Principle 17 - Perform Regular Security Audits
Detail
Service operations and management processes should provide regular internal audits of security controls in order to ensure their continued effective implementation and use.
Consumers of the service (including service operators and stakeholders) should be provided with the audit records they need to monitor access to their service and the data held within it.
Security Audits should be aligned to Principle 6 - Accountability and refined using Principle 18 - Security Operations Policy.
Decision Evaluation Criteria:
- Do the service operation processes include regularly scheduled security audits, scoped to assure the continued effective implementation and use of the designed security controls?
- Do all components of the service log error detail in such a manner that security audits can identify and isolate a compromise within the service?
Basis
- GDS CSP 13 - Audit information provision to consumers
- OWASP 8 - Error handling and logging