure authorized and appropriate access.

207 ISO: Windows Accounts Deleted Displays all accounts deleted on Windows servers to ensure authorized and appropriate access.

208 ISO: Windows Accounts Enabled Displays all accounts enabled on Windows servers to ensure authorized and appropriate access.

209 ISO: Windows Accounts Locked Displays all accounts locked out of Windows servers to detect access violations or unusual activities.

210 ISO: Windows Audit Logs Cleared Displays all audit logs clearing activities on Windows servers to detect access violations or unusual activity.

211 ISO: Windows Creation and Deletion of System Level Objects

Displays all Windows events related to creation and deletion of system level objects.

212 ISO: Windows Domain Activities Displays all trusted domains deleted on Windows servers to ensure authorized and appropriate access.

213 ISO: Windows Group Activities Displays all group activities on Windows servers to ensure authorized and appropriate access.




214 ISO: Windows Group Members Added Displays all accounts added to groups on the Windows servers to ensure appropriate access.

215 ISO: Windows Group Members Deleted Displays all accounts removed from groups on the Windows servers to ensure appropriate access.

216 ISO: Windows New Services Installed Displays a list of new services installed on Windows servers to ensure authorized access.

217 ISO: Windows Password Changes Displays all password change activities on Windows servers to ensure authorized and appropriate access.

218 ISO: Windows Permissions Modified Displays all permission modification activities on Windows Servers to ensure authorized access.

219 ISO: Windows Policies Modified Displays all policy modification activities on Windows Servers to ensure authorized and appropriate access.

220 ISO: Windows Programs Accessed Displays all programs started and stopped on servers to ensure appropriate access.

221 ISO: Windows Servers Restarted Displays all Windows server restart activities to detect unusual activities.

222 ISO: Windows Software Update Activities Displays all events related to the system's software or patch update.

223 ISO: Windows Software Update Failures Displays all failed events related to the system's software or patch update.

224 ISO: Windows Software Update Successes Displays all successful events related to the system's software or patch update.



LogLogic Reports and Alerts for ISO/IEC 27002 : LogLogic Alerts for ISO/IEC 27002

LogLogic Alerts for ISO/IEC 27002The following table lists the alerts included in the LogLogic Compliance Suite: ISO/IEC 27002 Edition.

# LogLogic Alert Description

1 ISO: Accounts Created Alert when a new account is created on servers.

2 ISO: Accounts Deleted Alert when an account is deleted on servers.

3 ISO: Accounts Enabled Alert when an account has been enabled on servers.

4 ISO: Accounts Locked Alert when an account has been locked on servers.

5 ISO: Accounts Modified Alert when an account is modified on servers.

6 ISO: Active Directory Changes Changes made within Active Directory.

7 ISO: Anomalous Firewall Traffic Alert when firewall traffic patterns is out of the norm.

8 ISO: Anomalous IDS Alerts Alert when IDS anomalies are above or below defined thresholds.

9 ISO: Cisco PIX, ASA, FWSM Commands Executed

Alert when a Cisco PIX, ASA, and FWSM commands are executed.

10 ISO: Cisco PIX, ASA, FWSM Failover Disabled

Alert when a Cisco PIX, ASA, and FWSM HA configuration is disabled.

11 ISO: Cisco PIX, ASA, FWSM Failover Performed

Alert when a failover has occurred on the Cisco PIX, ASA, and FWSM.

12 ISO: Cisco PIX, ASA, FWSM Policy Changed

Alert when a Cisco PIX, ASA, and FWSM policy have been modified.

13 ISO: Cisco PIX, ASA, FWSM Routing Failure

Alert when routing failure occurred in the Cisco PIX, ASA, and FWSM.

14 ISO: Cisco Switch Policy Changed Alert when Cisco router or switch configuration has been modified.

15 ISO: CVS Source Code Repository Failed Access

Alert when access to CVS repository has failed.

16 ISO: Escalated Privileges Alert when a user or program has escalated the privileges.

17 ISO: Firewall Traffic Besides SSL and SSH Displays all traffic passing through the firewall that is not SSL or SSH.

18 ISO: Firewall Traffic Considered Risky Alert on traffic besides HTTP, SSL & SSH passing the firewall.

19 ISO: Group Members Added Alert when new members are added to user groups.

20 ISO: Group Members Deleted Alert when members are removed from user groups.

21 ISO: Groups Created Alert when new user groups are created.

22 ISO: Groups Deleted Alert when a user group is deleted.

23 ISO: Groups Modified Alert when a user group has been modified.

24 ISO: Guardium SQL Guard Logins Alert when a user logs into the Guardium SQL Database.

25 ISO: i5OS Network Profile Changes Alerts when any changes are made to an i5OS network profile.

26 ISO: i5OS Permission or Policy Change Alerts when policies or permissions are change on the i5OS.

27 ISO: i5OS Server or Service Status Change Alerts when the i5OS is restarted or a service stops or starts.

28 ISO: i5OS Software Updates Alert when events related to the i5OS software updates.

29 ISO: i5OS User Profile Changes Alerts when a user profile is changed on the i5OS.

30 ISO: Juniper Firewall HA State Change Alert when Juniper Firewall has changed its failover state.

31 ISO: Juniper Firewall Peer Missing Alert when a Juniper Firewall HA peer is missing.

32 ISO: Juniper Firewall Policy Changes Alert when Juniper firewall configuration is changed.

33 ISO: Juniper Firewall Policy Out of Sync Alert when the Juniper Firewall’s policy is out of sync.



34 ISO: Juniper VPN Policy Change Alert on Juniper VPN policy or configuration change.

35 ISO: Juniper VPN System Failure Alert on Juniper VPN system failures.

36 ISO: Logins Failed Alert when login failures are over the defined threshold.

37 ISO: Logins Succeeded Alert when successful logins are over the defined threshold.

38 ISO: LogLogic Disk Full Alert when the LogLogic Appliance's disk is near full.

39 ISO: LogLogic DSM Logins Alert when a user logs into the LogLogic DSM database.

40 ISO: LogLogic HA State Changed Alert when the LogLogic appliance failover state changes.

41 ISO: LogLogic Message Routing Errors Alert when problems are detected during message forwarding.

42 ISO: LogLogic NTP Service Stopped Alert when the LogLogic NTP engine has stopped.

43 ISO: LogLogic Retrieval Errors Alert when problems are detected during log file retrieval.

44 ISO: Microsoft Sharepoint Permission Changed

Alerts on Microsoft Sharepoint permission changed events.

45 ISO: Microsoft Sharepoint Policies Added, Removed, Modified

Alerts on Microsoft Sharepoint policy additions, deleteions, and modifications.

46 ISO: NetApp Authentication Failure Alerts when NetApp authentication failure events occur.

47 ISO: NetApp Bad File Handle Alerts when a bad file handle is detected on a NetApp device.

48 ISO: NetApp Filer Disk Failure Disks are failing on the NetApp Filer device.

49 ISO: NetApp Filer Disk Inserted Alert whenever a disk is inserted into a NetApp filer.

50 ISO: NetApp Filer Disk Missing Disk is missing on the NetApp Filer device.

51 ISO: NetApp Filer Disk Pulled Alert when a RAID disk has been pulled from the Filer device.

52 ISO: NetApp Filer File System Full The file system is full on the NetApp Filer device.

53 ISO: NetApp Filer Snapshot Error The NetApp Filer device is experiencing backup problems.

54 ISO: NetApp NIS Group Update Alert on NIS group updates on NetApp devices.

55 ISO: NetApp Unauthorized Mounting Alert when an unauthorised mount event occurs.

56 ISO: NTP Daemon Exited Alert when the NTP service has stopped.

57 ISO: NTP Server Unreachable Alert when the remote NTP server is unreachable.

58 ISO: RACF Files Accessed Show files accessed on the RACF servers.

59 ISO: RACF Passwords Changed Alert when users have changed their passwords.

60 ISO: RACF Permissions Changed Alert when user or group permissions have been changed.

61 ISO: RACF Process Started Alert whenever a process is run on a RACF server.

62 ISO: System Restarted Alert when systems such as routers and switches have restarted.

63 ISO: vCenter Create Virtual Machine Virtual machine has been created from VMWare vCenter console.

64 ISO: vCenter Data Move Entity has been moved within the VMWare vCenter Infrastructure.

65 ISO: vCenter Datastore Event Displays create, modify, and delete datastore events on VMWare vCenter.

66 ISO: vCenter Delete Virtual Machine Virtual machine has been deleted or removed from WMWare vCenter console.

67 ISO: vCenter Firewall Policy Change Displays changes to the VMWare ESX allowed services firewall policy.

68 ISO: vCenter Permission Change A permission role has been added, changed, removed, or applied on VMWare vCenter.

69 ISO: vCenter Restart ESX Services VMWare vCenter restarted services running on VMWare ESX Server.

70 ISO: vCenter Shutdown or Restart ESX VMWare ESX Server is shutdown from vCenter console.

71 ISO: vCenter User Login Failed Failed logins to the VMWare vCenter Console.




72 ISO: vCenter User Login Successful Successful logins to the VMWare vCenter Console.

73 ISO: vCenter Virtual Machine Shutdown Virtual machine has been shutdown or paused from VMWare vCenter console.

74 ISO: vCenter Virtual Machine Started Virtual machine has been started or resumed from VMWare vCenter console.

75 ISO: vCenter vSwitch Modify or Delete vSwitch on VMWare ESX server has been modified or removed from vCenter.

76 ISO: vCloud Director Login Failed Failed logins to the VMWare vCloud Director console.

77 ISO: vCloud Director Login Success Successful logins to the VMWare vCloud Director console.

78 ISO: vCloud Organization Created Organization successfully created on VMWare vCloud Director.

79 ISO: vCloud Organization Deleted Organization successfully deleted on VMWare vCloud Director.

80 ISO: vCloud Organization Modified Organization successfully modified on VMWare vCloud Director.

81 ISO: vCloud User Created User successfully created on VMWare vCloud Director

82 ISO: vCloud User, Group, or Role Modified VMWare vCloud Director user, group, or role has been modified.

83 ISO: vCloud vApp Created, Deleted, or Modified

VMWare vCloud Director vApp has been created, deleted, or modified.

84 ISO: vCloud vDC Created, Modified, or Deleted

VMWare vCloud Director Virtual Datacenters have been created, deleted, or modified.

85 ISO: vShield Edge Configuration Change Alerts on configuration changes to VMWare vShield Edge policies.

86 ISO: vShield Firewall Traffic Besides SSH and SSL

VMWare vShield Edge traffic besides SSH and SSL

87 ISO: vShield Risky Traffic VMWare vShield Edge traffic considered risky.

88 ISO: Windows Audit Log Cleared Alert when audit logs on Windows servers have been cleared.

89 ISO: Windows Files Accessed Show files accessed on the Windows servers.

90 ISO: Windows Objects Create/Delete Alert when system level objects have been created or deleted.

91 ISO: Windows Passwords Changed Alert when users have changed their passwords.

92 ISO: Windows Permissions Changed Alert when user or group permissions have been changed.

93 ISO: Windows Policies Changed Alert when Windows policies changed.

94 ISO: Windows Process Started Displays all processes started on Windows Servers.

95 ISO: Windows Programs Accessed Programs started on the Windows servers.

96 ISO: Windows Software Updates Alert when events related to the Windows' software updates.

97 ISO: Windows Software Updates Failed Alert when failed events related to the software updates.

98 ISO: Windows Software Updates Succeeded Alert for successful events related to the software updates.



LogLogic Reports and Alerts for ISO/IEC 27002 : LogLogic Reports and Alerts Quick Reference

LogLogic Reports and Alerts Quick ReferenceThe following table lists the reports and alerts included in the LogLogic Compliance Suite for ISO/IEC 27002.

Section Description LogLogic Reports and Alerts

Section 8 – Human resources security

8.1.1 Roles and Responsibilities Compliance Suite Reports

ISO: Active Directory System Changes

ISO: i5OS DST Password Reset

ISO: ESX Account Activities

ISO: ESX Accounts Created

ISO: ESX Group Activities

ISO: Microsoft Operations Manager - Windows Accounts Activities

ISO: Microsoft Operations Manager - Windows Password Changes

ISO: Microsoft Operations Manager - Windows Permissions Modify

ISO: Microsoft Sharepoint Permissions Changed

ISO: i5OS Network User Profile Creation

ISO: i5OS Object Permissions Modified

ISO: i5OS User Profile Creation

ISO: RACF Accounts Created

ISO: RACF Password Changed

ISO: RACF Permissions Changed

ISO: UNIX Account Activities

ISO: UNIX Group Activities

ISO: vCenter User Permission Change

ISO: vCloud User Created

ISO: vCloud User Deleted or Removed

ISO: Windows Accounts Activities

ISO: Windows Group Activities

ISO: Windows Group Members Added

ISO: Windows Group Members Deleted

ISO: Windows Password Changes

ISO: Windows Permissions Modified



8.1.1 Roles and Responsibilities Compliance Suite Alerts

ISO: Accounts Created

ISO: Accounts Enabled

ISO: Accounts Modified

ISO: Active Directory Changes

ISO: Group Members Added

ISO: Groups Created

ISO: i5OS Network Profile Changes

ISO: i5OS Permission or Policy Change

ISO: i5OS User Profile Changes

ISO: Microsoft Sharepoint Permission Changed

ISO: NetApp NIS Group Update (Exact)

ISO: RACF Passwords Changed


ISO: vCenter Permission Change


ISO: vCloud User, Group, or Role Modified

ISO: Windows Passwords Changed

ISO: Windows Permissions Changed




8.3.3 Removal of Access Rights Compliance Suite Reports

ISO: Accepted VPN Connections - RADIUS


ISO: Check Point Management Station Login

ISO: DB2 Database Logins

ISO: ESX Accounts Deleted

ISO: ESX Logins Succeeded

ISO: Guardium SQL Guard Audit Logins

ISO: Guardium SQL Guard Logins

ISO: i5OS Network User Login Successful

ISO: i5OS Network User Profile Deletion


ISO: i5OS User Login Successful

ISO: Juniper SSL VPN Successful Logins

ISO: Juniper SSL VPN (Secure Access) Successful Logins

ISO: Logins Succeeded

ISO: LogLogic DSM Logins



ISO: Microsoft SQL Server Database Logins

ISO: Oracle Database Logins

ISO: RACF Accounts Deleted


ISO: RACF Successful Logins

ISO: Sybase ASE Successful Logins

ISO: UNIX Accounts Deleted


ISO: vCenter Successful Logins


ISO: vCloud Successful Logins


ISO: VPN Users Accessing Corporate Network

ISO: Windows Accounts Deleted

ISO: Windows Accounts Locked






8.3.3 Removal of Access Rights Compliance Suite Alerts

ISO: Accounts Deleted

ISO: Accounts Locked



ISO: Group Members Deleted

ISO: Groups Modified










ISO: vCenter User Login Successful

ISO: vCloud Director Login Success






Section 10 – Communications and Operations Management

10.1.2 Change Management Compliance Suite ReportsISO: Active Directory System Changes

ISO: Check Point Configuration Changes

ISO: Check Point Object Activity

ISO: Cisco PIX, ASA, FWSM Failover Disabled

ISO: Cisco PIX, ASA, FWSM Failover Performed

ISO: Cisco PIX, ASA, FWSM Policy Changed

ISO: Cisco Switch Policy Changes







ISO: Juniper Firewall HA State Changed

ISO: Juniper Firewall Policy Changed




ISO: Microsoft Operations Manager - Windows Policies Modified


ISO: Microsoft Sharepoint Policy Add, Remove, or Modify






ISO: vCenter Change Attributes

ISO: vCenter Modify Firewall Policy

ISO: vCenter Resource Usage Change


ISO: vCenter Virtual Machine Created

ISO: vCenter Virtual Machine Deleted

ISO: vCenter vSwitch Changed or Removed

ISO: vCloud Organization Created

ISO: vCloud Organization Deleted

ISO: vCloud Organization Modified


ISO: vCloud vApp Created, Modified, or Deleted

ISO: vCloud vDC Create, Modify, or Delete




10.1.2 Change Management Compliance Suite Reports - ContinuedISO: vShield Edge Configuration Changes


ISO: Windows Domain Activities


ISO: Windows New Services Installed



ISO: Windows Policies Modified




10.1.2 Change Management Compliance Suite AlertsISO: Accounts Created








ISO: Cisco Switch Policy Changed




ISO: i5OS Server or Service Status Change

ISO: Juniper Firewall HA State Change

ISO: Juniper Firewall Policy Changes

ISO: Juniper VPN Policy Change

ISO: Juniper VPN System Failure


ISO: Microsoft Sharepoint Policies Added, Removed, Modified



ISO: vCenter Create Virtual Machine

ISO: vCenter Delete Virtual Machine

ISO: vCenter Firewall Policy Change


ISO: vCenter vSwitch Modify or Delete






ISO: vCloud vApp Created, Deleted, or Modified

ISO: vCloud vDC Created, Modified, or Deleted

ISO: vShield Edge Configuration Change


ISO: Windows Policies Changed

ISO: Windows Process Started




10.1.3 Segregation of Duties Compliance Suite ReportsISO: Active Directory System Changes






























10.1.3 Segregation of Duties Compliance Suite AlertsISO: Accounts Created






ISO: Groups Created


















10.1.4 Separation of Development, Test, and Operational Facilities

Compliance Suite ReportsISO: Check Point Configuration Changes




ISO: Firewall Traffic Considered Risky - Check Point

ISO: Firewall Traffic Considered Risky - Cisco ASA

ISO: Firewall Traffic Considered Risky - Cisco FWSM

ISO: Firewall Traffic Considered Risky - Cisco PIX

ISO: Firewall Traffic Considered Risky - Fortinet

ISO: Firewall Traffic Considered Risky - Juniper Firewall

ISO: Firewall Traffic Considered Risky - Juniper RT Flow

ISO: Firewall Traffic Considered Risky - Nortel





ISO: vShield Edge Configuration Changes

ISO: vShield Risky Firewall Traffic

Compliance Suite AlertsISO: Cisco PIX, ASA, FWSM Policy Changed


ISO: Firewall Traffic Considered Risky







ISO: vShield Risky Traffic




10.2.2 Monitoring and Review of Third Party Services

Compliance Suite Reports

ISO: Cisco Line Protocol Status Changes

ISO: Cisco Link Status Changes



ISO: ESX Kernel log daemon terminating

ISO: ESX Kernel logging Stop

ISO: ESX Syslogd Restart

ISO: i5OS Restarted


ISO: Microsoft Operations Manager - Windows Servers Restarted

ISO: Periodic Review of Log Reports

ISO: Periodic Review of User Access Logs

ISO: System Restarted

ISO: vCenter Restart ESX Services

ISO: vCenter Shutdown or Restart of ESX Server

ISO: vCenter Virtual Machine Shutdown

ISO: vCenter Virtual Machine Started

ISO: Windows Servers Restarted

Compliance Suite Alerts






ISO: vCenter Restart ESX Services

ISO: vCenter Shutdown or Restart ESX



10.3.1 Capacity Management Compliance Suite Reports

ISO: LogLogic Disk Full

ISO: NetApp Filer File System Full








10.4.1 Controls Against Malicious Code


ISO: Firewall Connections Denied - Check Point

ISO: Firewall Connections Denied - Cisco ASA

ISO: Firewall Connections Denied - Cisco FWSM

ISO: Firewall Connections Denied - Cisco PIX

ISO: Firewall Connections Denied - Cisco Router

ISO: Firewall Connections Denied - Juniper Firewall

ISO: Firewall Connections Denied - Fortinet

ISO: Firewall Connections Denied - Juniper RT Flow

ISO: Firewall Connections Denied - Nortel

ISO: IDS Attacks by Applications

ISO: IDS Attacks Detected

ISO: McAfee AntiVirus: Attacks by Event ID

ISO: McAfee AntiVirus: Attacks by Threat Name

ISO: McAfee AntiVirus: Attacks Detected

ISO: Symantec AntiVirus: Attacks by Threat Name

ISO: Symantec AntiVirus: Attacks Detected

ISO: Symantec AntiVirus: Scans

ISO: Symantec AntiVirus: Updated


ISO: TrendMicro Control Manager: Attacks Detected

ISO: TrendMicro Control Manager: Attacks Detected by Threat

ISO: TrendMicro OfficeScan: Attacks Detected

ISO: TrendMicro OfficeScan: Attacks Detected by Threat Name



ISO: Anomalous IDS Alerts



10.4.2 Controls Against Mobile Code



10.5.1 Information Backup Compliance Suite Reports

ISO: NetApp Filer Backup Errors

ISO: NetApp Filer Disk Failure

ISO: NetApp Filer Disk Missing

ISO: NetApp Filer Snapshot Error



ISO: NetApp Filer Disk Inserted


ISO: NetApp Filer Disk Pulled



ISO: NetApp Unauthorized Mounting




10.6.1 Network Controls Compliance Suite ReportsISO: Check Point Configuration Changes




ISO: Firewall Connections Accepted - Check Point

ISO: Firewall Connections Accepted - Cisco ASA

ISO: Firewall Connections Accepted - Cisco FWSM

ISO: Firewall Connections Accepted - Cisco PIX

ISO: Firewall Connections Accepted - Fortinet

ISO: Firewall Connections Accepted - Juniper Firewall

ISO: Firewall Connections Accepted - Juniper RT Flow

ISO: Firewall Connections Accepted - Nortel

ISO: Firewall Connections By Applications - Check Point

ISO: Firewall Connections By Applications - Cisco ASA

ISO: Firewall Connections By Applications - Cisco FWSM

ISO: Firewall Connections by Applications - Cisco PIX

ISO: Firewall Connections By Applications - Fortinet

ISO: Firewall Connections By Applications - Juniper Firewall

ISO: Firewall Connections By Applications - Nortel




















10.6.1 Network Controls Compliance Suite AlertsISO: Cisco PIX, ASA, FWSM Policy Changed





10.6.2 Security of Network Services Compliance Suite ReportsISO: Check Point Configuration Changes











































10.6.2 Security of Network Services Compliance Suite AlertsISO: Anomalous Firewall Traffic








10.8.4 Electronic Messaging Compliance Suite Reports

ISO: Email Domains Experiencing Delay - Exchange 2000/2003

ISO: Email Domains Sending the Most Email - Exchange 2000/2003

ISO: Email Recipients Receiving the Most Emails - Exchange 2000/2003

ISO: Email Recipients Receiving the Most Emails by Count - Exchange 2007

ISO: Email Sender and Recipients Exchanging the Most Emails - Exchange 2000/2003

ISO: Email Sender and Recipients Exchanging the Most Emails - Exchange 2007

ISO: Email Senders Sending the Most Email - Exchange 2000/2003

ISO: Email Senders Sending the Most Emails by Count - Exchange 2007

ISO: Email Source IP Sending To Most Recipients - Exchange 2000/2003

ISO: Email Source IP Sending To Most Recipients - Pop/IMAP

10.10.1 Audit Logging Compliance Suite Reports


ISO: LogLogic File Retrieval Errors

ISO: LogLogic Message Routing Errors

ISO: Windows Audit Logs Cleared





ISO: LogLogic Retrieval Errors

ISO: Windows Audit Log Cleared




10.10.2 Monitoring System Use Compliance Suite ReportsISO: Accepted VPN Connections - RADIUS


ISO: DB2 Database Failed Logins


ISO: Denied VPN Connections - RADIUS

ISO: Escalated Privilege Activities on Servers




ISO: ESX Failed Logins


ISO: ESX Logins Failed Unknown User


ISO: Files Accessed on Servers



ISO: i5OS Files Accessed

ISO: i5OS Network User Login Failed



ISO: i5OS Password Errors

ISO: i5OS Service Started

ISO: i5OS User Login Failed





ISO: Logins Failed




ISO: Microsoft SQL Server Database Failed Logins


ISO: Oracle Database Failed Logins



ISO: RACF Failed Logins

ISO: RACF Files Accessed




10.10.2 Monitoring System Use Compliance Suite Reports - Continued

ISO: RACF Process Started


ISO: Sybase ASE Failed Logins



ISO: UNIX Failed Logins


ISO: vCenter Data Move

ISO: vCenter Datastore Events

ISO: vCenter Failed Logins


ISO: vCloud Failed Logins







ISO: Windows Programs Accessed




10.10.2 Monitoring System Use Compliance Suite Alerts






ISO: Escalated Privileges

ISO: Groups Created

ISO: Groups Deleted





ISO: Logins Failed



ISO: NetApp Authentication Failure





ISO: vCenter Datastore Event

ISO: vCenter User Login Failed


ISO: vCloud Director Login Failed



ISO: Windows Files Accessed





10.10.3 Protection of Log Information







ISO: Windows Audit Logs Cleared






10.10.4 Administrative and Operator Logs


ISO: Administrators Activities on Servers


ISO: Last Activities Performed by Administrators


ISO: Escalated Privileges




10.10.5 Fault Logging Compliance Suite Reports

ISO: Cisco Line Protocol Status Changes

ISO: Cisco Link Status Changes

ISO: Cisco Peer Reset/Reload

ISO: Cisco Peer Supervisor Status Changes



ISO: Cisco PIX, ASA, FWSM Restarted

ISO: Cisco Redundancy Version Check Failed

ISO: Cisco System Restarted


ISO: Juniper Firewall Policy Out of Sync

ISO: Juniper Firewall Reset Accepted

ISO: Juniper Firewall Reset Imminent

ISO: Juniper Firewall Restarted (Index)


ISO: LogLogic HA State Changed

ISO: NetApp Filer Backup Errors








ISO: Juniper Firewall Peer Missing

ISO: Juniper Firewall Policy Out of Sync

ISO: Loglogic Disk Full

ISO: Loglogic HA State Change

ISO: NetApp Bad File Handle



ISO: NetApp Filer Disk Inserted


ISO: NetApp Filer Disk Pulled



ISO: NetApp Unauthorized Mounting




10.10.6 Clock Synchronization Compliance Suite ReportsISO: LogLogic NTP Service Stopped

ISO: NTP Clock Synchronized

ISO: NTP Daemon Exited

ISO: NTP Server Unreachable

Compliance Suite AlertsISO: LogLogic NTP Service Stopped

ISO: NTP Daemon Exited

ISO: NTP Server Unreachable




Section 11 – Access Control

11.2.1 User Registration Compliance Suite ReportsISO: Accepted VPN Connections - RADIUSISO: Check Point Management Station LoginISO: DB2 Database Failed LoginsISO: DB2 Database LoginsISO: Denied VPN Connections - RADIUSISO: ESX Accounts CreatedISO: ESX Failed LoginsISO: ESX Logins Failed Unknown UserISO: ESX Logins SucceededISO: Guardium SQL Guard Audit LoginsISO: Guardium SQL Guard LoginsISO: i5OS Network User Login FailedISO: i5OS Network User Login SuccessfulISO: i5OS Network User Profile CreationISO: i5OS Password ErrorsISO: i5OS User Login FailedISO: i5OS User Login SuccessfulISO: i5OS User Profile CreationISO: Juniper SSL VPN Successful LoginsISO: Juniper SSL VPN (Secure Access) Successful LoginsISO: Logins FailedISO: Logins SucceededISO: LogLogic DSM LoginsISO: Microsoft Operations Manager - Windows Accounts CreatedISO: Microsoft Operations Manager - Windows Accounts EnabledISO: Microsoft SQL Server Database Failed LoginsISO: Microsoft SQL Server Database LoginsISO: Oracle Database Failed LoginsISO: Oracle Database LoginsISO: RACF Accounts CreatedISO: RACF Failed LoginsISO: RACF Successful LoginsISO: Sybase ASE Failed LoginsISO: Sybase ASE Successful LoginsISO: UNIX Accounts CreatedISO: UNIX Failed LoginsISO: vCenter Failed LoginsISO: vCenter Successful LoginsISO: vCloud Failed LoginsISO: vCloud Successful LoginsISO: vCloud User CreatedISO: VPN Users Accessing Corporate NetworkISO: Windows Accounts CreatedISO: Windows Accounts Enabled




11.2.1 User Registration Compliance Suite AlertsISO: Accounts Created




ISO: Logins Failed













11.2.2 Privilege Management Compliance Suite ReportsISO: Accepted VPN Connections - RADIUS










ISO: i5OS Files Accessed






























11.2.2 Privilege Management Compliance Suite Reports - Continued


ISO: vCenter Datastore Events











11.2.2 Privilege Management Compliance Suite AlertsISO: Accounts Created



ISO: Groups Created




ISO: Logins Failed





ISO: vCenter Datastore Event






ISO: Windows Files Accessed





11.2.3 User Password Management Compliance Suite ReportsISO: i5OS DST Password Reset




Compliance Suite AlertsISO: RACF Passwords Changed





11.2.4 Review of User Access Rights Compliance Suite Reports



























ISO: Logins Failed






ISO: Microsoft Operations Manager - Windows Policies Modified


ISO: Microsoft Sharepoint Policy Add, Remove, or Modify






11.2.4 Review of User Access Rights Compliance Suite Reports - Continued
























ISO: Windows Policies Modified




11.2.4 Review of User Access Rights Compliance Suite AlertsISO: Accounts Created





ISO: Groups Created

ISO: Groups Deleted





ISO: Logins Failed




ISO: Microsoft Sharepoint Policies Added, Removed, Modified














ISO: Windows Policies Changed

11.3.1 Password Use Compliance Suite Reports

















ISO: Firewall Traffic Besides SSL and SSH - Check Point

ISO: Firewall Traffic Besides SSL and SSH - Cisco ASA

ISO: Firewall Traffic Besides SSL and SSH - Cisco FWSM

ISO: Firewall Traffic Besides SSL and SSH - Cisco PIX

ISO: Firewall Traffic Besides SSL and SSH - Fortinet

ISO: Firewall Traffic Besides SSL and SSH - Juniper Firewall

ISO: Firewall Traffic Besides SSL and SSH - Juniper RT Flow

ISO: Firewall Traffic Besides SSL and SSH - Nortel

















ISO: Juniper Firewall Policy Change









11.4.2 User Authentication for External Connections











ISO: VPN Active Connections

ISO: VPN Connection Disconnect Reasons

ISO: VPN Connections by Users

ISO: VPN Denied Connections by Users

ISO: VPN Sessions by Users






ISO: Logins Failed









11.4.4 Remote Diagnostic and Configuration Port Protection


































11.4.7 Network Routing Control Compliance Suite Reports


ISO: Cisco PIX, ASA, FWSM Routing Failure




















ISO: Cisco PIX, ASA, FWSM Routing Failure












11.5.1 Secure Log-on Procedures Compliance Suite Reports

ISO: Firewall Traffic Besides SSL and SSH - Check Point

ISO: Firewall Traffic Besides SSL and SSH - Cisco ASA

ISO: Firewall Traffic Besides SSL and SSH - Cisco FWSM

ISO: Firewall Traffic Besides SSL and SSH - Cisco PIX

ISO: Firewall Traffic Besides SSL and SSH - Fortinet

ISO: Firewall Traffic Besides SSL and SSH - Juniper Firewall

ISO: Firewall Traffic Besides SSL and SSH - Juniper RT Flow

ISO: Firewall Traffic Besides SSL and SSH - Nortel

ISO: Logins by Authentication Method


ISO: Firewall Traffic Besides SSL and SSH

ISO: vShield Firewall Traffic Besides SSH and SSL





Compliance Suite ReportsISO: Accepted VPN Connections - RADIUSISO: Check Point Management Station LoginISO: DB2 Database Failed LoginsISO: DB2 Database LoginsISO: Denied VPN Connections - RADIUSISO: ESX Accounts CreatedISO: ESX Failed LoginsISO: Guardium SQL Guard Audit LoginsISO: Guardium SQL Guard LoginsISO: ESX Logins Failed Unknown UserISO: ESX Logins SucceededISO: i5OS Network User Login FailedISO: i5OS Network User Login SuccessfulISO: i5OS Network User Profile CreationISO: i5OS Password ErrorsISO: i5OS User Login FailedISO: i5OS User Login SuccessfulISO: i5OS User Profile CreationISO: Juniper SSL VPN Successful LoginsISO: Juniper SSL VPN (Secure Access) Successful LoginsISO: Logins FailedISO: Logins SucceededISO: LogLogic DSM LoginsISO: Microsoft Operations Manager - Windows Accounts CreatedISO: Microsoft Operations Manager - Windows Accounts EnabledISO: Microsoft SQL Server Database Failed LoginsISO: Microsoft SQL Server Database LoginsISO: Oracle Database Failed LoginsISO: Oracle Database LoginsISO: RACF Accounts CreatedISO: RACF Failed LoginsISO: RACF Successful LoginsISO: Sybase ASE Failed LoginsISO: Sybase ASE Successful LoginsISO: UNIX Accounts CreatedISO: UNIX Failed LoginsISO: vCenter Failed LoginsISO: vCenter Successful LoginsISO: vCloud Failed LoginsISO: vCloud Successful LoginsISO: vCloud User CreatedISO: VPN Users Accessing Corporate NetworkISO: Windows Accounts CreatedISO: Windows Accounts Enabled





Compliance Suite AlertsISO: Accounts Created

ISO: Account Enabled



ISO: Logins Failed










11.5.3 Password Management System

Compliance Suite ReportsISO: i5OS DST Password Reset




Compliance Suite AlertsISO: RACF Passwords Changed


11.5.4 Use of System Utilities Compliance Suite ReportsISO: i5OS Service Started



Compliance Suite AlertsISO: RACF Process Started






























ISO: Logins Failed


















Compliance Suite Reports - Continued














Compliance Suite Alert







ISO: Logins Failed














11.6.2 Sensitive System Isolation Compliance Suite Reports











































11.6.2 Sensitive System Isolation Compliance Suite Alerts











Section 12 – Information systems acquisition, development and maintenance

12.4.1 Control of Operational Software








ISO: i5OS Restarted

ISO: i5OS Software Updates










ISO: Windows Software Update Activities

ISO: Windows Software Update Failures

ISO: Windows Software Update Successes

12.5.1 Change Control Procedures

12.5.2 Technical Review of Applications After Operating System Changes




12.4.112.5.112.5.2

















ISO: Windows Software Updates

ISO: Windows Software Updates Failed

ISO: Windows Software Updates Succeeded

12.4.3 Access Control to Program Source Code


ISO: CVS Source Code Repository Failed Access

ISO: CVS Source Code Repository Successful Access


ISO: CVS Source Code Repository Failed Access












ISO: i5OS Restarted










ISO: vCenter Virtual Machine Deleted








ISO: Windows Software Update Activities

ISO: Windows Software Update Failures

ISO: Windows Software Update Successes
















ISO: vCenter Delete Virtual Machine










ISO: Windows Software Updates

ISO: Windows Software Updates Failed

ISO: Windows Software Updates Succeeded

12.6.1 Control of Technical Vulnerabilities


ISO: IDS Attack Origins

ISO: IDS Attacks by Applications
















Section 13 – Information Security Incident Management

13.1.1 Reporting Information Security Events


ISO: IDS Attack Origins

ISO: IDS Attacks By Applications













13.1.2 Reporting Security Weaknesses




13.2.3 Collection of Evidence Compliance Suite Reports


















ISO: Logins Failed























ISO: Windows Creation and Deletion of System Level Objects





13.2.3 Collection of Evidence Compliance Suite Alerts



ISO: Account Enabled




ISO: Group Members Deleted







ISO: Windows Objects Create/Delete

Section 15 – Compliance

15.2.2 Technical Compliance Checking







IISO: Windows Audit Logs Cleared






15.3.1 Information Systems Audit Controls

15.3.2 Protection of Information System Audit Tools



CHAPTER 4:

Installing and Using the LogLogic Compliance Suite

This chapter provides information on how to install and use LogLogic’s ISO/IEC 27002 compliance suite on your LogLogic Appliance.

Setting Up the Compliance Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Using the Compliance Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Setting Up the Compliance SuiteSetting up the LogLogic Compliance Suite: ISO/IEC 27002 Edition comprises checking that all prerequisites are met before starting the installation process, installing the Compliance Suite file, and enabling the alerts.

Prerequisites for Installing the Compliance Suite

Before installing the LogLogic Compliance Suite: ISO/IEC 27002 Edition, ensure that you have a LogLogic LX/MX Appliance running at least LogLogic Release 3.2.

Installing the Compliance Suite

The Compliance Suite includes one file containing ISO/IEC 27002 filters, custom reports, and alerts.

ISO27002.xml – ISO/IEC 27002 Reports, Search Filters, and Alerts

IMPORTANT! If you have previously imported any earlier versions of the Compliance Suite files, importing this version of the Compliance Suite will not overwrite the original files or any changes that have been made. If you have made any changes to base Compliance Suite alerts, search filters, or custom reports, LogLogic recommends saving these items with non-default names. This will help ensure that the latest Compliance Suite updates can be installed without any compatibility issues or naming conflicts.


Installing and Using the LogLogic Compliance Suite : Setting Up the Compliance Suite


To install the LogLogic Compliance Suite: ISO/IEC 27002 Edition:

1. Log in to your LogLogic LX/MX Appliance as Administrator.

2. From the navigation menu, select Administration > Import/Export.

The Import and Export tabs appear.

3. Load the Compliance Suite file by completing the following steps:

a. In the Import tab, click Browse.

b. In the File Upload window, select the appropriate XML file and then click Open.

Example 1 shows the File Upload window that appears after clicking Browse on the Import tab.

Figure 1 Example 1 – Loading a Compliance Suite File

c. Click Load.

This loads the Available Entities from the XML file.

d. Click Add All Entities.

Note: You can also select the specific ISO/IEC entity from the Available Entities text block, and then click Add Selected Entities.

Installing and Using the LogLogic Compliance Suite : Using the Compliance Suite

Example 2 shows all entities of the ISO XML file that were selected by clicking Add All Entities.

Figure 2 Example 2 – Selected Entities to be Imported

4. Click Import.

An import successfully completed message appears above the File Name text field.

Installation is complete after the XML file is imported successfully.

Using the Compliance SuiteOnce you have successfully installed the LogLogic Compliance Suite: ISO/IEC 27002 Edition, you can begin using the custom reports and alerts. The following sections help you view, test, and modify, the packaged custom reports and alerts. The custom reports and alerts were designed to run out-of-the box; however, LogLogic enables you to perform further customization if necessary.

Working with Compliance Suite Reports

All LogLogic Compliance Suite: ISO/IEC 27002 Edition reports are designed to run out-of-the box as well as to be flexible if you need to make modifications based on your business needs. For a description of all custom reports in this Compliance Suite, see LogLogic Reports for ISO/IEC 27002 on page 41.



Viewing Compliance Suite Reports and Output Data

This section describes how to access and view the Compliance Suite reports as well has how to run and view the output data.

To view and run Compliance Suite custom reports:

1. Log in to your LogLogic LX/MX Appliance as Administrator.

2. From the navigation menu, select Custom Reports > ISO/IEC 27002.

Note: You can also access all of your custom reports on the Appliance including the Compliance Suite reports you installed, by selecting Custom Reports > All Custom Reports.

3. On the Custom Reports page, you can see all of the custom reports you loaded during the installation process.

You can navigate through all of the custom reports using the page navigation buttons at the top and bottom of the Custom Reports page.

Example 3 shows a cropped list of the Compliance Suite reports loaded from the ISO XML file.

Figure 3 Example 3 – Compliance Suite Reports

4. Click the name of a report to see details such as, the Appliance where the report runs, the associated device type, and when the report runs.

a. To view the filter parameters, click Advanced Options.

b. To view details about a report such as the report name and description, click Update Saved Custom Report.

Example 4 shows the details of the ISO: Logins Failed report.



Figure 4 Example 4 – ISO: Logins Failed Report Details

5. Run the report to view the report output data by completing the following steps:

a. Click Run.

The report runs and returns data based on the set parameters.

b. To view detailed drill-down information, click any hyperlinked text.

Note: You can use the Back navigation button on your Web browser to return to the main data output view.

Example 5 shows sample results from the ISO: Logins Failed report.

Figure 5 Example 5 – ISO: Logins Failed Report Results



Note: If you want to modify the main data output view, you can modify the report parameters and then run the report again.

The following section provides more information on customizing reports.

Customizing Compliance Suite Reports

LogLogic Compliance Suite: ISO/IEC 27002 Edition reports are designed to run out-of-the-box to meet specific compliance requirements. However, you may want to modify the reports to include additional information or devices depending on your business needs.

To customize a report:

1. Make sure that you are on the Custom Reports page and click the name of a report you want to modify.

Note: You can create a copy of any report by clicking on the Duplicate Custom Reports button that appears to the left of the Run button. Duplicating a report enables you to safely make modifications to a report without losing the original report and its settings.

2. Modify the report details (i.e., name, description, etc.), filters, and parameters.

LogLogic enables you to customize everything pertaining to the summarization and presentation of the reports. You can modify the device(s) on which the report runs, schedule when the report runs, and in the Advanced Options area you can set specific report search filters.

Example 6 shows the report filters available under Advanced Options as well as the report details under Update Saved Custom Report.



Figure 6 Example 6 – Advanced Options and Update Saved Custom Report Views

Note: LogLogic recommends that you test your modifications to ensure that the report meets your business needs.

3. To test the report, click Run.

The report runs and returns data based on the set parameters. Verify that the returned data is what you want. Continue modifying and testing the report as needed.

4. Save the report by completing the following steps:

a. Click Update Saved Custom Report.

Make any necessary modifications to the report details (i.e., Report Name, Report Description, etc.).

b. Click Update Report.

A report saved message appears.

c. Click OK.

Your report is now modified. Consider testing the output of the report again to ensure you are returning all of the data you need from this report.

For more information on how to use and modify custom reports, see to the LogLogic Online Help and LogLogic Users Guide.



Working with Compliance Suite Alerts

The LogLogic Compliance Suite: ISO/IEC 27002 Edition alerts enable you to manage activities helping you to maintain ISO/IEC 27002 compliance. Activities can include detecting unusual traffic on your network or detecting Appliance system anomalies. By default, the Compliance Suite alerts are disabled so that you can configure your environment with only those alerts that are necessary. For a description of all alerts in this Compliance Suite, see LogLogic Alerts for ISO/IEC 27002 on page 50.

Accessing Available Compliance Suite Alerts

The Compliance Suite package contains a number of alerts that can be easily enabled and modified for your business needs.

To view and access Compliance Suite alerts:

1. From the navigation menu, click Alerts.

The Alerts Information page appears. This page provides an overview of your log sources (i.e., devices) and associated alerts. A checkmark identifies that an alert exists for a specific alert type and device.

2. Under Alerts, click Manage Alerts.

The Alerts page appears.

Example 3 shows a cropped list of the Compliance Suite alerts loaded from the ISO XML file.

Figure 7 Example 7– Compliance Suite Alerts

3. To view details of a specific alert, click the Name of the alert.

The General tab is selected by default, but each tab on the page contains information required to enable an alert.

4. Click on each of the tabs to view the default entries.

Note: Make sure that you identify the default entries and areas that might need to be modified.

The following section describes how to enable a Compliance Suite alert.

Enabling Compliance Suite Alerts

This section describes how to enable Compliance Suite alerts. By default, these alerts have pre-configured information to help you get started. In some instances, you can simply enable the alert, since the default settings are aimed at capturing a broad range of alerts.

To enable alerts, you must set at least the device(s) to monitor, the SNMP trap receivers, as well as who receives an alert notification and how they receive it.



To enable Compliance Suite alerts:

1. From the navigation menu, select Alerts > Manage Alerts.

2. Click the Name of the alert.

3. On the General tab, for Enable select the Yes radio button.

Example 8 shows the General tab for the ISO: Logins Failed alert.

Figure 8 Example 8 – Auth: Logins Failed Alert Filters

4. Select the device(s) to be alerted on by completing the following steps:

You can define alerts for all devices, a selection of devices, or a single device.

a. Select the Devices tab.

b. In the Available Devices text block, select the appropriate log sources (i.e., devices) you want to monitor and be alerted on when an alert rule is triggered.

Note: If the Show Only Device Groups setting is enabled on the Appliance, then the Available Devices text block lists only device groups. To enable or disable this feature, go to Administration > System Settings > General tab, scroll down to the System Performance Settings section and modify the Optimize Device Selection List option.

c. Click Add All or Add Selected Device(s).

Example 9 shows the Devices tab for the selected alert.



Figure 9 Example 9 – Available and Selected Devices

5. The Appliance has the ability to generate an SNMP trap that is sent to an SNMP trap receiver when an alert rule is triggered. Select the alert receivers available to your device(s) by completing the following steps:

a. Select the Alert Receivers tab.

b. In the Available Alert Receivers text block, select the appropriate alert receivers available for your device(s).

c. Click Add All or Add Selected Receiver(s).

6. Select the email recipients to be alerted with a notification email when an alert rule is triggered by completing the following steps:

a. Select the Email Recipients tab.

b. In the Available Users text block, select the appropriate email recipients.

The Available Users text block lists all of the user accounts on the Appliance.

c. Click Add All or Add Selected User(s).

7. Click Update.

The following section describes how to view a Compliance Suite alert.

Viewing Compliance Suite Alert Results

After you have enabled at least one alert, and that alert is triggered, you can view the results.

To view alerts results:

1. In the navigation menu, select Alerts > Alert Viewer.

The Aggregated Alert Log page appears.

Example 10 shows a cropped version of the Aggregated Alert Log page.



Figure 10 Example 10 – Aggregated Alert Log

2. From the Show drop-down menus, select the desired alert and priority filters to show only those alerts you want to display. The defaults are New Alerts and All Priorities.

3. (Management Station Appliances Only) From the From Appliance drop-down menu, select the Appliance from which you want to view the alerts.

4. View the results of your query. You can navigate through all of the data by using the page navigation buttons or page text field.

5. You can either acknowledge or remove an alert. Click the checkbox next to the alert name, then click either Acknowledge, Remove, or Remove All.

Note: Each alert was triggered based on your set alert parameters, so care must be taken when acknowledging or removing the alert.

For more information on how to use and modify alerts, see to the LogLogic Online Help and LogLogic Users Guide.


loglogic iso/iec 27002 compliance suite guidebook€¦ · · 2012-12-10loglogic, inc. proprietary...

Documents