Page 1239 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Logging, Monitoring, and Auditing
Logging, monitoring, and auditing procedures help an organization
prevent incidents and provide an effective response when they occur.
The following sections cover logging and monitoring, as well as
various auditing methods used to assess the effectiveness of access
controls.
Logging and Monitoring
Logging records events into various logs, and monitoring reviews
these events. Combined, logging and monitoring allow an organization
to track, record, and review activity, providing overall accountability.
This helps an organization detect undesirable events that can
negatively affect confidentiality, integrity, or availability of systems. It
is also useful in reconstructing activity after an event has occurred to
identify what happened and sometimes to prosecute those responsible
for the activity.
Logging Techniques
Logging is the process of recording information about events to a log
file or database. Logging captures events, changes, messages, and
other data that describe activities that occurred on a system. Logs will
commonly record details such as what happened, when it happened,
where it happened, who did it, and sometimes how it happened. When
you need to find information about an incident that occurred in the
recent past, logs are a good place to start.
For example, Figure 17.5 shows Event Viewer on a Microsoft system
with a log entry selected and expanded. This log entry shows that a
user named Darril Gibson accessed a file named PayrollData
(Confidential).xlsx located in a folder named C:\Payroll. It shows
that the user accessed the file at 4:05 p.m. on November 10.
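
The following is an added example, not part of the study guide: it parses one exported Windows Security event and maps its fields onto the what, when, where, who, and how described above. It assumes the entry is a file-access audit event (Event ID 4663), which the text does not state; the account name, host, year, and process in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of the file access rights encoded in the AccessMask field.
ACCESS_BITS = {0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData",
               0x10000: "DELETE"}

# Constructed sample. The file path and the date/time of day follow the entry
# described in the text (time reused as UTC for simplicity); everything else
# (account, domain, host, year, process) is made up for illustration.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4663</EventID>
    <TimeCreated SystemTime="2020-11-10T16:05:00.0000000Z"/>
    <Computer>FS01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">dgibson</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectName">C:\Payroll\PayrollData (Confidential).xlsx</Data>
    <Data Name="ProcessName">C:\Program Files\Microsoft Office\EXCEL.EXE</Data>
    <Data Name="AccessMask">0x1</Data>
  </EventData>
</Event>"""


def summarize(event_xml):
    """Reduce one file-access audit event to who/what/when/where/how."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    # SystemTime is UTC; drop the fractional seconds before parsing.
    when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
    mask = int(data.get("AccessMask", "0x0"), 16)
    rights = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    return {
        "who": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
        "what": ", ".join(rights) or hex(mask),  # raw mask if no known bit is set
        "when": when.replace(tzinfo=timezone.utc).isoformat(),
        "where": root.findtext("e:System/e:Computer", "", NS) + " " + data.get("ObjectName", ""),
        "how": data.get("ProcessName", ""),
    }


if __name__ == "__main__":
    for field, value in summarize(SAMPLE_EVENT).items():
        print(f"{field:>5}: {value}")
```

Events of this kind are only written when object access auditing is enabled and the file or folder has an audit entry (SACL) covering the access.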

