This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate or complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.
Objective: To record events and generate evidence.
12.4.1 Event logging
Control
Event logs recording user activities, exceptions, faults and information security events should
[ENH20] be produced, kept and regularly reviewed.
Implementation guidance
Event logs should include, when relevant:
a) user IDs;
b) system activities;
c) dates, times and details of key events, e.g. log-on and log-off;
d) device identity or location if possible and system identifier;
e) records of successful and rejected system access attempts;
f) records of successful and rejected data and other resource access attempts;
g) changes to system configuration;
h) use of privileges;
i) use of system utilities and applications;
j) files accessed and the kind of access;
k) network addresses and protocols;
l) alarms raised by the access control system;
m) activation and de-activation of protection systems, such as anti-virus systems and intrusion detection systems;
n) records of transactions executed by users in applications.
Event logging sets the foundation for automated monitoring systems which are capable of generating
consolidated reports and alerts on system security.
The organization should develop a baseline of normal IACS user behavior with allowable
variances. The organization should also employ automated mechanisms to facilitate the review of
user activities.
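
The following is an added example, not part of the draft, of an automated review against a baseline of normal user behavior with an allowable variance. The record layout, user and host names, and the one-hour variance are assumptions made for illustration; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: "timestamp user source action"
BASELINE_LOG = """\
2024-03-04T07:58:10 op_alice hmi-01 logon
2024-03-04T08:05:41 op_alice hmi-01 setpoint_change
2024-03-04T16:01:03 op_alice hmi-01 logoff
2024-03-05T08:02:17 op_alice hmi-01 logon
"""
REVIEW_LOG = """\
2024-03-06T08:01:09 op_alice hmi-01 logon
2024-03-06T09:10:00 op_alice hmi-01 setpoint_change
2024-03-06T23:40:12 op_alice eng-ws-07 logon
2024-03-06T23:42:30 op_alice eng-ws-07 firmware_download
"""

def parse(text):
    for line in text.splitlines():
        ts, user, source, action = line.split()
        yield datetime.fromisoformat(ts), user, source, action

def build_baseline(text):
    """Per user: hours of activity, sources used and actions performed."""
    base = defaultdict(lambda: {"hours": set(), "sources": set(), "actions": set()})
    for ts, user, source, action in parse(text):
        for key, value in (("hours", ts.hour), ("sources", source), ("actions", action)):
            base[user][key].add(value)
    return base

def review(text, base, hour_variance=1):
    """Return (timestamp, user, reasons) for events outside baseline +/- variance."""
    findings = []
    for ts, user, source, action in parse(text):
        b = base.get(user)  # .get() does not create an empty baseline entry
        if b is None:
            findings.append((ts.isoformat(), user, ["user has no baseline"]))
            continue
        lo, hi = min(b["hours"]) - hour_variance, max(b["hours"]) + hour_variance
        checks = [
            (not lo <= ts.hour <= hi, "outside working hours"),
            (source not in b["sources"], "new source " + source),
            (action not in b["actions"], "new action " + action),
        ]
        reasons = [msg for hit, msg in checks if hit]
        if reasons:
            findings.append((ts.isoformat(), user, reasons))
    return findings
```

The hour window here does not wrap around midnight, so a baseline for night-shift operators would need a different representation.
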
Care must be exercised to ensure that the system load associated with logging does not interfere
with the operational performance of the control system. Selective use of logging may be necessary
on older control system devices to balance the benefits of event tracking with the necessity of
reliable system performance.
Other information
Event logs can contain sensitive data and personally identifiable information. Appropriate privacy
protection measures should be taken (see 18.1.4).
The acquisition, processing and management of audit protocols and data should be implemented
in accordance with all applicable business, statutory, regulatory and internal requirements.
Where possible, system administrators should not have permission to erase or de-activate logs of their
own activities (see 12.4.3).
12.4.2 Protection of log information
Control
Logging facilities and log information should be protected against tampering and
unauthorized access.
Implementation guidance
Controls should aim to protect against unauthorized changes to log information and operational
problems with the logging facility including:
a) alterations to the message types that are recorded;
b) log files being edited or deleted;
c) storage capacity of the log file media being exceeded, resulting in either the failure to record
events or over-writing of past recorded events.
Some audit logs may be required to be archived as part of the record retention policy or because
of requirements to collect and retain evidence (see 16.1.7).
Other information
System logs often contain a large volume of information, much of which is extraneous to
information security monitoring. To help identify significant events for information security
monitoring purposes, the copying of appropriate message types automatically to a second log, or
the use of suitable system utilities or audit tools to perform file interrogation and rationalization
should be considered.
System logs need to be protected, because if the data can be modified or data in them deleted, their
existence may create a false sense of security. Real-time copying of logs to a system outside
the control of a system administrator or operator can be used to safeguard logs.
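
The following is an added example, not part of the draft, of one way to make edited or deleted log entries detectable: each entry carries an HMAC tag that also covers the previous tag, and the latest tag is kept on a system outside the administrator's control. The draft does not prescribe this technique; the key, record text and function names are assumptions, and the records are constructed.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32
# Constructed key; in practice it is held only by the off-host log collector.
KEY = b"constructed-demo-key"
# Constructed sample records.
RECORDS = [
    "2024-03-06T08:01:09 op_alice hmi-01 logon",
    "2024-03-06T08:04:55 adm_carol hist-03 config_change",
    "2024-03-06T08:05:30 adm_carol hist-03 logoff",
]

def chain(records, key):
    """Return [(record, tag_hex)]; each tag covers the record and the previous tag."""
    out, prev = [], GENESIS
    for rec in records:
        prev = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        out.append((rec, prev.hex()))
    return out

def verify(entries, key, anchored_head):
    """Check a stored log against its chain and the head tag kept off-host."""
    prev = GENESIS
    for i, (rec, tag) in enumerate(entries):
        expect = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect.hex(), tag):
            return False, f"entry {i} edited, or an entry before it removed"
        prev = expect
    if not hmac.compare_digest(prev.hex(), anchored_head):
        return False, "head does not match the anchored value (log truncated)"
    return True, "intact"
```

Without the off-host head tag, removing entries from the end of the log would verify cleanly, which is why the anchor has to live outside the logged system.
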
12.4.3 Administrator and operator logs
Control
System administrator and system operator activities should be logged and the logs protected and
regularly reviewed.
Implementation guidance
Privileged user account holders may be able to manipulate the logs on information processing facilities
under their direct control; therefore it is necessary to protect and review the logs to maintain
accountability for the privileged users.
Other information
An intrusion detection system managed outside of the control of system and network administrators
can be used to monitor system and network administration activities for compliance.
12.4.4 Clock synchronization
Control
The clocks of all relevant information processing systems within an organization or security domain
should be synchronized to a single reference time source.
Implementation guidance
External and internal requirements for time representation, synchronization and accuracy should be
documented. Such requirements can be legal, regulatory, contractual requirements, standards
compliance or requirements for internal monitoring. A standard reference time for use within the
organization should be defined.
The organization's approach to obtaining a reference time from external source(s) and how to
synchronize internal clocks reliably should be documented and implemented.
Other information
The correct setting of computer clocks is important to ensure the accuracy of audit logs, which may be
required for investigations or as evidence in legal or disciplinary cases. Inaccurate audit logs may
hinder such investigations and damage the credibility of such evidence. A clock linked to a radio time
broadcast from a national atomic clock can be used as the master clock for logging systems. A
network time protocol can be used to keep all of the servers in synchronization with the master clock.
Depending upon the criticality of the process control system in question, the use of dedicated,
non-internet synchronized NTP servers or of digitally signed NTP time messages should be considered
in order to lower the risks associated with accessing external system devices.
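
The following is an added example, not part of the draft, that applies the standard NTP offset and delay calculation to check hosts against a documented accuracy requirement and shows how an unsynchronized clock reorders audit events. Host names, the 100 ms and 200 ms limits and all timestamps are assumptions constructed for illustration.

```python
# Constructed measurements in milliseconds per host:
# t1 client send, t2 server receive, t3 server send, t4 client receive.
# t1 and t4 are read from the host clock, t2 and t3 from the reference clock.
SAMPLES = {
    "hmi-01":    (1000, 1012, 1013, 1021),
    "plc-gw-02": (1000, 3510, 3511, 1022),
    "hist-03":   (1000, 1400, 1401, 1900),
}
# Constructed audit events: (host, local timestamp in ms, message).
EVENTS = [
    ("plc-gw-02", 5000, "valve open command received"),
    ("hmi-01", 7400, "operator issued valve open"),
]

def offset_and_delay(t1, t2, t3, t4):
    """Offset of the reference clock relative to the host, and round-trip delay."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay

def audit(samples, max_offset_ms=100, max_delay_ms=200):
    """Classify each host against the documented accuracy requirement."""
    result = {}
    for host, stamps in samples.items():
        offset, delay = offset_and_delay(*stamps)
        if delay > max_delay_ms:
            result[host] = "remeasure"  # offset error can be as large as delay / 2
        elif abs(offset) > max_offset_ms:
            result[host] = "out of tolerance"
        else:
            result[host] = "ok"
    return result

def corrected_timeline(events, samples):
    """Order events by reference time (local time plus measured offset)."""
    out = []
    for host, local_ms, msg in events:
        offset, _ = offset_and_delay(*samples[host])
        out.append((local_ms + offset, host, msg))
    return sorted(out)
```

By local timestamps the gateway appears to receive the command 2.4 s before the operator issued it; after correction the order is reversed.
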
12.5 Control of operational software