CCC.C09: Prevent Tampering, Deletion, or Unauthorized Access to Access Logs
Objective: Access logs should always be considered sensitive.
Ensure that access logs are protected against unauthorized
access, tampering, or deletion.
Control Family:
Data
Threats:
ID | Title | Description |
---|---|---|
CCC.TH07 | Logs are Tampered With or Deleted | Attackers may tamper with or delete logs to cover their tracks and evade detection. This prevents security teams from identifying the full scope of an attack and may disrupt forensic investigations. |
CCC.TH09 | Logs or Monitoring Data are Read by Unauthorized Users | Unauthorized access to logs or monitoring data can provide attackers with valuable information about the system's configuration, operations, and security mechanisms. This can be used to identify vulnerabilities, plan attacks, or evade detection. |
CCC.TH04 | Data is Replicated to Untrusted or External Locations | An attacker could replicate data to untrusted or external locations if replication configurations are not properly restricted. This could result in data leakage or exposure to unauthorized entities outside the organization's trusted perimeter. |
NIST CSF:
PR.DS-6
Control Mappings
CCM:
ISO_27001:
NIST_800_53:
AU-9
Test Requirements
CCC.C09.TR01: When access logs are stored, the service MUST ensure that
access logs cannot be accessed without proper authorization.
TLP:
tlp_amber
tlp_red
tlp_green
tlp_clear
CCC.C09.TR02: When access logs are stored, the service MUST ensure that
access logs cannot be modified without proper authorization.
TLP:
tlp_amber
tlp_red
tlp_green
tlp_clear
CCC.C09.TR03: When access logs are stored, the service MUST ensure that
access logs cannot be deleted without proper authorization.
TLP:
tlp_amber
tlp_red
tlp_green
tlp_clear