Control 3.3.1

★What This Means in Plain English

Your systems must keep detailed logs of what happens on them. These logs must be retained long enough to support investigations if a security incident occurs. You need logs from servers, workstations, network devices, and applications.

✓How Petronella Implements This Control

Petronella Technology Group implements this control through:

• Arctic Wolf SIEM collecting and centralizing logs from all systems, applications, and network devices
• Windows Event Log forwarding configured via Group Policy to send security events to the SIEM
• FortiGate firewall logging all traffic events, VPN sessions, and security alerts
• Log retention policy maintaining audit records for a minimum of one year with 90 days immediately accessible
• Sophos XDR endpoint logging capturing process execution, file access, and network connections
• ComplianceArmor documenting the audit logging policy and retention requirements

🔎Assessment Guidance

Assessors will verify that audit logging is enabled on all systems, review log retention periods and storage, test that critical events are captured, check that logs are protected from unauthorized modification, and confirm SIEM is receiving logs from all required sources.

⚠Common Implementation Gaps

• Audit logging disabled on some systems or applications
• Logs retained for insufficient duration
• No centralized log management or SIEM
• Critical events (logon failures, privilege changes) not logged
• Log storage filling up and overwriting older records

⇄Cross-Framework Mapping