Risk R-011 - Loss or Manipulation of Security Logs
| Field | Value |
|---|---|
| Risk ID | R-011 |
| Asset | Logging / SIEM Platform (Platform – Owner: Sec) |
| Scenario | S-010 - Tampering with logging infrastructure |
| Likelihood | 🟧 Medium - attackers may attempt to delete or modify logs to cover their tracks |
| Impact | 🟥 High - inability to detect attacks, loss of forensic evidence, impact on operational continuity |
| Risk Level | 🟥 High |
| Owner | Sec |
| Last Review | 2026-03-08 |
| Next Review | 2026-09-08 |

Associated Controls:
- Centralized, tamper-resistant log storage (SIEM with write-once storage or immutable logs).
- Regular log backup and integrity verification.
- Alerting on unusual log deletion or modification events.
- Restricted administrative access to logging systems; enforce MFA.
- Continuous monitoring and correlation of critical events.
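As an added illustration of the integrity-verification and deletion-alerting controls above (example code, not part of this risk register): a hash-chained log in which each record is HMAC'd with a verifier-held key and the chain head is anchored to an out-of-band checkpoint, so in-place modification, removal of a record and silent truncation of the tail are each detected. The key name, event fields and checkpoint format are assumptions.

```python
import hashlib
import hmac
import json

VERIFIER_KEY = b"constructed-demo-key"  # hypothetical key; held by the SIEM, not the log source
GENESIS = "0" * 64

def _digest(key, seq, prev, body):
    # Bind position, previous hash and content; HMAC so a writer without the key cannot re-sign
    return hmac.new(key, f"{seq}|{prev}|{body}".encode(), hashlib.sha256).hexdigest()

def append_record(chain, event, key=VERIFIER_KEY):
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True)
    chain.append({"seq": len(chain), "prev": prev, "event": body,
                  "hash": _digest(key, len(chain), prev, body)})

def checkpoint(chain):
    # (length, head hash) stored out of band; this is what exposes silent tail truncation
    return len(chain), (chain[-1]["hash"] if chain else GENESIS)

def verify_chain(chain, anchor, key=VERIFIER_KEY):
    """Return (ok, reason); flags modified, deleted/inserted and truncated records."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, f"chain broken at record {i} (record deleted or inserted)"
        if not hmac.compare_digest(_digest(key, i, prev, rec["event"]), rec["hash"]):
            return False, f"record {i} modified"
        prev = rec["hash"]
    if (len(chain), prev) != anchor:
        return False, "log truncated: tail does not match checkpoint"
    return True, "ok"

def demo():
    # Constructed sample events, not from any real system
    events = [{"ts": "2026-03-08T10:00:00Z", "user": "alice", "action": "login"},
              {"ts": "2026-03-08T10:02:13Z", "user": "bob", "action": "sudo"},
              {"ts": "2026-03-08T10:05:40Z", "user": "bob", "action": "auditd_stop"},
              {"ts": "2026-03-08T10:06:01Z", "user": "bob", "action": "logout"}]
    chain = []
    for e in events:
        append_record(chain, e)
    anchor = checkpoint(chain)
    modified = [dict(r) for r in chain]  # one event body rewritten in place
    modified[2]["event"] = modified[2]["event"].replace("auditd_stop", "login")
    return {"intact": verify_chain(chain, anchor),
            "modified": verify_chain(modified, anchor),
            "deleted": verify_chain(chain[:2] + chain[3:], anchor),
            "truncated": verify_chain(chain[:3], anchor)}
```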

References:
- ISO 27001 - Control 5.1 Policies for information security.
- ISO 27001 - Control 8.3 Information access restriction.
- ISO 27001 - Control 8.16 Monitoring activities.
- NIST CSF - DE.CM Continuous Monitoring.
- NIST CSF - PR.IP Information Protection Processes and Procedures.
- NIST CSF - PR.PT Protective Technology.
- EBIOS RM - Analysis of risks related to tampering, loss, or unavailability of security logs.

Response Actions:
- Containment - Quarantine affected logging nodes, block unauthorized access.
- Investigation - Perform forensic analysis to determine the scope of log loss or tampering.
- Recovery - Restore logs from immutable backups, validate integrity.
- Post-incident - Review logging policies, update SIEM detection rules, and refine incident response playbook.