§164.308(a)(1)(ii)(D): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Audit Inquiry

Does the entity have policies and procedures in place regarding the regular review of information system activity?

Does the entity regularly review records of information system activity?

Obtain and review policies and procedures related to reviewing records of information system activities. Evaluate and determine if reasonable and appropriate processes are in place to review records of information system activities, such as audit logs, access reports, and security incident tracking reports.

Elements to review may include but are not limited to:
• How often a review is performed
• How reviews are documented
• Workforce members’ roles and responsibilities in the regular review of records of information system activities
• Types of activities which may require further investigation

Obtain and review documentation demonstrating the records of information system activities that were reviewed such as audit logs, access reports, and security incident tracking reports. Evaluate and determine if information system records were reviewed in a timely manner and that the review was conducted and certified by appropriate personnel.

Obtain and review documentation demonstrating the capabilities of the information system activity logs. Evaluate and determine whether key information systems have the capabilities to generate activity records and, if so, whether those capabilities are turned on and records are generated.

Required/Addressable

Required