Only a small set of privileged users can manage audit functions.
What it actually means
The people who could turn logging off or change what's captured should be a small, specific group — separate where possible from the general admins whose actions are being logged. It keeps the audit trail honest.
Pass or fail — an assessor needs a "yes" to each
- Management of audit/logging functions is restricted to a named subset of privileged users.
- That group is documented.
What to have ready
- Role assignments for audit/log management
- Policy naming who may manage logging
Where teams trip up
- Every admin can manage (or disable) logging
- No separation between log managers and the logged
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →