Audit

Audit procedures are required in order to determine whether or not the product is used appropriately and to allow inappropriate use to be detected and addressed.

An Audit journal must be maintained to record access to the HSM and its environment. There must be personnel available to ensure that the journal is regularly reviewed to detect inappropriate use. Reviews must be conducted by trusted personnel who are independent of the operators. Procedures must be in place to react to any hostile incidents. Access to the journal must be controlled and it should be regularly backed up, with a copy kept off-site.

Recommendations for content are as follows:

1. Audit logs must not contain any sensitive information (e.g. key data).

2. Whenever a maintenance function or authorised function is used, this fact must be recorded, with details of the function used and the reason for its use.

3. Whenever the product is put into a new operating state this must be recorded.

4. Every movement from one location to another must be recorded, together with the reason for the movement.

5. Every access to the HSM Secure Area must be recorded.

6. Every access to an authorising, LMK or HSM settings SmartCard must be recorded and include the name of the officer involved and the reason for its use.

7. Where PINs are written down, every access to a PIN must be recorded and include the name of the officer involved and the reason for its use.

8. Access to PIN printing areas must be recorded, including details of damaged and destroyed PIN mailer material.

9. Every access to physical keys must be recorded and include the name of the officer involved.

10. It must always be possible to determine the current operating state by viewing the audit journal.

11. The audit journals must be regularly reviewed to aid discovery of any hostile action that may have occurred to the product.

12. Procedures must exist to react to and counter such a hostile action if discovered during the course of such review.

13. Reviews must be conducted by trusted personnel who are independent of the operators.

14. The information recorded in logs should be easy to understand and organised in such a way as to make analysis of log information both straightforward and useful.

15. Audit information should be regularly backed up and stored off-site in such a way that it can be easily restored if necessary.

16. All entries must include date, time, name of the officer involved and the reason for access.

17. An authorised individual must sign all audit entries. Where an action requires more than one individual, both individuals must sign the entry.

18. Sufficient resource must be available to allow complete auditing to occur.

19. The audit logs must be protected by an access control mechanism.

20. It must not be possible to delete or modify the audit journal.
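As an added illustration (not part of these recommendations or of any vendor's software), the following Python sketch shows one way a journal can satisfy items 1, 10, 16, 17 and 20: every entry carries the required fields, certain actions need two signatories, key-like data is refused, and entries are hash-chained so that editing or deleting any entry makes verification fail from that point on. The action names and the hex pattern used to spot sensitive data are assumptions.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Fields every entry must carry (recommendation 16, plus the action taken).
REQUIRED = ("date", "time", "officers", "reason", "action", "state")
# Assumed pattern for material that must never reach the journal (item 1):
# long runs of hex such as key components or check values.
SENSITIVE = re.compile(r"\b[0-9A-Fa-f]{16,}\b")
# Assumed names of actions that require two signatories (item 17).
DUAL_CONTROL = {"LMK load", "authorised state entry"}
GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_entry(prev_hash, action, officers, reason, state, when=None):
    """Build one journal entry chained to prev_hash; raises on policy breaches."""
    when = when or datetime.now(timezone.utc)
    if any(SENSITIVE.search(text) for text in (action, reason)):
        raise ValueError("sensitive data must not be written to the journal")
    if action in DUAL_CONTROL and len(officers) < 2:
        raise ValueError(f"{action} requires two signatories")
    entry = {
        "date": when.strftime("%Y-%m-%d"), "time": when.strftime("%H:%M:%S"),
        "officers": list(officers), "reason": reason, "action": action,
        "state": state, "prev": prev_hash,
    }
    entry["hash"] = _digest(entry)  # hash covers every field incl. prev
    return entry


def verify(journal):
    """Return (ok, index): ok is False at the first edited or missing entry."""
    prev = GENESIS
    for i, entry in enumerate(journal):
        if any(k not in entry for k in REQUIRED) or entry.get("prev") != prev:
            return False, i  # gap in the chain: an entry was removed or reordered
        body = {k: v for k, v in entry.items() if k != "hash"}
        if _digest(body) != entry["hash"]:
            return False, i  # contents changed after the entry was written
        prev = entry["hash"]
    return True, len(journal)


def current_state(journal):
    # Item 10: the operating state is readable from the journal alone.
    return journal[-1]["state"] if journal else None
```

A real deployment would also anchor the chain hashes somewhere the operators cannot write (the off-site backup of item 15 or a signed summary), since the chain alone only detects tampering with entries that are followed by others.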