
201 CMR 17 Compliance Module:

Deployment Guide
09/18/2014

DPG-201_CMR_17-Compliance-Package-v004-20140918
- 201 CMR 17 Compliance Module: Deployment Guide

© LogRhythm, Inc. All rights reserved


This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by
copyright and possible non-disclosure agreements. The Software described in this Guide is furnished under the
End User License Agreement or the applicable Terms and Conditions (“Agreement”) which governs the use of
the Software. This Software may be used or copied only in accordance with the Agreement. No part of this
Guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying and recording for any purpose other than what is permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use of
this information.

Trademark
LogRhythm® is a trademark of LogRhythm, Inc.

LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301

(303) 413-8745

www.logrhythm.com

LogRhythm Customer Support


support@logrhythm.com

1.303.413.8745 SUPPORT@LOGRHYTHM.COM

Contents
201 CMR 17 Package Pre-Implementation .............................................................................................. 1
Pre-Implementation Checklist ............................................................................................................. 1
201 CMR 17 Package Implementation .................................................................................................... 1
Installation of the Compliance Module ................................................................................................. 1
Verification of the Installation ............................................................................................................. 1
Intelligent Indexing ........................................................................................................................... 1
Check Investigations ...................................................................................................................... 1
Check Lists.................................................................................................................................... 1
Check Reports ............................................................................................................................... 1
Check Reporting Package ................................................................................................................ 1
Configuration of the Compliance Module .............................................................................................. 2
Population of Lists .......................................................................................................................... 2
Activation and Configuration of Alarms ............................................................................................. 2
201 CMR 17 Package Post-Implementation ............................................................................................. 3
Compliance Module Noise Mitigation .................................................................................................... 3
List Updating ................................................................................................................................. 4
Filter Usage ................................................................................................................................... 4
Suppression Usage ......................................................................................................................... 5
Threshold Usage ............................................................................................................................ 6
201 CMR 17 Reporting Package Scheduling .......................................................................................... 7
201 CMR 17 Module Reporting Package ............................................................................................ 7
201 CMR 17 Package Usage ............................................................................................................... 8
201 CMR 17 Package Usage for Security Operations ........................................................................... 8
201 CMR 17 Package Usage for Security Management ........................................................................ 8
Appendix A: Pre-Implementation Checklist ............................................................................................. 9
Appendix B: 201 CMR 17 Module Elements ........................................................................................... 10
Appendix C: 201 CMR 17 Requirements Matrix ...................................................................................... 15
Appendix D: Data Management Settings............................................................................................... 17
Global Data Management Settings .................................................................................................... 17
Classification Based Data Management Settings.................................................................................. 18
Global Classification Settings (GCS) .................................................................................................. 18


201 CMR 17 Package Pre-Implementation


The 201 CMR 17 Package Pre-Implementation section details the collection of infrastructure details needed to
configure the 201 CMR 17 Compliance Module.

Pre-Implementation Checklist
The Pre-Implementation Checklist (Appendix A: Pre-Implementation Checklist) is used to collect all necessary
infrastructure details used to configure the 201 CMR 17 Compliance Module. During this phase the following
items should be collected:

• Log Sources (see Table 2)
• Users (see Table 3)

201 CMR 17 Package Implementation


The 201 CMR 17 Package Implementation section details the installation, configuration, and verification of
objects used in the 201 CMR 17 Compliance Module. When this section is complete, the LogRhythm Event
Manager will have all the proper components needed for 201 CMR 17 compliance. The process involves the
following steps:

• Installation of the Compliance Module
• Verification of the Installation
• Configuration of the Compliance Module

Installation of the Compliance Module


The 201 CMR 17 Compliance Module is provided as part of the LogRhythm KB (Knowledge Base). Updating the
LogRhythm Knowledge Base automatically creates the proper Lists, AIE Rules, Investigations, Reports,
Reporting Packages, and Tails.

1. Follow the instructions listed in Help to import the latest Knowledge Base.
2. When you are asked to configure the new Knowledge Base Modules, enable the following:
• Compliance: 201 CMR 17

Verification of the Installation


After you install the Knowledge Base, the 201 CMR 17 Compliance Module should be ready to configure. This
section shows how you can verify that the 201 CMR 17 Compliance Module has been installed properly.

Intelligent Indexing
Intelligent Indexing allows Reports, Investigations, and Tails to keep the appropriate log data online in the Log
Manager. Take care when choosing which objects to enable Intelligent Indexing for: broad criteria can keep an
exceptional amount of data online and overwhelm the Log Manager. See Appendix B for a list of Intelligent
Indexing-capable objects and their recommended settings.

Check Investigations
Verify forty-six Investigations (see Table 5) are contained in the Investigate tab of the LogRhythm Console.

Check Lists
Verify twelve Lists (see Table 7) are contained in the List Manager tab.

Check Reports
Verify eighty-seven Reports (see Table 6) are contained in the Reports tab of the Report Center tab.

Check Reporting Package


Verify seven Reporting Packages (see Table 8) are contained on the Report Packages tab of the Report Center.


Configuration of the Compliance Module


LogRhythm requires that you configure some objects included in the 201 CMR 17 Compliance Module. This
section describes the steps you must perform.

• Population of Lists
• Importing of Layouts
• Activation and Configuration of Alarms
• Activation and Configuration of AIE Rules

Population of Lists
Each 201 CMR 17 Compliance List must be populated with data collected using the Pre-Implementation
Checklist. Complete the following sections to populate all required lists.

Populating Log Source Lists


Follow the instructions listed below to populate Log Source Lists.

1. Open the LogRhythm Console and click List Manager.


2. Right-click on the list name of a 201 CMR 17 Log Source List, and then click Properties.
3. Click the Add Item button to view the log sources selector.
4. Search and select all desired log sources, and then click OK.
5. Click OK to save the list.
6. Repeat this process (steps 1-5) for all 201 CMR 17 Log Source Lists (see Table 7).

Populating Users Lists


Follow the instructions listed below to populate Users Lists.

1. Open the LogRhythm Console and click List Manager.


2. Right-click on the list name for a 201 CMR 17 Users List, and then click Properties.
3. Select the Username for the Item Type.
4. Type the username in the Add Item field.
5. Click the Add Item button to add the username.
6. Repeat steps 4-5 for all desired usernames.
7. Click OK to save the list.
8. Repeat this process (steps 1-7) for all 201 CMR 17 Users Lists (see Table 7).

Activation and Configuration of Alarms


All alarms included in the 201 CMR 17 Compliance Module are disabled by default. Follow the instructions
listed below to enable the alarms and configure their notifications.

1. Open the LogRhythm Console, click Deployment Manager, and then click Alarm Rules.
2. Select the check box for all of the 201 CMR 17 alarms that share notification personnel (Table 1),
right-click the Alarm Manager, click Actions, and then click Batch Notification Editor (Figure 1).

Table 1
Alarm Rules | Notification Area
201 CMR 17: Attack Alert | Security Operations
201 CMR 17: Compromise Alert | Security Operations
201 CMR 17: Denial Of Service Alert | Security Operations
201 CMR 17: Malware Alert | Security Operations
201 CMR 17: Vulnerability Alert | Security Operations


Figure 1 Configuring Alarm Rules

3. Select the check box for all of the relevant notifies, then click OK to save the notifications.
4. Repeat Step 3 for all common notifies until all 201 CMR 17 alarms are configured for notifications (see
Table 4).
5. Select the check box for all of the 201 CMR 17 alarms.
6. Right-click on the Alarm Manager, click Actions, and then click Enable.

201 CMR 17 Package Post-Implementation


The LogRhythm 201 CMR 17 Compliance Module provides bundled pre-created alarms, AIE rules,
investigations, layouts, lists, reports, and reporting packages to help demonstrate regulation compliance. The
Auditor checks for specific line-item regulations to be met by LogRhythm. The 201 CMR 17 Package
Post-Implementation section details the post-implementation processes necessary to meet specific 201 CMR 17
compliance requirements and augment others. The process involves the following steps:

• Noise Mitigation
• Scheduling
• Package Usage

Compliance Module Noise Mitigation


LogRhythm’s 201 CMR 17 Compliance Module bundled alarms, AIE rules, investigations, layouts, lists, reports,
and reporting packages need adjustments to reduce the likelihood of false positive events. The process to
decrease false positives involves the following steps:

• List Updating
• Filters
• Suppression
• Thresholds


List Updating
Keeping Compliance Module lists updated is a vital part of decreasing false positives within the 201 CMR 17
Compliance Module. An organization’s applications, IP addresses, and users are dynamic; for this reason the
Compliance Module uses lists which can be updated as needed. There are many conditions which would
require a list to be updated. The following section highlights a few instances where lists must be updated and
gives direction on how to update them. Refer to Table 9 for the specific AIE Rules and Investigations and
Table 10 for the specific Reports and Tails where the lists are used.

User List Updating


The user list should be updated when a user account is disabled or terminated. Changes to these types of
accounts are evident in the access granted/revoked reports and account management reports. Follow the
instructions listed below after implementation and on a weekly basis to identify users which have not yet been
added to the Users Lists.

1. Open the LogRhythm Console and click the Report Center tab.
2. Click the Reports tab, right-click on the 201 CMR 17: Disabled/Locked Account Summary report,
and then click Run.
3. Click Next until you reach the Configuration screen, set the date range to Past Month, and then click
OK.
4. Click the name of the report in the Report Viewer.
5. Search for “Account Disabled” common events to identify when an account may have been enabled or
disabled.
6. Follow steps 1-7 in Populating Users Lists to add applicable, disabled accounts to the 201 CMR 17:
Disabled And Terminated Accounts list.
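The weekly reconciliation described above can be scripted against an export of the report. The following is an added example, not LogRhythm code: the report rows, their field layout, the common-event names and the current list contents are all constructed for illustration.

```python
"""Weekly check for accounts missing from the
"201 CMR 17: Disabled And Terminated Accounts" list.

Added example, not LogRhythm code. The report rows, their field layout
and the common-event names are constructed for illustration: in a real
deployment the input would be the exported Disabled/Locked Account
Summary report (Past Month) and the current contents of the Users list.
"""
import re

# Constructed export rows: "<timestamp> | <common event> | <account> | <origin host>"
SAMPLE_REPORT_ROWS = """\
2014-08-21 08:02:11 | Account Disabled | jdoe | DC01
2014-08-21 08:05:43 | Account Enabled | jdoe | DC01
2014-08-23 17:20:09 | Account Disabled | mlee | DC02
2014-08-25 09:14:27 | Account Locked | asmith | DC01
2014-08-28 12:00:00 | Account Disabled | pat_intern | DC01
2014-08-29 13:31:50 | Account Unlocked | asmith | DC01
2014-09-10 10:10:10 | Account Deleted | tchen | DC02
"""

# Constructed current contents of the Users list (usernames as typed in List Manager).
CURRENT_LIST = {"pat_intern", "jdoe"}

ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<event>[^|]+?) \| (?P<user>[^|]+?) \| (?P<origin>\S+)$"
)


def parse_rows(text):
    """Parse the constructed export format; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def latest_account_state(rows):
    """Replay the report in time order; the most recent disable/enable wins.

    Lockouts and unlocks are deliberately ignored: a lockout is usually a
    transient failed-logon condition, not a disabled or terminated account,
    so it should not put a user on the terminated-accounts list.
    """
    state = {}
    for r in sorted(rows, key=lambda r: r["ts"]):
        user = r["user"].lower()
        if r["event"] == "Account Disabled":
            state[user] = "disabled"
        elif r["event"] == "Account Enabled":
            state[user] = "enabled"
    return state


def reconcile(rows, current_list):
    """Return (accounts to add, list entries to review).

    to_add: accounts currently disabled that the list does not contain.
    to_review: list entries the report shows were re-enabled; left on the
    list, their legitimate logons would show up in the Terminated Account
    Access/Auth reports as false positives.
    """
    state = latest_account_state(rows)
    current = {u.lower() for u in current_list}
    disabled = {u for u, s in state.items() if s == "disabled"}
    enabled = {u for u, s in state.items() if s == "enabled"}
    return sorted(disabled - current), sorted(current & enabled)


if __name__ == "__main__":
    to_add, to_review = reconcile(parse_rows(SAMPLE_REPORT_ROWS), CURRENT_LIST)
    print("Add to list:", to_add)            # ['mlee']
    print("Re-enabled, review:", to_review)  # ['jdoe']
```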

Filter Usage
Adjusting filter criteria is a vital part of decreasing the number of false positives within the 201 CMR 17
Compliance Module. Exclude filters can remove applications, common events, hosts, IP addresses, etc. from
search criteria. There are many conditions in which an exclude filter can decrease the number of false
positives in search criteria; the following section highlights how to create exclude filters for AIE Rules,
investigations, reports, and tails.

Configuring Alarm Exclude Filter Criteria


All Alarms included in the 201 CMR 17 Compliance Module can be configured with exclude filters. Follow the
instructions listed below to configure exclude filters for Alarms.

1. Open the LogRhythm Console, click Deployment Manager, and then click Alarm Rules.
2. Right-click on a 201 CMR 17 alarm on which an exclude filter should be configured, then click
Properties.
3. Click the Exclude Filters tab.
4. Click the New icon on the top menu.
5. Specify the details for the desired exclude filter criteria.
6. Click OK on the Log Message Filter.
7. Click OK on the Alarm Rule.

Configuring Investigation Exclude Filter Criteria


All Investigations included in the 201 CMR 17 Compliance Module can be configured with exclude filters.
Follow the instructions listed below to configure exclude filters for Investigations.

1. Open the LogRhythm Console and click the Investigate tab.


2. Select one of the saved 201 CMR 17 Investigations on which an Exclude Filter should be configured.
3. Click Next until you reach the Specify Event Selection screen.
4. Specify the details for the desired exclude filter criteria from the Add New Field Filter drop down.

NOTE: To specify exclusions, select the Filter Out (Is Not) Filter Mode.

5. Click Next two times to reach the Save Investigation Configuration screen, then click Save.
6. Click Cancel.


Configuring Report Exclude Filter Criteria


All Reports included in the 201 CMR 17 Compliance Module can be configured with exclude filters. Follow the
instructions listed below to configure exclude filters for Reports.

1. Open the LogRhythm Console and click the Report Center tab.
2. Click the Reports tab.
3. Right-click on the report which needs the exclude filter, then click Properties.
4. Click Next two times to reach the Specify Additional Report Criteria Screen.
5. Specify the details for the desired exclude filter criteria from the Add New Field Filter drop down.

NOTE: To specify exclusions, select the Filter Out (Is Not) Filter Mode.

6. Click Next to reach the Report Details screen, click Apply, and then click OK.

Suppression Usage
Adjusting suppression values is a vital part of adjusting the alarming configuration within the 201 CMR 17
Compliance Module. Suppression values are used to limit the number of alarms generated when the same
type of event occurs numerous times within a specified time window. The following section highlights how
to adjust suppression values for alarms.

Configuring Alarm Suppression


All Alarms included in the 201 CMR 17 Compliance Module can be configured with alarming suppression.
Follow the instructions listed below to configure suppression for Alarms.

1. Open the LogRhythm Console, click Deployment Manager, and then click Alarm Rules.
2. Right-click on a 201 CMR 17 alarm on which suppression should be configured, then click
Properties.
3. Click the Settings tab.
4. Fill in the Suppression Period (see Figure 2).

Figure 2 Configuring Alarm Suppression


NOTE: The Suppression Period is the amount of time in which an alarm will be suppressed after the
first occurrence. When the Suppression Period has elapsed, another alarm will occur if identical events
occur.

5. Click OK on the Alarm Rule.

Threshold Usage
Adjusting threshold values is a vital part of adjusting the alarming configuration within the 201 CMR 17
Compliance Module. Threshold values specify the number of occurrences of an event which must occur
before a specific alarm is triggered. The following section highlights how to adjust threshold values for
alarms.

Configuring Alarm Thresholds


All Alarms included in the 201 CMR 17 Compliance Module can be configured with alarming thresholds. Follow
the instructions listed below to configure thresholds for Alarms.

1. Open the LogRhythm Console, click Deployment Manager, and then click Alarm Rules.
2. Right-click on a 201 CMR 17 alarm on which a threshold should be configured, then click
Properties.
3. Click the Aggregation tab (see Figure 3).

Figure 3 Configuring Alarm Thresholds

4. Fill in a threshold value.

NOTE: The threshold is the number of events which must occur prior to an alarm occurrence. When
the threshold has been exceeded an alarm will occur.

5. Click OK on the Alarm Rule.
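To make the effect of the three noise-mitigation settings (exclude filters, suppression period, threshold) concrete, here is an added Python model that is not LogRhythm code: it applies each setting to constructed events and reports which events alarm, so the default and tuned configurations of the same rule can be compared. The event fields, the (origin, impacted) grouping key and all sample hosts are assumptions.

```python
"""Exclude filter, threshold and suppression applied to one alarm rule.

Added example, not LogRhythm code: it models the behaviour the guide
describes (exclude filters drop events from the criteria, the threshold
is the number of matching events needed before an alarm, the suppression
period silences identical alarms after the first one) on constructed
events. Field names, the grouping key and all sample values are assumptions.
"""
from datetime import datetime, timedelta


class Event:
    def __init__(self, offset_s, classification, origin, impacted):
        # Constructed timestamps relative to a fixed base time.
        self.ts = datetime(2014, 9, 18, 10, 0, 0) + timedelta(seconds=offset_s)
        self.classification = classification
        self.origin = origin
        self.impacted = impacted


class AlarmRule:
    def __init__(self, name, classification, exclude_origins=(),
                 threshold=1, suppression=timedelta(0)):
        self.name = name
        self.classification = classification        # alarm criteria
        self.exclude_origins = set(exclude_origins)  # exclude filter on origin host
        self.threshold = threshold                   # Aggregation tab
        self.suppression = suppression               # Settings tab, Suppression Period


class AlarmEngine:
    """Evaluates events against one rule, grouping by (origin, impacted) host."""

    def __init__(self, rule):
        self.rule = rule
        self.counts = {}      # group -> events counted toward the threshold
        self.last_alarm = {}  # group -> time the group last alarmed
        self.alarms = []

    def process(self, ev):
        r = self.rule
        if ev.classification != r.classification:
            return None                  # outside this rule's criteria
        if ev.origin in r.exclude_origins:
            return "excluded"            # removed by the exclude filter
        key = (ev.origin, ev.impacted)
        last = self.last_alarm.get(key)
        if last is not None and ev.ts - last < r.suppression:
            return "suppressed"          # identical alarm inside the period
        # Assumption: suppressed events do not count toward the next threshold.
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] < r.threshold:
            return "counting"
        self.counts[key] = 0
        self.last_alarm[key] = ev.ts
        self.alarms.append((ev.ts, r.name, key))
        return "alarm"


# Constructed IDS events; 10.0.0.99 is an authorised vulnerability scanner.
SAMPLE_EVENTS = [
    Event(0,   "Attack",  "10.0.0.5",  "192.0.2.10"),
    Event(10,  "Attack",  "10.0.0.5",  "192.0.2.10"),
    Event(20,  "Attack",  "10.0.0.5",  "192.0.2.10"),
    Event(30,  "Attack",  "10.0.0.5",  "192.0.2.10"),
    Event(40,  "Attack",  "10.0.0.99", "192.0.2.10"),
    Event(50,  "Attack",  "10.0.0.7",  "192.0.2.11"),
    Event(60,  "Malware", "10.0.0.5",  "192.0.2.10"),
    Event(360, "Attack",  "10.0.0.5",  "192.0.2.10"),
    Event(370, "Attack",  "10.0.0.5",  "192.0.2.10"),
    Event(380, "Attack",  "10.0.0.5",  "192.0.2.10"),
]

# Untuned: every matching event alarms, nothing excluded or suppressed.
DEFAULT_RULE = AlarmRule("201 CMR 17: Attack Alert", "Attack")
# Tuned as the guide describes: scanner excluded, 3 events needed, 5-minute suppression.
TUNED_RULE = AlarmRule("201 CMR 17: Attack Alert", "Attack",
                       exclude_origins={"10.0.0.99"}, threshold=3,
                       suppression=timedelta(minutes=5))


def run(rule, events=SAMPLE_EVENTS):
    """Return the per-event outcome list and the alarms raised."""
    engine = AlarmEngine(rule)
    outcomes = [engine.process(ev) for ev in events]
    return outcomes, engine.alarms


if __name__ == "__main__":
    for rule in (DEFAULT_RULE, TUNED_RULE):
        outcomes, alarms = run(rule)
        print(rule.name, "alarms:", len(alarms), "outcomes:", outcomes)
```

On the same ten events the untuned rule raises nine alarms and the tuned rule two, which is the reduction the Noise Mitigation section is after.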


201 CMR 17 Reporting Package Scheduling


The LogRhythm 201 CMR 17 Compliance Module provides bundled reports in the form of reporting packages
which help demonstrate regulation compliance. The reporting packages are designed to be executed and
delivered to specific functional areas at designated time periods. This section describes the proper
configuration of 201 CMR 17 reporting packages.

201 CMR 17 Module Reporting Package


The Reporting Package included in the 201 CMR 17 Compliance Module is unscheduled by default. The
following sections describe how to schedule the reporting package.

Scheduling LogRhythm 201 CMR 17 Reporting Package


Follow the instructions listed below to schedule the 201 CMR 17: Audit Daily Reports reporting package.

1. Open the LogRhythm Console and click Report Center.


2. Click Tools, click Reports, and then click Scheduled Report Job Manager.
3. Right-click in the white space of the Scheduled Report Job Manager, then click New.
4. Select the check box for the LogRhythm 201 CMR 17 Reporting Package, then click Next.
5. Select the check box for desired email recipients of the reports (designate internal audit staff if
applicable), then click attach report if you want the recipient to receive the reports as attachments,
then click Next.
6. Select Past Week for the reporting period, select a single day (Sunday) for the report schedule,
specify a unique time in which the reports should run (see Figure 4), specify the UNC path of an
archival location for the reports to be saved, then click Next.

Figure 4 Scheduled Report Options

7. Specify a name for the report schedule, and then click OK.
8. Select the check box for the scheduled report, right-click on the report name, click Action, and then
click Enable.


201 CMR 17 Package Usage


The LogRhythm 201 CMR 17 Compliance Module provides bundled pre-created alarms, investigations, and
reports to help demonstrate regulatory compliance. The 201 CMR 17 Auditor will check for specific line-item
regulations to be met by LogRhythm. This section describes the proper usage of the following functions:

• Security Operations
• Security Management

201 CMR 17 Package Usage for Security Operations


To demonstrate regulatory compliance, security operations personnel must perform the vital role of properly
managing and using the LogRhythm 201 CMR 17 Compliance Module. This section describes the necessary
security operations functions:

• Compliance Monitoring
• Compliance Incident Handling

Security Operations Compliance Monitoring


The process of monitoring required by 201 CMR 17 involves both automated and manual activities. The
automated activities are typically associated with alarms, dashboards and report generation used by security
operations personnel. Investigations are used to identify, report, and remediate incidents.

201 CMR 17 requires:

• 24x7x365 monitoring
• Review of the information being collected by LogRhythm

Monitoring requirements are located throughout the 201 CMR 17 Standards. Per 201 CMR 17 Requirement
17.03.2.h, “Regular monitoring to ensure that the comprehensive information security program is operating in
a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal
information; and upgrading information safeguards as necessary to limit risks.”

The most effective way to meet the monitoring requirements is for security operations personnel to monitor
alarms and dashboard activity, and to review the reports produced by the security operations daily reporting
package, on a daily basis. The 201 CMR 17 Alarms are configured to notify security operations personnel in
the event of a security related event (see Figure 1).

201 CMR 17 Package Usage for Security Management


To demonstrate regulatory compliance, security management personnel must oversee the usage of the
LogRhythm 201 CMR 17 Compliance Module. This section describes the necessary security management
functions of monitoring security operations functions.

The process of monitoring security operations functions involves monitoring the security posture of the
organization as a whole and also monitoring security operations processes such as incident response. The
most effective way to monitor both is daily monitoring of dashboard activity and weekly review of the reports
produced by the security management weekly reporting packages. The LogRhythm 201 CMR 17 Reporting
Package (see Table 8) is configured to send security management security related reports on a weekly
interval.


Appendix A: Pre-Implementation Checklist


Table 2
201 CMR 17 Log Source List | Log Sources
Access Control Systems |
FIM Systems |
Security Systems |

Table 3
201 CMR 17 Users List | Users
Disabled And Terminated Accounts List |


Appendix B: 201 CMR 17 Module Elements


Table 4
Alarms | Directly Meet Requirements | Classifications | Log Sources
201 CMR 17: Attack Alert | 17.03.2.b | Attack | 201 CMR 17: Security Systems
201 CMR 17: Compromise Alert | 17.03.2.b | Compromise | 201 CMR 17: Security Systems
201 CMR 17: Denial Of Service Alert | 17.03.2.b | Denial of Service | 201 CMR 17: Security Systems
201 CMR 17: Malware Alert | 17.03.2.b | Malware | 201 CMR 17: Security Systems
201 CMR 17: Vulnerability Alert | 17.03.2.b | Vulnerability | 201 CMR 17: Security Systems

Table 5
Investigations | Augment Requirements | Data Source | Intelligent Indexing | Classifications | Log Sources
201 CMR 17: Network Service Detail | 17.04.3 | Log Manager | No | Network Allow, Network Deny, Network Traffic | 201 CMR 17: Security Systems
201 CMR 17: Network Connection Detail | 17.04.3 | Log Manager | No | Network Allow, Network Deny, Network Traffic | 201 CMR 17: Security Systems

Table 6
Reports | Requirements (Directly Meet / Augmented) | Data Source | Intelligent Indexing | Classifications | Log Sources
201 CMR 17: Account Access Summary | 17.03.2.h, 17.04.4 | Log Manager | Yes | Access Failure, Access Success | 201 CMR 17: Account Access Summary
201 CMR 17: Account Authentication Summary | 17.03.2.h, 17.04.4 | Log Manager | Yes | Authentication Failure, Authentication Success | 201 CMR 17: Account Authentication Summary
201 CMR 17: Account Deletion Summary | 17.03.2.e, 17.04.1.d | Log Mart | No | Account Deletion | 201 CMR 17: Account Deletion Summary
201 CMR 17: Alarm And Response Activity | 17.03.2.j | Event Manager | N/A | N/A | 201 CMR 17: Alarm And Response Activity
201 CMR 17: Antivirus Information Summary | 17.04.7 | Log Manager | Yes | Information | 201 CMR 17: Antivirus Information Summary
201 CMR 17: Antivirus Issue Summary | 17.04.7 | Log Mart | No | Critical, Error, Warning | 201 CMR 17: Antivirus Issue Summary
201 CMR 17: Critical/Error Condition Summary | 17.03.2.b.3 | Log Mart | No | Critical, Error | 201 CMR 17: Critical/Error Condition Summary
201 CMR 17: Default Account Access Summary | 17.04.2.b | Log Manager | Yes | Access Failure, Access Success | 201 CMR 17: Default Account Access Summary
201 CMR 17: Default Account Auth Summary | 17.04.2.b | Log Manager | Yes | Authentication Failure, Authentication Success | 201 CMR 17: Default Account Auth Summary
201 CMR 17: Disabled/Locked Account Summary | 17.03.2.e, 17.04.1.d, 17.04.1.e | Log Mart | No | Access Revoked | 201 CMR 17: Disabled/Locked Account Summary
201 CMR 17: File Integrity Monitoring Summary | 17.04.2.a | Log Manager | No | Activity | 201 CMR 17: File Integrity Monitoring Summary
201 CMR 17: Host Firewall Error Summary | 17.04.6 | Log Mart | No | Critical, Error, Warning | 201 CMR 17: Host Firewall Error Summary
201 CMR 17: Host Firewall Information Summary | 17.04.6 | Log Mart | No | Information | 201 CMR 17: Host Firewall Information Summary
201 CMR 17: Network Connection Summary | 17.04.3 | Log Manager | No | Network Allow, Network Deny, Network Traffic | 201 CMR 17: Network Connection Summary
201 CMR 17: Network Service Summary | 17.04.3 | Log Manager | No | Network Allow, Network Deny, Network Traffic | 201 CMR 17: Network Service Summary
201 CMR 17: Non-Encrypted Protocol Summary | 17.04.3 | Log Manager | Yes | Network Allow, Network Deny, Network Traffic | 201 CMR 17: Non-Encrypted Protocol Summary
201 CMR 17: Security Event Summary by Application | 17.03.2.b | Log Mart | No | Activity, Attack, Compromise, Denial Of Service, Malware, Misuse, Reconnaissance, Suspicious, Vulnerability | 201 CMR 17: Security Event Summary by Application
201 CMR 17: Security Event Summary by Entity | 17.03.2.b | Log Mart | No | Activity, Attack, Compromise, Denial Of Service, Malware, Misuse, Reconnaissance, Suspicious, Vulnerability | 201 CMR 17: Security Event Summary by Entity
201 CMR 17: Security Event Summary by Impactd Host | 17.03.2.b | Log Mart | No | Activity, Attack, Compromise, Denial Of Service, Malware, Misuse, Reconnaissance, Suspicious, Vulnerability | 201 CMR 17: Security Event Summary by Impactd Host
201 CMR 17: Security Event Summary by Origin Host | 17.03.2.b | Log Mart | No | Activity, Attack, Compromise, Denial Of Service, Malware, Misuse, Reconnaissance, Suspicious, Vulnerability | 201 CMR 17: All Log Sources
201 CMR 17: Signature Update Summary | 17.04.7 | Log Mart | No | Configuration, Error | 201 CMR 17: All Log Sources
201 CMR 17: Software Update Summary | 17.04.6 | Log Mart | No | Configuration, Error | 201 CMR 17: Access Control Systems
201 CMR 17: Terminated Account Access Summary | 17.03.2.e, 17.04.1.d | Log Manager | Yes | Access Failure, Access Success | 201 CMR 17: All Log Sources
201 CMR 17: Terminated Account Auth Summary | 17.03.2.e, 17.04.1.d | Log Manager | Yes | Authentication Failure, Authentication Success | 201 CMR 17: Security Systems


Table 7
List Name | List Type | Type of Item
201 CMR 17: All Log Sources | Log Sources | Pre-populated log source list (201 CMR 17: Access Control Systems, 201 CMR 17: FIM Systems, 201 CMR 17: Security Systems)
201 CMR 17: Access Control Systems | Log Sources | Log source systems which handle access control (Example: Active Directory Domain Controllers, Single Sign-on Servers, Radius Servers)
201 CMR 17: FIM Systems | Log Sources | Log source systems which contain file integrity monitoring software (Example: Laptops, Servers, Workstations)
201 CMR 17: Security Systems | Log Sources | Log source systems which contain network security services (Example: Anti-SPAM, Content Filters, Firewalls, Intrusion Detection Systems/Intrusion Prevention Systems, Routers, Switches, Virtual Private Networking, and Wireless)
201 CMR 17: Disabled And Terminated Accounts List | Users | List all shared user accounts (Example: Pat_Intern)

Table 8
Reporting Package: LogRhythm 201 CMR 17 Reporting Package
Interval: Weekly
Functional Area: Audit, IT, Security
Reports:
  201 CMR 17: Account Access Summary
  201 CMR 17: Account Authentication Summary
  201 CMR 17: Account Deletion Summary
  201 CMR 17: Alarm And Response Activity
  201 CMR 17: Antivirus Information Summary
  201 CMR 17: Antivirus Issue Summary
  201 CMR 17: Critical/Error Condition Summary
  201 CMR 17: Default Account Access Summary
  201 CMR 17: Default Account Auth Summary
  201 CMR 17: Disabled/Locked Account Summary
  201 CMR 17: File Integrity Monitoring Summary
  201 CMR 17: Host Firewall Error Summary
  201 CMR 17: Host Firewall Information Summary
  201 CMR 17: Network Connection Summary
  201 CMR 17: Network Service Summary
  201 CMR 17: Non-Encrypted Protocol Summary
  201 CMR 17: Security Event Summary by Application
  201 CMR 17: Security Event Summary by Entity
  201 CMR 17: Security Event Summary by Impactd Host
  201 CMR 17: Security Event Summary by Origin Host
  201 CMR 17: Signature Update Summary
  201 CMR 17: Software Update Summary
  201 CMR 17: Terminated Account Access Summary
  201 CMR 17: Terminated Account Auth Summary


Table 9
List: 201 CMR 17: Security Systems
  Alarms: 201 CMR 17: Attack Alert, 201 CMR 17: Compromise Alert, 201 CMR 17: Denial Of Service Alert, 201 CMR 17: Malware Alert, 201 CMR 17: Vulnerability Alert
  Investigations: 201 CMR 17: Network Connection Detail, 201 CMR 17: Network Service Detail

Table 10
Lists | Reports
201 CMR 17: All Log Sources | (11 reports, listed below)
    201 CMR 17: Account Access Summary
    201 CMR 17: Account Authentication Summary
    201 CMR 17: Alarm And Response Activity
    201 CMR 17: Critical/Error Condition Summary
    201 CMR 17: Default Account Access Summary
    201 CMR 17: Default Account Auth Summary
    201 CMR 17: Host Firewall Error Summary
    201 CMR 17: Host Firewall Information Summary
    201 CMR 17: Software Update Summary
    201 CMR 17: Terminated Account Access Summary
    201 CMR 17: Terminated Account Auth Summary
201 CMR 17: Access Control Systems | (2 reports, listed below)
    201 CMR 17: Account Deletion Summary
    201 CMR 17: Disabled/Locked Account Summary
201 CMR 17: FIM Systems | (1 report, listed below)
    201 CMR 17: File Integrity Monitoring Summary
201 CMR 17: Security Systems | (10 reports, listed below)
    201 CMR 17: Antivirus Information Summary
    201 CMR 17: Antivirus Issue Summary
    201 CMR 17: Network Connection Summary
    201 CMR 17: Network Service Summary
    201 CMR 17: Non-Encrypted Protocol Summary
    201 CMR 17: Security Event Summary by Application
    201 CMR 17: Security Event Summary by Entity
    201 CMR 17: Security Event Summary by Impacted Host
    201 CMR 17: Security Event Summary by Origin Host
    201 CMR 17: Signature Update Summary
201 CMR 17: Disabled And Terminated Accounts List | (2 reports, listed below)
    201 CMR 17: Terminated Account Access Summary
    201 CMR 17: Terminated Account Auth Summary


Appendix C: 201 CMR 17 Requirements Matrix


Table 11
201 CMR 17 Requirements | Support | Alarms
17.03.2.b: Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks. | Direct | 201 CMR 17: Attack Alert; 201 CMR 17: Compromise Alert; 201 CMR 17: Denial Of Service Alert; 201 CMR 17: Malware Alert; 201 CMR 17: Vulnerability Alert

Table 12
201 CMR 17 Requirements | Support | Investigations
17.04.3: Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. | Augment | 201 CMR 17: Network Connection Detail; 201 CMR 17: Network Service Detail

Table 13
201 CMR 17 Requirements | Support | Reports
17.03.2.b: Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks. | Direct | 201 CMR 17: Critical/Error Condition Summary; 201 CMR 17: Security Event Summary by Application; 201 CMR 17: Security Event Summary by Entity; 201 CMR 17: Security Event Summary by Impacted Host; 201 CMR 17: Security Event Summary by Origin Host
17.03.2.b.3: Means for detecting and preventing security system failures. | Direct | 201 CMR 17: Critical/Error Condition Summary
17.03.2.e: Preventing terminated employees from accessing records containing personal information. | Augment | 201 CMR 17: Account Deletion Summary; 201 CMR 17: Disabled/Locked Account Summary; 201 CMR 17: Terminated Account Access Summary; 201 CMR 17: Terminated Account Auth Summary
17.03.2.h: Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks. | Direct | 201 CMR 17: Account Access Summary; 201 CMR 17: Account Authentication Summary
17.03.2.j: Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information. | Direct | 201 CMR 17: Alarm And Response Activity


17.04.1.d: Restricting access to active users and active user accounts only. | Augment | 201 CMR 17: Account Deletion Summary; 201 CMR 17: Disabled/Locked Account Summary; 201 CMR 17: Terminated Account Access Summary; 201 CMR 17: Terminated Account Auth Summary
17.04.1.e: Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system. | Augment | 201 CMR 17: Disabled/Locked Account Summary
17.04.2.a: Restrict access to records and files containing personal information to those who need such information to perform their job duties. | Augment | 201 CMR 17: File Integrity Monitoring Summary
17.04.2.b: Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls. | Augment | 201 CMR 17: Default Account Access Summary; 201 CMR 17: Default Account Auth Summary
17.04.3: Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. | Augment | 201 CMR 17: Network Connection Summary; 201 CMR 17: Network Service Summary; 201 CMR 17: Non-Encrypted Protocol Summary
17.04.4: Reasonable monitoring of systems, for unauthorized use of or access to personal information. | Direct | 201 CMR 17: Account Access Summary; 201 CMR 17: Account Authentication Summary
17.04.6: For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information. | Augment | 201 CMR 17: Host Firewall Error Summary; 201 CMR 17: Host Firewall Information Summary; 201 CMR 17: Software Update Summary
17.04.7: Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. | Augment | 201 CMR 17: Antivirus Information Summary; 201 CMR 17: Antivirus Issue Summary; 201 CMR 17: Signature Update Summary


Appendix D: Data Management Settings


Global Data Management Settings
In Deployment Manager, click the Event Manager tab, and then click Global Data Management Settings.
Ensure all check boxes under Global Configuration Options are checked, as shown below:

Figure 5 Global Configuration Options


Classification Based Data Management Settings


In the same Data Management Settings window, click the Classification Based Data Management Settings tab.

Ensure Classification Based Data Management (CBDM) is enabled, with all Global CBDM Settings check boxes enabled, as shown below:

Figure 6 Classification Based Data Management Settings

Global Classification Settings (GCS)


The Global Classification Settings should be configured as outlined below:

Table 14
Classification Type | Classification | Online | Archive | LogMart
Audit | Startup and Shutdown | NR | R | NR
Audit | Configuration | O | R | R
Audit | Policy | O | R | NR
Audit | Account Created | O | R | NR
Audit | Account Modified | O | R | NR
Audit | Account Deleted | O | R | NR
Audit | Access Granted | O | R | NR
Audit | Access Revoked | R | R | R
Audit | Authentication Success | R | R | NR
Audit | Authentication Failure | R | R | NR
Audit | Access Success | R | R | NR


Audit | Access Failure | R | R | NR
Audit | Other Audit Success | NR | R | NR
Audit | Other Audit Failure | O | R | NR
Audit | Other Audit | R | R | NR
Security | Compromise | R | R | R
Security | Attack | R | R | R
Security | Denial Of Service | R | R | R
Security | Malware | R | R | R
Security | Suspicious | R | R | R
Security | Reconnaissance | R | R | R
Security | Misuse | R | R | R
Security | Activity | R | R | R
Security | Vulnerability | R | R | R
Security | Failed Attack | NR | R | NR
Security | Failed Denial of Service | NR | R | NR
Security | Failed Malware | NR | R | NR
Security | Failed Suspicious | NR | R | NR
Security | Failed Misuse | NR | R | NR
Security | Failed Activity | NR | R | NR
Security | Other Security | NR | R | NR
Operations | Critical | R | R | R
Operations | Error | R | R | R
Operations | Warning | R | R | R
Operations | Information | O | R | NR
Operations | Network Allow | R | R | NR
Operations | Network Deny | R | R | NR
Operations | Network Traffic | R | R | NR
Operations | Other Operations | NR | R | NR

R = Required for reports to properly populate and to meet compliance regulation archiving standards
O = Optional, but recommended for forensic search support
NR = Not required and not recommended
