AU

APP254: Information Leakage

Does the application mask/obfuscate Confidential PII and above data in the log files (if captured), and does it refrain from logging cryptographic key values and authentication data (e.g., passwords, PINs)?

Guidance: Confidential PII and above data (including keys and passwords) must not be contained in plaintext in log files.

Management must define processes to respond to a Security Event in accordance with the SIRT process. This includes but is not limited to alerts generated from IDS/IPS/Network Behavior Anomaly Detection (NBAD). (Therefore, alerting/monitoring applies to all applications/products, not limited to IDS/IPS/NBAD).

Information Systems with a Very Low or Low IS Risk Level are exempt from the log review requirement.

Replies
  • JE

    The application masks passwords in the event log as shown here:

    In the log:

    • The administrator created a user and as shown the password is masked;
    • The user changed their own password and as shown the password is not included;
    • The administrator moved the user from Commercial Banking to Consumer Banking. Only the required information is shown in the log.

    Additional References: Log Viewer
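    The masking behaviour described in the question and in this reply, as an added Python example that is not QuickView's own code: secrets (passwords, PINs, keys) are dropped from audit events entirely, Confidential PII is masked to its last four characters, and the three sample events mirror the reply (user created, own password changed, user moved between departments). The field names and sample events are constructed assumptions.

```python
import json

# Keys whose values must never appear in a log line (constructed list; extend for the application).
SECRET_KEYS = {"password", "new_password", "old_password", "pin", "api_key", "private_key"}
# Keys holding Confidential PII: retained for audit purposes, but masked to the last 4 characters.
PII_KEYS = {"ssn", "account_number"}


def mask_value(value, keep=4):
    """Replace every character except the trailing `keep` with '*'."""
    text = str(value)
    if len(text) <= keep:
        return "*" * len(text)
    return "*" * (len(text) - keep) + text[-keep:]


def sanitize_event(event):
    """Return a copy of an audit event in which secrets are dropped and PII is masked."""
    clean = {}
    for key, value in event.items():
        name = key.lower()
        if name in SECRET_KEYS:
            clean[key] = "[REDACTED]"          # keys, passwords and PINs are never logged, even masked
        elif name in PII_KEYS:
            clean[key] = mask_value(value)
        elif isinstance(value, dict):
            clean[key] = sanitize_event(value)  # nested payloads get the same treatment
        else:
            clean[key] = value
    return clean


def render_log_lines(events):
    """Format audit events as JSON log lines after sanitizing each one."""
    return [json.dumps(sanitize_event(e), sort_keys=True) for e in events]


# Constructed sample events mirroring the three cases in the reply above.
SAMPLE_EVENTS = [
    {"action": "user.create", "actor": "admin", "user": "jdoe",
     "password": "S3cret!Pass", "ssn": "123-45-6789"},
    {"action": "user.change_password", "actor": "jdoe", "user": "jdoe",
     "old_password": "S3cret!Pass", "new_password": "N3w!Pass"},
    {"action": "user.move", "actor": "admin", "user": "jdoe",
     "from": "Commercial Banking", "to": "Consumer Banking"},
]

if __name__ == "__main__":
    for line in render_log_lines(SAMPLE_EVENTS):
        print(line)
```

A reviewer checking this control would run the sanitizer over a real event sample and grep the output for any known test password or key value; the `user.move` line shows that only the required fields survive untouched.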


Ticket ID: T-00023

Created: January 21, 2021 05:56 PM

Product: QuickView