
Rule: At Least One Trail Should Be Enabled with Security Best Practices

This rule checks that at least one audit trail is enabled and configured according to security best practices, so that activity in the environment is recorded and available for review.

Rule: At least one trail should be enabled with security best practices
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description:

According to the security best practices for NIST 800-171 Revision 2, it is essential to have at least one trail enabled to monitor and record events within the system. This ensures that any suspicious or unauthorized activities can be detected, investigated, and remediated in a timely manner, enhancing the overall security posture of the organization.

Troubleshooting Steps:

No dedicated troubleshooting steps apply to this policy. If you run into problems while enabling the trail, confirm that you have the necessary permissions and validate the configuration settings.

Necessary Codes:

There are no specific codes required for this policy. However, you may need to utilize code or execute commands specific to the cloud service provider or the system you are using to enable the trail.

Step-by-Step Guide for Remediation:

  1. Identify the Cloud Service Provider (CSP) or system being used:

     • AWS (Amazon Web Services)
     • Azure (Microsoft Azure)
     • GCP (Google Cloud Platform)
     • On-premises system, such as Windows Server or a Linux-based environment

  2. Review the CSP or system documentation:

     • Familiarize yourself with the available security and auditing features.
     • Understand the logging capabilities and how to enable them for compliance with NIST 800-171.

  3. Choose the appropriate trail for monitoring and record-keeping:

     • Determine the type of trail necessary to meet the compliance requirements.
     • For example, AWS provides CloudTrail for auditing AWS API calls, while Azure offers Azure Monitor for collecting and analyzing logs.

  4. Enable the trail:

     • Follow the specific instructions provided by your cloud service provider or system documentation to enable the trail.
     • Configure the trail to capture the events and logs required for compliance with NIST 800-171.

  5. Validate the trail configuration:

     • Test the trail to ensure it is capturing the required events.
     • Verify that the logs generated by the trail contain the information needed for auditing purposes.
     • Review any additional settings required for compliance, such as log retention period or encryption.

  6. Regularly monitor and review logs:

     • Implement a process to regularly review the logs and alerts generated by the enabled trail.
     • Identify any suspicious or unauthorized activities and investigate them promptly.
     • Establish incident response procedures to address any identified security incidents.

  7. Periodically review and update the trail configuration:

     • Stay up to date with the CSP or system documentation for any changes or enhancements related to auditing and compliance.
     • Keep the trail configuration current as security and compliance requirements evolve.

By following these steps, you can ensure compliance with the NIST 800-171 Revision 2 security best practices and have at least one trail enabled for monitoring and recording events within your system.
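The validation step above (step 5) is where most deployments fall short: a trail exists, but it only covers one region, logging has been stopped, or log file integrity validation and encryption were never turned on. The following script is an added example (not Cloud Defense's checker and not part of the original page) that evaluates trail descriptions against those best practices and reports whether at least one trail passes. The input dictionaries mirror the shape of the AWS CloudTrail `DescribeTrails` and `GetTrailStatus` API responses; the sample trails embedded below are constructed, and the `collect_from_aws` helper assumes `boto3` is installed and credentials are configured (it is imported lazily so the offline part still runs without it).

```python
"""Check whether at least one CloudTrail trail meets security best practices.

Added example, not Cloud Defense's own implementation. Field names follow the
AWS CloudTrail DescribeTrails / GetTrailStatus responses; SAMPLE_* data is
constructed for the offline demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class TrailFinding:
    name: str
    compliant: bool
    issues: list[str] = field(default_factory=list)


def evaluate_trail(trail: dict, status: dict) -> TrailFinding:
    """Evaluate one trail.

    `trail` is one entry of DescribeTrails.trailList; `status` is the
    matching GetTrailStatus response (empty dict if unavailable).
    """
    issues: list[str] = []
    if not status.get("IsLogging", False):
        issues.append("logging is stopped (IsLogging is false)")
    if not trail.get("IsMultiRegionTrail", False):
        issues.append("trail records a single region only")
    if not trail.get("IncludeGlobalServiceEvents", False):
        issues.append("global service events (e.g. IAM, STS) are not captured")
    if not trail.get("LogFileValidationEnabled", False):
        issues.append("log file integrity validation is disabled")
    if not trail.get("KmsKeyId"):
        issues.append("log files are not encrypted with a customer-managed KMS key")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        issues.append("no CloudWatch Logs delivery, so alerting on events is not possible")
    return TrailFinding(trail["Name"], not issues, issues)


def evaluate_account(trails: list[dict], statuses: dict[str, dict]) -> dict:
    """The rule passes when at least one trail has no issues."""
    findings = [evaluate_trail(t, statuses.get(t["Name"], {})) for t in trails]
    return {"compliant": any(f.compliant for f in findings), "findings": findings}


def collect_from_aws(region_name: str = "us-east-1") -> tuple[list[dict], dict[str, dict]]:
    """Fetch real trails with boto3 (assumed installed and credentialed)."""
    import boto3  # imported lazily so the offline example does not need it

    client = boto3.client("cloudtrail", region_name=region_name)
    trails = client.describe_trails(includeShadowTrails=False)["trailList"]
    statuses = {t["Name"]: client.get_trail_status(Name=t["TrailARN"]) for t in trails}
    return trails, statuses


# Constructed sample data: one weak legacy trail, one trail that meets the rule.
SAMPLE_TRAILS = [
    {
        "Name": "legacy-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail",
        "S3BucketName": "example-audit-logs",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": False,
    },
    {
        "Name": "org-trail",
        "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail",
        "S3BucketName": "example-audit-logs",
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*",
    },
]
SAMPLE_STATUSES = {"legacy-trail": {"IsLogging": True}, "org-trail": {"IsLogging": True}}


if __name__ == "__main__":
    result = evaluate_account(SAMPLE_TRAILS, SAMPLE_STATUSES)
    print("rule passes:", result["compliant"])
    for finding in result["findings"]:
        print(f"- {finding.name}: {'OK' if finding.compliant else 'FAIL'}")
        for issue in finding.issues:
            print(f"    {issue}")
```

Run it as-is to see the constructed sample evaluated; swap `SAMPLE_TRAILS, SAMPLE_STATUSES` for `collect_from_aws()` to assess a real account. The check is deliberately per-trail: a region-scoped trail and a separate encrypted trail do not add up to one compliant trail, which is the failure mode the rule text is guarding against.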
