
Compliance Risk &

Information Security Partners

Introducing the new small business third-party risk management company

11-K: Logging & Monitoring

This section evaluates how your organization records, monitors, and reviews activity on critical systems, applications, and networks.

The questions focus on whether you generate and retain appropriate logs, protect log integrity, and use monitoring tools and alerting to detect suspicious behavior, policy violations, or potential incidents. They also address how often logs are reviewed, who is responsible, and how identified issues are escalated and investigated.

Overall, this section confirms that you have effective visibility into your environment and can detect and respond to abnormal or unauthorized activity in a timely manner.

Explanation: Logging ensures that activities on platforms processing customer data are monitored to detect unauthorized actions or suspicious behavior.

Risks of Incorrect Answer: Lack of logging increases the difficulty of detecting and investigating security incidents.

Potential non-compliance with standards requiring activity monitoring.

Applicable Frameworks: ISO 27001 (A.12.4.1): Requires event logging to monitor user activities.

NIST CSF (DE.CM-3): Focuses on monitoring system activity to detect events.

HIPAA (164.312(b)): Requires audit controls to record and examine activity.

Explanation: Specific event types like failed logins or administrative actions indicate potential security threats and support compliance efforts.

Risks of Incorrect Answer: Failure to log key events may result in missed detection of breaches or misuse.

Regulatory requirements for event logging may be unmet.

Applicable Frameworks: ISO 27001 (A.12.4.1): Recommends logging security-relevant events.

NIST CSF (DE.CM-3): Stresses monitoring critical event types.

PCI DSS (10.2): Specifies logging of user and system activities.

Explanation: Regular review of logs ensures that suspicious activities are identified and acted upon promptly.

Risks of Incorrect Answer: Unreviewed logs increase the time it takes to detect and respond to incidents.

Failure to comply with regulations requiring periodic log reviews.

Applicable Frameworks: ISO 27001 (A.12.4.3): Recommends regular log review and analysis.

NIST CSF (DE.CM-1): Ensures continuous monitoring for anomalies.

HIPAA (164.308(a)(1)(ii)(D)): Mandates regular information system activity reviews.

Explanation: A centralized logging system simplifies log management, enabling faster analysis and better correlation of events across systems.

Risks of Incorrect Answer: Disparate log sources may complicate incident investigation and monitoring.

Limited ability to correlate activities across systems increases response time.

Applicable Frameworks: ISO 27001 (A.12.4.1): Encourages centralized management of logs.

NIST CSF (DE.CM-6): Supports centralized monitoring to detect anomalies.

Explanation: A log retention policy ensures compliance with legal and regulatory requirements and supports investigations when needed.

Risks of Incorrect Answer: Insufficient retention periods may lead to loss of valuable forensic data.

Non-compliance with regulations mandating specific retention periods.

Applicable Frameworks: ISO 27001 (A.12.4.1): Stipulates retention of logs for compliance and investigation.

NIST CSF (PR.PT-1): Recommends data management policies, including retention.

PCI DSS (10.7): Requires logs to be retained for at least a year.
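As an added example, not part of the CRISP questionnaire, the Python script below shows what the event-logging, log-review and retention items above amount to in practice. It parses constructed syslog-style authentication lines, flags the event types named here (failed logins, with repeated failures against one account grouped into a single finding, and administrative actions), and checks a configured retention period against the one-year floor cited for PCI DSS 10.7. The line format, the sample lines, the three-failures-in-five-minutes threshold and the function names are assumptions made for the example.

```python
"""Log-review helper: parses constructed auth-log lines, flags failed logins and
administrative actions, and checks retention against the PCI DSS 10.7 one-year floor."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like format (not real logs).
SAMPLE_LOG = """\
2025-03-01T08:00:01Z web01 sshd: Failed password for alice from 198.51.100.7
2025-03-01T08:00:05Z web01 sshd: Failed password for alice from 198.51.100.7
2025-03-01T08:00:09Z web01 sshd: Failed password for alice from 198.51.100.7
2025-03-01T08:00:12Z web01 sshd: Failed password for alice from 198.51.100.7
2025-03-01T08:01:30Z web01 sshd: Accepted password for bob from 192.0.2.10
2025-03-01T08:02:00Z web01 sudo: bob : COMMAND=/usr/bin/systemctl restart nginx
2025-03-01T09:15:00Z db01 sshd: Failed password for carol from 203.0.113.5
"""

# Assumed line layout: "<ISO timestamp> <host> <program>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : COMMAND=(?P<cmd>.*)$")


def parse_line(line):
    """Return a dict describing one event, or None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    base = {"ts": ts, "host": m["host"], "user": None}
    msg = m["msg"]
    if m["prog"] == "sshd":
        f = FAILED_RE.search(msg)
        if f:
            return {**base, "type": "failed_login", "user": f["user"], "src": f["src"]}
        a = ACCEPTED_RE.search(msg)
        if a:
            return {**base, "type": "login", "user": a["user"], "src": a["src"]}
    if m["prog"] == "sudo":
        s = SUDO_RE.match(msg)
        if s:
            return {**base, "type": "admin_action", "user": s["user"], "cmd": s["cmd"]}
    return {**base, "type": "other"}


def parse_log(text):
    """Parse every recognisable line of a log text into event dicts."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def review(events, threshold=3, window=timedelta(minutes=5)):
    """Produce review findings: repeated failed logins per (host, user) inside a
    sliding window, reported once when the threshold is crossed, plus every
    administrative action, which a reviewer should see individually."""
    findings = []
    failures = defaultdict(list)  # (host, user) -> timestamps of recent failures
    for e in events:
        if e["type"] == "failed_login":
            key = (e["host"], e["user"])
            recent = [t for t in failures[key] if e["ts"] - t <= window] + [e["ts"]]
            failures[key] = recent
            if len(recent) == threshold:  # fire exactly once per burst
                findings.append({"finding": "repeated_failed_logins", "host": e["host"],
                                 "user": e["user"], "count": len(recent),
                                 "first": recent[0], "last": e["ts"]})
        elif e["type"] == "admin_action":
            findings.append({"finding": "admin_action", "host": e["host"],
                             "user": e["user"], "cmd": e["cmd"]})
    return findings


PCI_DSS_MIN_RETENTION_DAYS = 365  # "at least a year", as stated for PCI DSS 10.7


def retention_gap(configured_days, required_days=PCI_DSS_MIN_RETENTION_DAYS):
    """Return the shortfall in days; 0 means the configured retention meets the floor."""
    return max(0, required_days - configured_days)


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
    print("retention shortfall (days):", retention_gap(90))
```

On the constructed sample the script yields two findings: one grouped finding for the burst of failed logins against alice on web01, and one entry for bob's sudo command; the single failure for carol stays below the threshold and is left to periodic review. A 90-day retention setting reports a 275-day shortfall against the one-year floor.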


Some or all of the services described in this engagement may not be available to certain clients, including those who have affiliations or relationships with audit firms or related entities.

The information provided herein is of a general nature and is not intended to address the specific circumstances of any individual or entity. While we strive to offer accurate and up-to-date information, we cannot guarantee its accuracy at the time it is received or in the future. No action should be taken based solely on this information without seeking appropriate professional advice tailored to your particular situation. CRISP does not provide legal or tax advice.

This information is not intended to constitute “written advice concerning one or more Federal tax matters” as defined by section 10.37(a)(2) of Treasury Department Circular 230.


© 2025 Compliance Risk & Information Security Partners (CRISP). All rights reserved.