FIDP-05

Are audit logs available for all changes to the network, firewall, IDS, and IPS systems?

Explanation

This question asks whether your organization keeps detailed logs of every change made to its network infrastructure and security systems, specifically firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS). In security terms, audit logs are chronological records that document who made which change, when it was made, and often from where. These logs matter for several reasons:

1. Accountability: they establish who made a specific change to a critical system.
2. Forensic investigation: if a security incident occurs, they help determine whether an unauthorized or undocumented change contributed to the vulnerability.
3. Compliance: many regulatory frameworks require change logs for critical infrastructure.
4. Troubleshooting: when a system malfunctions, the most recent logged changes are the first place to look for the cause.

The question is asked because network infrastructure and security systems are the components that protect an organization's data and systems. An unauthorized or undocumented change to a firewall rule set, an IDS signature set, or an IPS policy can introduce a vulnerability or indicate malicious activity, and without proper logging such changes are hard to detect and harder to investigate.

To best answer this question:

- Be specific about which types of changes are logged (configuration changes, rule updates, policy modifications, administrative logins, etc.)
- State the retention period for these logs
- Describe how the logs are protected from tampering (for example, forwarded off the device to a central store that device administrators cannot modify)
- Explain who has access to view or manage these logs
- Note any automated alerting for critical changes

Example Responses

Example Response 1

Yes, our organization maintains comprehensive audit logs for all changes to network infrastructure, firewalls, IDS, and IPS systems. All configuration changes, rule modifications, policy updates, and administrative actions are automatically logged with timestamps, user identification, source IP address, and the specific changes made. These logs are stored in a centralized SIEM (Security Information and Event Management) system for a minimum of 12 months, with critical logs retained for 3 years to meet compliance requirements. The logs are write-protected and access to them is strictly limited to authorized security personnel. Additionally, we have implemented automated alerts for critical changes that require approval through our change management process, and all logs undergo weekly review as part of our security operations procedures.

Example Response 2

Yes, we maintain detailed audit logs across our network and security infrastructure. Our Palo Alto firewalls, Cisco network equipment, and Suricata IDS/IPS are all configured to send logs to our Splunk platform. Every configuration change is logged with the administrator's identity, timestamp, action performed, and previous/new values. We enforce role-based access control for administrative functions, and all privileged access requires multi-factor authentication. Our log retention policy mandates keeping these audit logs for 24 months, and they are backed up daily to an immutable storage solution to prevent tampering. We have also implemented automated comparison of current configurations against approved baselines, with alerts generated for any unauthorized deviations.
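The baseline comparison mentioned in Example Response 2 is the part of such a response a reviewer is most likely to probe, so here is a concrete illustration. This is an added example, not ResponseHub's code or any vendor's: it compares a running firewall configuration snapshot against an approved baseline, reports each deviation with its previous and new value (the fields the response says are logged), and then matches every deviation to the audit trail and to the list of approved change tickets. The flat key/value configuration format, the audit-log fields, the CHG- ticket identifiers and all sample data are constructed for this illustration.

```python
"""Detect configuration drift on a firewall and tie each deviation back to the
audit trail.  Added example (not ResponseHub's code); the config format, audit
fields and all data below are constructed for illustration."""
import hashlib
import json

# Constructed approved baseline: flat key -> value, where a value is either a
# rule dict or a scalar setting.  The key scheme ("rule:", "mgmt:", "log:") is
# hypothetical.
APPROVED_BASELINE = {
    "rule:allow-web": {"src": "any", "dst": "dmz-web", "svc": "tcp/443", "action": "allow"},
    "rule:deny-all": {"src": "any", "dst": "any", "svc": "any", "action": "deny"},
    "mgmt:ssh-from": "10.0.0.0/24",
    "log:forward-to": "siem.example.internal:514",
}

# Constructed snapshot of the running config.  Three things differ from the
# baseline: an RDP rule was added, management SSH was opened to the world, and
# log forwarding was removed.
RUNNING_CONFIG = {
    "rule:allow-web": {"src": "any", "dst": "dmz-web", "svc": "tcp/443", "action": "allow"},
    "rule:allow-rdp": {"src": "any", "dst": "dmz-web", "svc": "tcp/3389", "action": "allow"},
    "rule:deny-all": {"src": "any", "dst": "any", "svc": "any", "action": "deny"},
    "mgmt:ssh-from": "0.0.0.0/0",
}

# Constructed audit-log entries: who, when, from where, which setting, and the
# change ticket quoted at the time (None if none was given).
AUDIT_LOG = [
    {"ts": "2024-03-04T09:12:00Z", "user": "jsmith", "src_ip": "10.0.0.15",
     "key": "rule:allow-rdp", "change_id": "CHG-1042"},
    {"ts": "2024-03-04T21:47:00Z", "user": "admin", "src_ip": "203.0.113.9",
     "key": "mgmt:ssh-from", "change_id": None},
]
APPROVED_CHANGES = {"CHG-1042"}  # hypothetical tickets approved via change management


def config_fingerprint(config):
    """SHA-256 over a canonical JSON encoding, so key order does not matter.
    Comparing fingerprints is the cheap first check before a full diff."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_configs(baseline, running):
    """Return every deviation from the baseline with its previous and new value."""
    deviations = []
    for key in sorted(set(baseline) | set(running)):
        before, after = baseline.get(key), running.get(key)
        if before == after:
            continue
        if before is None:
            kind = "added"
        elif after is None:
            kind = "removed"
        else:
            kind = "modified"
        deviations.append({"key": key, "kind": kind, "previous": before, "new": after})
    return deviations


def attribute_deviations(deviations, audit_log, approved_changes):
    """Match each deviation to the most recent audit entry for that setting.

    status is "approved" (ticket on the approved list), "unapproved" (logged
    but without an approved ticket) or "unlogged" (no audit entry at all, which
    means either the device is not logging that change type or the trail was
    tampered with)."""
    by_key = {}
    for entry in audit_log:
        by_key.setdefault(entry["key"], []).append(entry)
    findings = []
    for dev in deviations:
        entries = by_key.get(dev["key"])
        if not entries:
            findings.append({**dev, "status": "unlogged", "audit": None})
            continue
        latest = max(entries, key=lambda e: e["ts"])  # ISO-8601 UTC sorts lexically
        status = "approved" if latest["change_id"] in approved_changes else "unapproved"
        findings.append({**dev, "status": status, "audit": latest})
    return findings


def alertable(findings):
    """Everything that should raise an alert: any deviation that is not approved."""
    return [f for f in findings if f["status"] != "approved"]


if __name__ == "__main__":
    if config_fingerprint(APPROVED_BASELINE) != config_fingerprint(RUNNING_CONFIG):
        findings = attribute_deviations(
            diff_configs(APPROVED_BASELINE, RUNNING_CONFIG), AUDIT_LOG, APPROVED_CHANGES)
        for f in alertable(findings):
            who = f["audit"]["user"] if f["audit"] else "nobody logged"
            print(f"{f['status'].upper():10} {f['kind']:8} {f['key']}: "
                  f"{f['previous']!r} -> {f['new']!r} ({who})")
```

Run as a script it prints two alerts: the SSH management change made by "admin" from an external address with no change ticket, and the removed log forwarding that no audit entry accounts for at all. That second status, "unlogged", is the one to watch for in a real deployment: drift that the audit trail cannot explain is exactly the gap Example Response 3 admits to, and it is also what tampering with the logs would look like.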

Example Response 3

No, we currently have partial audit logging capabilities for our network infrastructure. While our primary firewall (Fortinet) maintains logs of configuration changes, our legacy network switches and routers do not consistently generate audit logs for all administrative actions. Additionally, our recently deployed IDS solution logs detection events but does not comprehensively track changes to its configuration. We recognize this as a gap in our security controls and have initiated a project to implement centralized logging across all network and security devices, with expected completion in the next quarter. In the interim, we are mitigating risk through strict change management procedures that require documented approval before any modifications to these systems.

Context

Tab
Infrastructure
Category
Firewalls, IDS, IPS, and Networking

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub