
CAF – C1.b Securing Logs

This article provides additional information on how you can meet the requirement for the CAF control – C1.b Securing Logs.

Secure Storage and Management of Logs

  • Log data should be stored and managed securely to ensure it cannot be accessed, altered or deleted except by authorised personnel.
  • The organisation’s Event Logging and Monitoring Policy should define how logs are protected, retained and monitored.

Access Controls and Auditability

  • Access to logs should be restricted on a least-privilege, role-based basis within the monitoring and security tools that hold them, such as Microsoft Entra ID, the SIEM (for example Microsoft Sentinel) and RMM platforms.

  • All actions involving log data — including viewing, exporting or deleting — should be recorded and traceable to a unique user or system.

Log Integrity and Tamper Protection

  • Master log files should be kept tamper-resistant.

  • Analysis should be performed only on copies so that original logs remain unchanged.

  • Log integrity protections, such as immutable storage or platform safeguards, should be applied where available.
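One way to implement the integrity protection these bullets describe, and to show why the "analyse copies, never the originals" rule matters, is a hash-chained log in which each record carries an HMAC over the previous record's tag and its own body. The example below is added here and is not code from the CAF guidance or from any of the tools named above; the HMAC key, the sample events (which include a privileged action and a user's log view and export, each traced to a unique identity) and the scenario names are all constructed for illustration. Immutable storage and platform safeguards remain the primary control; a chain like this is the check that tells you whether the copy you are analysing still matches what was written.

```python
"""Tamper-evident log chain with verification.

Added example, not from the CAF page: each record carries an HMAC-SHA256 over
(previous record's tag || record body), so altering, deleting, reordering or
truncating any record breaks every link from that point on. The HMAC key must
be held away from the logging host (KMS/HSM); KEY below is a placeholder.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional

KEY = b"placeholder-key-hold-the-real-one-in-a-kms"  # assumption, example only
GENESIS = "0" * 64  # 'previous tag' for the first record


def _tag(prev_tag: str, body: str) -> str:
    """HMAC over the previous tag and this body; this is what chains records."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode())
    mac.update(b"\n")
    mac.update(body.encode())
    return mac.hexdigest()


def append(chain: list, event: dict) -> list:
    """Return a new chain with `event` appended; the input list is not modified."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return chain + [{"seq": len(chain), "body": body, "tag": _tag(prev_tag, body)}]


def verify(chain: list, expected_len: Optional[int] = None) -> tuple:
    """Walk every link. Returns (ok, reason).

    expected_len is the record count recorded out of band (e.g. the head tag and
    length anchored in a separate immutable store); without it, silently dropping
    the newest records is undetectable, since the remaining prefix is still valid.
    """
    prev_tag = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i:
            return False, f"sequence gap at record {i}"
        if not hmac.compare_digest(_tag(prev_tag, rec["body"]), rec["tag"]):
            return False, f"integrity failure at record {i}"
        prev_tag = rec["tag"]
    if expected_len is not None and len(chain) != expected_len:
        return False, f"expected {expected_len} records, found {len(chain)}"
    return True, "chain intact"


# Constructed sample events (not real telemetry). Every action on log data is
# attributed to a unique identity, as C1.b asks for.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "actor": "svc-backup", "action": "privileged_exec", "detail": "sudo tar"},
    {"ts": "2024-05-01T09:05:00Z", "actor": "alice@example.com", "action": "log_view", "detail": "auth.log"},
    {"ts": "2024-05-01T09:06:00Z", "actor": "alice@example.com", "action": "log_export", "detail": "auth.log"},
]


def build_sample_chain() -> list:
    chain: list = []
    for ev in SAMPLE_EVENTS:
        chain = append(chain, ev)
    return chain


def tamper_scenarios() -> dict:
    """Work on deep copies so the master chain is never touched (analyse copies, not originals)."""
    master = build_sample_chain()
    results = {"intact": verify(master, expected_len=len(master))}

    edited = copy.deepcopy(master)               # attacker rewrites who exported the log
    edited[2]["body"] = edited[2]["body"].replace("alice", "mallory")
    results["edited"] = verify(edited)

    deleted = copy.deepcopy(master)              # attacker removes the log_view record
    del deleted[1]
    results["deleted"] = verify(deleted)

    truncated = copy.deepcopy(master)[:-1]       # newest record silently dropped
    results["truncated_unanchored"] = verify(truncated)
    results["truncated_anchored"] = verify(truncated, expected_len=len(master))

    assert verify(master) == (True, "chain intact")  # master unchanged by the analysis
    return results


if __name__ == "__main__":
    for name, (ok, reason) in tamper_scenarios().items():
        print(f"{name:22} {'OK ' if ok else 'FAIL'} {reason}")
```

The `truncated_unanchored` scenario is the caveat to keep in mind: a chain alone cannot tell you that the newest records were removed, because the surviving prefix still verifies. Record the head tag and record count somewhere the logging host cannot write to (the immutable store mentioned above), and pass that count as `expected_len` when you verify.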

Retention and Secure Deletion

  • Log data should be retained for a defined period and securely deleted in line with the organisation’s retention schedule.

  • Privileged and sensitive system activity should always be logged to support investigations.

Ongoing Review of Log Security

  • Log access permissions and the security of logging tools should be reviewed periodically to ensure the logging environment remains secure and effective.