The integrity of the audit trail is paramount for an IS auditor. If a firewall is compromised, an attacker's first action is often to alter or delete local logs to cover their tracks. Storing logs on a separate, protected host (e.g., a SIEM or a hardened log server) ensures that a reliable and tamper-evident record of all network activity and potential security incidents is preserved. This preserved evidence is essential for forensic investigation, incident response, and for the auditor to verify the firewall's operational effectiveness over time.

B. Automated alerts are being sent when a risk is detected: Alerts are generated from log data. If the underlying logs are not protected and can be tampered with (as addressed in A), the alerts become unreliable or may not be generated at all.

C. Insider attacks are being controlled: This is a broad security objective, not a specific firewall control. A firewall is only one component in a defense-in-depth strategy to mitigate insider threats.

D. Access to configuration files Is restricted: While this is a critical preventive control, a system can still be compromised via other means (e.g., a zero-day vulnerability). In such a case, secure, external logs are the only way to detect and investigate the breach. The integrity of evidence (logs) is fundamental to the audit function.

---

1. ISACA

CISA Review Manual

27th Edition

2019.

Page 213

Section 4.4.4 Security Event Logging and Monitoring: "The IS auditor should verify that security events are logged and that the logs are secured to prevent tampering... Log data should be sent to a dedicated log server to prevent the logs from being destroyed by an attacker." This directly supports the critical need to secure logs on a separate host to prevent tampering

which is a primary concern for an auditor.

2. ISACA

"Auditing Network Perimeters

" Audit Program

2016.

Section 3.2.4: The audit program directs the auditor to "Verify that firewall logs are enabled to log all inbound and outbound traffic

and sent to a dedicated and secured log server." This step is crucial for ensuring a complete and reliable audit trail

which underpins the entire audit of the control's operation.

3. NIST Special Publication 800-92

"Guide to Computer Security Log Management

" 2006.

Section 3.4.1

Page 3-10: "Organizations should store logs on dedicated log servers

not on the hosts that generate the logs... Storing logs on a different system from the one that generates them makes it more difficult for attackers to tamper with the logs." This official guideline establishes the practice as a fundamental security principle for maintaining log integrity.