Log Web Proxy Activity for Security Analysis
Record details of websites accessed through web proxies, including web address and user info, for security tracking.
Plain language
This control is about keeping track of all the websites that people in your organisation visit using web proxies, along with details like when they visited and how much data was transferred. This is important because it helps catch any unauthorised or suspicious activities that could lead to security breaches or data leaks.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
The following details are centrally logged for websites accessed via web proxies:
- web address
- date and time
- user
- amount of data uploaded and downloaded
- internal and external IP addresses.
Why it matters
Without centrally logging web proxy activity, detecting unauthorised browsing or data exfiltration is delayed, increasing the likelihood and impact of a breach.
Operational notes
Centrally log proxy URL, timestamp, user, bytes in/out and internal/external IPs; alert on spikes and suspicious domains, and review retention and access controls.
Implementation tips
- The IT team should set up a system to log web proxy activity. This can be done by configuring your web proxy software to automatically record details of every website visited, including the addresses, times, and associated user details.
- A System Administrator should ensure the logging system captures the necessary data. They can do this by checking that the logs include web addresses, dates and times of access, the identity of users, data transfers, and both internal and external IP addresses.
- Managers should inform staff about the monitoring. Hold a briefing session to explain that web use is logged for security reasons, and share a policy document so everyone understands acceptable use and the reasons behind these measures.
- The IT team should regularly review the logs for suspicious behaviour. Use tools or scripts to highlight unusual activity, like accessing sketchy websites or transferring large amounts of data, and then investigate these further.
- A Data Protection Officer should ensure log data is stored securely. Implement access controls so that only authorised staff can view it, and ensure that logs are backed up regularly and retained for a suitable period as per your policy.
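One way to script the completeness check and the large-transfer review described in the tips above, as an added example that is not part of the original page. It assumes the proxy exports one JSON object per line; the field names, the upload threshold and the sample lines are all assumptions made for illustration.

```python
import json
from collections import defaultdict

# Assumed field names for the details ISM-0261 lists; map them to your proxy's schema.
REQUIRED = ("url", "timestamp", "user", "bytes_up", "bytes_down", "src_ip", "dst_ip")
UPLOAD_LIMIT = 50_000_000  # assumed per-user upload threshold (bytes) for the review window

# Constructed sample log lines (not real traffic).
SAMPLE = """\
{"url": "https://intranet.example/wiki", "timestamp": "2024-05-01T09:00:12Z", "user": "alice", "bytes_up": 1200, "bytes_down": 48000, "src_ip": "10.0.0.12", "dst_ip": "203.0.113.10"}
{"url": "https://files.example/upload", "timestamp": "2024-05-01T09:05:40Z", "user": "bob", "bytes_up": 42000000, "bytes_down": 900, "src_ip": "10.0.0.27", "dst_ip": "198.51.100.7"}
{"url": "https://files.example/upload", "timestamp": "2024-05-01T09:09:02Z", "user": "bob", "bytes_up": 15000000, "bytes_down": 700, "src_ip": "10.0.0.27", "dst_ip": "198.51.100.7"}
{"url": "https://news.example/", "timestamp": "2024-05-01T09:10:00Z", "user": "", "bytes_up": 300, "bytes_down": 90000, "src_ip": "10.0.0.31"}
not-json garbage line
"""

def review(lines, upload_limit=UPLOAD_LIMIT):
    """Return (incomplete, heavy_uploaders) for an iterable of JSON log lines."""
    incomplete = []             # (line_number, missing_fields) for audit follow-up
    uploads = defaultdict(int)  # total bytes uploaded per user
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            # An unparseable entry carries none of the required details.
            incomplete.append((n, list(REQUIRED)))
            continue
        # Empty strings count as missing; a byte count of 0 is a valid value.
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if missing:
            incomplete.append((n, missing))
        if rec.get("user") and isinstance(rec.get("bytes_up"), int):
            uploads[rec["user"]] += rec["bytes_up"]
    heavy = {u: b for u, b in uploads.items() if b > upload_limit}
    return incomplete, heavy

if __name__ == "__main__":
    incomplete, heavy = review(SAMPLE.splitlines())
    for n, missing in incomplete:
        print(f"line {n}: missing {', '.join(missing)}")
    for user, total in heavy.items():
        print(f"{user}: {total} bytes uploaded exceeds {UPLOAD_LIMIT}")
```

Entries reported as incomplete point to a proxy logging configuration gap; users over the threshold are candidates for further investigation, not confirmed incidents.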
Audit / evidence tips
- Ask: the web proxy log configuration file. Good is a configuration that clearly specifies all these elements.
- Good is complete, consistently formatted log entries over an extended period.
- Ask: how they ensure all necessary data is logged and monitored. Good is a clear explanation of the monitoring process and examples of how issues have been identified.
- Good is evidence of regular reviews and appropriate follow-up actions on identified issues.
- Good is a simple policy document that clearly outlines logging practices and staff awareness efforts.
Cross-framework mappings
How ISM-0261 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.15 | ISM-0261 requires organisations to centrally log specific web proxy activity details (such as web address, timestamp, user, data volumes,... | |
| Supports (1) | | |
| Annex A 8.16 | ISM-0261 requires organisations to centrally log detailed web proxy activity to provide visibility of user web access and associated netw... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.