16.1 12 – Operations Security

Select Reports > Portal > Repository > Standard Content > IT GOV > ISO-27002 > Reports > ISO 12 - Operations Security.

Section 12: Operations security of the ISO 27002 standard focuses on ensuring that the facilities that store and process information are protected from malware, data loss, and the exploitation of technical vulnerabilities. Use the following reports to check for compliance with the standard.

Administrative Actions All Events

Reports the accounts that have performed the most administrative actions. The table provides results by admin account, destination IP address, the name and ID of the detected event, the affected product, the number of events, and the date of the most recent event.

Administrative Logins and Logouts

Reports the hosts that have had the highest number of logins and logouts by administrative accounts. The table provides results by the name of the event, the admin account, the IP address and name of the affected host, the action taken, the number of events, and the date of the most recent event.

Application Configuration Modification

Reports the applications that have had the highest number of configuration changes. For example, a user might have updated a license file or a program setting. The table provides results by the vendor and product modified, the IP address and zone of the host system, and the date that the modification occurred.

Audit Log Cleared

Reports the number of audit logs that have been cleared over time. The table provides results by the date, IP address and host of the affected system, the affected account, the source account that cleared the audit log, and the affected device.

Changes to Operating System

Reports the 10 hosts with the most changes to the operating system. Detected modifications might be to the security options or OS accounts. The table provides results by IP address and name of the affected host system, the device product and vendor that were changed, and the destination zone.

Device Configuration Changes

Reports the type and number of modifications made to devices in the network. The table provides results by the date, time, event name, affected product, and the host where the changes occurred.

Device Logging Review

Reports the devices with the most logging events, such as a database server. The table provides results by the device host name and address, the vendor and product affected, the number of events detected for that product, and the date of the most recent event.

Because this report queries the logging activity from all devices, it will have a performance impact each time that you run it.

Exploit of Vulnerabilities

Reports the number of detected events where a user might have exploited a well-known vulnerability. For example, an IDS might report an event associated with a Unicode vulnerability. The table provides results by the vulnerability, the affected host, and the number of detected events.

Failed Administrative User Logins

Reports the number of failed logins by administrative accounts over time. A high number of failed access attempts can indicate malicious activity. The table provides results by account name, the name and IP address of the host where the login failed, the affected product or operating system, the number of failures detected, and the date of the most recent event.

Failed User Logins

Reports the number of failed logins over time. A high number of failed access attempts can indicate malicious activity. The table provides results by account name, the name and IP address of the host where the login failed, the affected product or operating system, the number of failures detected, and the date of the most recent event.

Logins to Databases Machines

Reports the user accounts with the most attempts to log in to databases in your environment. The table provides results by the user account, the affected host, the number of attempts, whether the attempt was successful, and the date of the most recent event.

Machines Conducting Policy Breaches

Reports the systems with the most policy breaches, that is, events whose category technique matches /Policy/Breach. The table provides results by the device group, affected vendor and product, the IP address and name of the host, and the date of the breach.

Malicious Code Sources

Reports the devices where a malicious code source has been detected. The table provides results by the event name, the affected device, the source device, the affected product, the category of the malicious code, and the outcome.

Successful Administrative User Logins

Reports the number of successful logins by administrative accounts over time. The table provides results by account name, the name and IP address of the host where the logins occurred, the affected product or operating system, the number of successful logins, and the date of the most recent event.

Successful User Logins

Reports the number of successful logins over time. The table provides results by account name, the name and IP address of the host where the logins occurred, the affected product or operating system, the number of successful logins, and the date of the most recent event.

User Actions Summary

Reports the non-administrative accounts with the most actions taken. For example, a user might delete an infected file. The report provides results by the source account, the affected account, the name of the event, the IP address where the action occurred, the affected product, the outcome of the user’s action, the number of times that the action was detected, and the date of the most recent event.

Run this report with caution, as it can generate enormous amounts of data. This report will not include events in which both source and destination users are null.

User Logins and Logouts

Reports the user accounts that log in and out most often. The table provides results by the name and category of the login action, the user account, the IP address, name, and zone of the affected system, and the date of the event.

Virus Infected Machines

Reports the systems with the most detected viruses by affected product. The table provides results by the virus name, the affected system and product, and the date of the event.