The system must register the severity level for each exceptional and security event.
CIS Controls 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
CWE-223: Omission of Security-relevant Information: The application does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
CWE-532: Insertion of Sensitive Information into Log File: Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
CWE-778: Insufficient Logging: When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.
ISO 27001:2013 Annex A 12.4.1: Store, maintain and regularly review records of user activities, exceptions, failures and information security events.
OWASP Top 10 A10:2017 Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
OWASP-ASVS v4.0.1 V1.7 Errors, Logging and Auditing Architectural Requirements (1.7.1): Verify that a common logging format and approach is used across the system.
OWASP-ASVS v4.0.1 V7.1 Log Content Requirements (7.1.4): Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens.
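The following is an added example, not code from the requirement page or from any of the standards it cites. It shows one way to meet the requirement in an application: every security event is emitted as a single structured JSON line that carries a mandatory severity level together with the fields CIS 6.3 and ASVS 7.1.4 ask for (source, timestamp, user, source and destination addresses, outcome), sensitive values are redacted before the line is written (CWE-532), and an audit helper scans existing log lines for events whose severity is missing or off-scale (CWE-778). The four-step severity scale, the component name "auth-service", the field names and the sample log lines are all assumptions constructed for this example.

```python
import json
import logging
from datetime import datetime, timezone

# Severity scale used in this example (an assumption; the requirement does not prescribe one).
SEVERITY_LEVELS = ("low", "medium", "high", "critical")

# Map each severity to a stdlib logging level so existing handlers can filter on it.
LEVEL_MAP = {
    "low": logging.INFO,
    "medium": logging.WARNING,
    "high": logging.ERROR,
    "critical": logging.CRITICAL,
}

# Keys whose values must never reach the log file (CWE-532).
SENSITIVE_KEYS = {"password", "token", "secret", "authorization", "cookie"}

logger = logging.getLogger("security")
logger.setLevel(logging.INFO)


def redact(details):
    """Return a copy of details with sensitive values replaced by a marker."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in details.items()}


def build_security_event(event_type, severity, user, source_ip, destination, outcome, details=None):
    """Build one structured security event carrying the fields CIS 6.3 / ASVS 7.1.4 require.

    Raises ValueError when severity is missing or not on the agreed scale, so an
    event can never be written without a severity level.
    """
    if severity not in SEVERITY_LEVELS:
        raise ValueError(f"severity must be one of {SEVERITY_LEVELS}, got {severity!r}")
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "source": "auth-service",  # hypothetical name of the emitting component
        "event_type": event_type,
        "severity": severity,
        "user": user,
        "source_ip": source_ip,
        "destination": destination,
        "outcome": outcome,
        "details": redact(details or {}),
    }


def log_security_event(event_type, severity, user, source_ip, destination, outcome, details=None):
    """Validate, redact and emit the event as one JSON line; return the emitted record."""
    record = build_security_event(event_type, severity, user, source_ip, destination, outcome, details)
    logger.log(LEVEL_MAP[severity], json.dumps(record, sort_keys=True))
    return record


def find_incomplete_events(log_lines,
                           required=("timestamp", "severity", "user", "source_ip", "event_type")):
    """Audit helper: return (line_number, problems) for every JSON log line that omits a
    required field or carries a severity outside the agreed scale (CWE-778 check)."""
    findings = []
    for n, line in enumerate(log_lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, ["unparseable"]))
            continue
        problems = [f for f in required if f not in event]
        if "severity" in event and event["severity"] not in SEVERITY_LEVELS:
            problems.append("severity:invalid")
        if problems:
            findings.append((n, problems))
    return findings


# Constructed sample log lines (not real data): line 2 lacks a severity, line 3 uses an
# off-scale value. Addresses are from the documentation range 198.51.100.0/24.
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": "2024-01-01T00:00:00+00:00", "severity": "high", "user": "alice",
                "source_ip": "198.51.100.7", "event_type": "login_failure"}),
    json.dumps({"timestamp": "2024-01-01T00:00:01+00:00", "user": "bob",
                "source_ip": "198.51.100.8", "event_type": "login_failure"}),
    json.dumps({"timestamp": "2024-01-01T00:00:02+00:00", "severity": "urgent", "user": "carol",
                "source_ip": "198.51.100.9", "event_type": "privilege_change"}),
]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log_security_event("login_failure", "medium", "alice", "198.51.100.7", "/login", "denied",
                       {"reason": "bad password", "password": "hunter2"})
    for line_no, fields in find_incomplete_events(SAMPLE_LOG_LINES):
        print(f"line {line_no}: missing or invalid {fields}")
```

The severity check sits in the builder rather than at the call site so that no code path can emit an event without one, and the audit helper gives a reviewer a quick way to verify existing logs against the same rule during the periodic review ISO 27001 A.12.4.1 calls for.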