The system must allow authorized users to inspect their own session history.
Systems usually collect personal and transactional data from their users. Users should have control of their own data and, as such, should be allowed to query and inspect whatever information the system has collected from them, including their session history.
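An added example, not part of the original page: one way to enforce the "own history only" rule, assuming a SQLite-backed store. The class `SessionHistory`, its column names and the sample rows are hypothetical.

```python
import sqlite3

class SessionHistory:
    """Hypothetical store: each user may read only their own session records."""
    # Fields shown to the data subject; token hashes are never returned.
    VISIBLE = ("started_at", "ended_at", "source_ip", "user_agent")

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE sessions (user_id TEXT, token_hash TEXT, started_at TEXT,"
            " ended_at TEXT, source_ip TEXT, user_agent TEXT)")

    def record(self, user_id, token_hash, started_at, source_ip, user_agent):
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?, NULL, ?, ?)",
                        (user_id, token_hash, started_at, source_ip, user_agent))

    def close(self, token_hash, ended_at):
        self.db.execute("UPDATE sessions SET ended_at = ? WHERE token_hash = ?",
                        (ended_at, token_hash))

    def history_for(self, authenticated_user, requested_user):
        # Identity comes from the authenticated session; a request that names
        # any other user (or arrives unauthenticated) is refused.
        if not authenticated_user or authenticated_user != requested_user:
            raise PermissionError("users may only inspect their own session history")
        # VISIBLE is a fixed constant, so building the column list is safe;
        # the user id is always bound as a query parameter.
        cols = ", ".join(self.VISIBLE)
        rows = self.db.execute(
            f"SELECT {cols} FROM sessions WHERE user_id = ? ORDER BY started_at DESC",
            (authenticated_user,)).fetchall()
        return [dict(zip(self.VISIBLE, row)) for row in rows]

def build_sample():
    """Constructed sample data (documentation IP ranges)."""
    store = SessionHistory()
    store.record("alice", "h1", "2024-03-01T08:00:00Z", "203.0.113.10", "Firefox")
    store.record("alice", "h2", "2024-03-02T09:30:00Z", "198.51.100.7", "Mobile app")
    store.record("bob", "h3", "2024-03-02T10:00:00Z", "203.0.113.44", "Chrome")
    store.close("h1", "2024-03-01T08:45:00Z")
    return store

if __name__ == "__main__":
    for entry in build_sample().history_for("alice", "alice"):
        print(entry)
```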
This requirement is verified in the following services
- GDPR-R7. The framework is based on control and certainty
- HIPAA-164_308_a_1_ii_D. Information system activity review (required)
- NYDFS-500_14. Training and monitoring
- MITRE ATT&CK®-M1029. Remote data storage
- PA-DSS-4_1. Log all user access and be able to link all activities to individual users
- PDPO-5_27. Log book to be kept by data user
- CMMC-AU_L2-3_3_2. User accountability
- CMMC-PE_L1-3_10_4. Physical access logs
- HITRUST CSF-13_f. Principle access
- HITRUST CSF-13_s. Privacy monitoring and auditing
- ISO/IEC 27002-5_16. Identity management
- LGPD-18_II. Data Subjects Rights
- MVSP-2_7. Application design controls - Logging
- OWASP SCP-7. Error handling and logging
- PCI DSS-10_2_1_3. Audit logs are enabled and active for all system components
- OWASP API Security Top 10-API10. Insufficient Logging & Monitoring
- ISO/IEC 27001-5_16. Identity management