3.14
IG3

Log Sensitive Data Access

Control Group: 3. Data Protection
Asset Type: Data
Security Function: Detect

Description

Log sensitive data access, including modification and disposal.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths
6. Enable logging on all in-scope systems
7. Configure log forwarding to centralized SIEM
8. Define log retention periods per policy
9. Establish log review schedule and procedures
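
An added example, not part of the CIS material: one way to carry out the "test detection capabilities with simulated events" step is to replay constructed audit events through the review logic. It checks that sensitive-data access, modification and disposal each produce a record that names who acted and when, and that a read threshold raises an alert. The field names, the /data/restricted/ prefix, the threshold and the window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REQUIRED = ("ts", "actor", "action")       # when, who, what was done
ACTIONS = {"read", "modify", "dispose"}    # access, modification, disposal
SENSITIVE_PREFIX = "/data/restricted/"     # assumed marker for sensitive data
READ_THRESHOLD = 3                         # assumed: reads per actor per window
WINDOW = timedelta(minutes=5)              # assumed alerting window

# Constructed simulated events, in time order (not real log data).
EVENTS = [
    {"ts": "2024-01-01T10:00:00+00:00", "actor": "alice", "action": "read", "object": "/data/restricted/hr/1"},
    {"ts": "2024-01-01T10:01:00+00:00", "actor": "alice", "action": "read", "object": "/data/restricted/hr/2"},
    {"ts": "2024-01-01T10:02:00+00:00", "actor": "alice", "action": "read", "object": "/data/restricted/hr/3"},
    {"ts": "2024-01-01T10:03:00+00:00", "actor": "bob", "action": "modify", "object": "/data/restricted/hr/1"},
    {"ts": "2024-01-01T10:04:00+00:00", "actor": "", "action": "dispose", "object": "/data/restricted/hr/9"},
    {"ts": "2024-01-01T10:05:00+00:00", "actor": "carol", "action": "read", "object": "/data/public/readme"},
]

def review(events):
    """Return (findings, uncovered): alerts raised, and actions never logged completely."""
    findings, covered, recent = [], set(), defaultdict(list)
    for idx, ev in enumerate(events):
        if not str(ev.get("object", "")).startswith(SENSITIVE_PREFIX):
            continue                                # not sensitive data: out of scope
        missing = tuple(f for f in REQUIRED if not ev.get(f))
        if missing:                                 # record cannot attribute the action
            findings.append(("incomplete_record", idx, missing))
            continue
        if ev["action"] not in ACTIONS:
            findings.append(("unknown_action", idx, ev["action"]))
            continue
        covered.add(ev["action"])
        if ev["action"] == "read":
            ts = datetime.fromisoformat(ev["ts"])
            # Keep only this actor's reads that fall inside the window, plus this one.
            window = [t for t in recent[ev["actor"]] if ts - t <= WINDOW] + [ts]
            recent[ev["actor"]] = window
            if len(window) == READ_THRESHOLD:       # fire once as the threshold is reached
                findings.append(("read_burst", idx, ev["actor"]))
    return findings, ACTIONS - covered

if __name__ == "__main__":
    alerts, uncovered = review(EVENTS)
    for alert in alerts:
        print("ALERT", alert)
    print("actions with no complete record:", sorted(uncovered))
```

In the constructed data the disposal event has no actor, so disposal is reported as having no complete record even though an event was emitted.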

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Undetected Unauthorized Data Access

Confidentiality

Without logging of sensitive data access, attackers or insiders read, copy, or modify sensitive records without creating any audit trail, making breaches undetectable.

Tampering with Sensitive Records Without Accountability

Integrity

Unauthorized modification or deletion of sensitive data goes unnoticed and uninvestigated because no logs capture who accessed or changed the data and when.

Vulnerabilities (When Safeguard Absent)

No Audit Trail for Sensitive Data Access

Without logging sensitive data access events, the organization cannot detect unauthorized access, investigate breaches, or demonstrate compliance with data protection regulations.

No Monitoring of Data Modification and Disposal

Without logging data modification and disposal events, the organization cannot verify data integrity, detect tampering, or confirm that disposal occurred as required.

Evidence Requirements

| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |