APP254: Information Leakage
Does the application mask/obfuscate Confidential PII and above data in the log files (if captured), and does it refrain from logging cryptographic key values and authentication data (e.g., passwords, PINs)?
Guidance: Data classified Confidential PII or higher (including cryptographic keys and passwords) must not appear in plaintext in log files.
Management must define processes for responding to a Security Event in accordance with the SIRT process. This includes, but is not limited to, alerts generated by IDS/IPS/Network Behavior Anomaly Detection (NBAD); alerting and monitoring therefore applies to all applications and products, not only to IDS/IPS/NBAD.
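One way to meet this control in practice is a log filter that runs on every record before it is written: authentication data and key material are dropped entirely, while PII fields are partially masked. This is an added example, not part of the control text; the field names and patterns are assumptions chosen for illustration.

```python
import io
import logging
import re

# Assumption: the field names below are illustrative; a real deployment takes them
# from its own data-classification inventory (Confidential PII and above).
SECRET_KEYS = {"password", "passwd", "pin", "api_key", "secret", "private_key", "token"}
PII_KEYS = {"ssn", "card_number", "email", "phone"}
# Matches "key=value" or "key: value" in free-text messages for any listed key.
_KV_RE = re.compile(r"(?i)\b(" + "|".join(sorted(SECRET_KEYS | PII_KEYS)) + r")(\s*[=:]\s*)([^\s,;]+)")

def mask_pii(value) -> str:
    """Keep only the last four characters so the record stays usable for correlation."""
    s = str(value)
    return "*" * len(s) if len(s) <= 4 else "*" * (len(s) - 4) + s[-4:]

def sanitize_pair(key: str, value):
    """Authentication data and keys are dropped entirely; PII is partially masked."""
    k = key.lower()
    if k in SECRET_KEYS:
        return "[REDACTED]"
    return mask_pii(value) if k in PII_KEYS else value

def sanitize_text(text: str) -> str:
    return _KV_RE.sub(lambda m: m.group(1) + m.group(2) + sanitize_pair(m.group(1), m.group(3)), text)

class SensitiveDataFilter(logging.Filter):
    """Rewrites each LogRecord before the handler formats or writes it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = sanitize_text(record.getMessage())  # render %-args first, then mask
        record.args = ()
        for key in list(vars(record)):  # structured fields passed via extra={...}
            if key.lower() in SECRET_KEYS | PII_KEYS:
                setattr(record, key, sanitize_pair(key, getattr(record, key)))
        return True

def render_with_filter(msg: str, *args) -> str:
    """Send one record through a logger carrying the filter; return the line as written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SensitiveDataFilter())
    logger = logging.getLogger("app254.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.info(msg, *args)
    return stream.getvalue().rstrip("\n")
```

Attaching the filter to the handler rather than the logger means it also covers records that propagate from child loggers.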
Information Systems with a Very Low or Low IS Risk Level are exempt from the log review requirement.