Integrity Monitoring
6. Was the attempt to access the system successful? (And if yes, how much
data was retrieved? What may have been changed?)
The evidence available to the reviewer is provided:
• Within the client system (this may be infeasible—such as in web-based
commerce systems)
• Within the system (including the logs produced by the system that are sent
to a remote system)
• Between the client and the system (such as firewall logs, IDS/IPS devices,
and host-based events and logs)
More and more we need to start looking to network-based controls to protect and log
SCADA systems.
Auditing within the client entails using the evidence available on the client itself.
Client systems can hold a wealth of system access tools and the logs ...