CIS Audit Log Management Policy Template

Published on October 20, 2025

Log collection and analysis provide enterprises with the ability to detect malicious activity. Audit records are sometimes the only evidence of a successful attack. Attackers know that many enterprises keep audit logs for compliance purposes, but rarely analyze them. Attackers use this knowledge to hide their location, malicious software, and activities on victim machines. Due to poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target enterprise knowing.

Policy Template Purpose

The CIS Critical Security Controls® (CIS Controls®) recommend several information security policies that an enterprise should have in place as key components of its cybersecurity program. This includes an audit log management policy in conjunction with CIS Control 8 – Audit Log Management. This Audit Log Management Policy is meant as a foundational guide for organizations needing to draft their own policies to govern a log management strategy. Enterprises are encouraged to use this policy template in whole or in part. With that said, there are multiple decision points and areas that must be tailored to your enterprise. In CIS Controls v8.1, Control 8 states:
CIS Control 8 – Audit Log Management: Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
This policy template is meant to supplement the CIS Controls v8.1. The policy statements included within this document can be used by all CIS Implementation Groups (IGs) but are specifically geared towards Safeguards in Implementation Group 1 (IG1).

 

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.