Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

In the event of a security incident you will need to review system logs to trace events back to a user. If your systems are not configured to capture the appropriate logs you will not be able to identify which account committed the security incident. Collecting the necessary information in audit logs allows you to trace actions to a specific user. Collected logs may include user IDs, source and destination addresses, and time stamps. Logs should be collected from from network devices, servers, computers, and cloud resources.

Your systems need to capture logs that can aid in tracing actions back to a user. Your logs should capture user IDs, source and destination IP addresses, and time stamps.