Logging requirements are established and maintained for IT and OT assets that are important to the delivery of the function and assets within the function that may be leveraged to achieve a threat objective
Context and Guidance: Define logging requirements for all important IT and OT assets. For example, capturing failed login attempts can point to confidentiality issues, unauthorised changes can indicate integrity issues, and log entries on system downtime can reveal availability issues. Requirements for logging may differ for different assets, such as operations technology, field devices, mobile devices, and assets that reside in the cloud. For virtual networks, additional tools or processes may be necessary to enable logging of virtual network traffic. Logs from the cloud, including both cloud infrastructure and cloud assets, should be defined by the organisation in the logging requirements as applicable. In addition to the types of events to be logged, organisations should consider what other logging requirements may be appropriate, such as how logs are to be protected, chain of custody considerations, or retention timelines. Example events that may be logged:
Related Practices
• Input From: Implementing ASSET-1a and ASSET-1b provides input that may be useful for implementing this practice.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: SITUATION-1a, SITUATION-1b, SITUATION-1c, SITUATION-1d, SITUATION-1f.