SM-02 Incident & Security Monitoring

Access & Privileged Activity Logging

Security events are captured centrally and protected.

Domain: Incident & Security Monitoring
Control type: Detective
Automated / manual: Automated
Frequency: Continuous
Framework reference: MAS TRM – Logging

What good looks like

Auth and privileged activity logged to SIEM, tamper-protected, retained per policy.

Risk if it fails

Inability to detect/investigate incidents.

How Tess tests it

4 tests — each concludes only on cited evidence.

Logging architecture/standard defined

Design

Procedure: Inspect the standard.
Expected: Sources and retention defined.
Sample: 1 (design inspection)
Evidence: SIEM config, log-source inventory, retention policy.

In-scope sources feed the SIEM

Operating

Procedure: Reconcile sources to SIEM.
Expected: Complete coverage.
Sample: 25 (or full config inspection)
Evidence: SIEM config, log-source inventory, retention policy.

Retention meets policy/regulation

Operating

Procedure: Inspect retention config.
Expected: Retained ≥ required period.
Sample: 25 (or full config inspection)
Evidence: SIEM config, log-source inventory, retention policy.

Logs tamper-protected

Operating

Procedure: Inspect protection controls.
Expected: Immutable/access-restricted.
Sample: 25 (or full config inspection)
Evidence: SIEM config, log-source inventory, retention policy.

Evidence Tess looks for

SIEM config, log-source inventory, retention policy.

More in Incident & Security Monitoring

SM-01 Logging Standard & Retention SM-03 Time Synchronisation (NTP) SM-04 Security Alerting & Anomaly Monitoring SM-05 Endpoint Protection (EDR)

Want Tess to test SM-02 against your evidence?