
Information Protection and Regulation

(contd.)

Page 2 of 3

Resources and Advice

The US National Institute of Standards and Technology (NIST) is a very good reference source for information and resources on security, privacy and compliance issues. It publishes more than 100 Special Publications (the SP 800 series), all free to download, covering every aspect of information technology security.

One area in which NIST makes public statements is recommended technologies. NIST indicates which technologies and standards conform to its recommendations, and so advises for or against specific technologies when superior alternatives exist.

An example of a technology that NIST once supported and has since withdrawn in favor of a replacement is in encryption. NIST has officially withdrawn its approval of the 56-bit Data Encryption Standard (DES) and recommends instead Triple DES, also known as the Triple Data Encryption Algorithm (TDEA), or the stronger and faster Advanced Encryption Standard (AES). Note that NIST has since also deprecated TDEA (SP 800-131A), so for any new system the choice is AES.

Regarding logs and logging procedures and practices, the NIST publication SP 800-92, Guide to Computer Security Log Management, is a great resource: it details many ways to establish, evolve and maintain efficient and effective log management. Topics covered include log generation, analysis, storage and monitoring. It can be downloaded free of charge from NIST.

Log Review and Analysis

You must regularly review and analyze the logs you record and maintain, both to meet regulatory compliance requirements and to improve your overall information security, privacy and availability.

Through persistent, regular and consistent log review and analysis you will uncover many otherwise undetected activities capable of negatively affecting you or your organization. Common issues that I regularly find through the log review and audit process include policy violations, application processing errors, fraud, security incidents, and operational functionality and efficiency problems.

Policy Development Guidelines

With so many laws and standards having similar requirements for logging, log review and log analysis, the best approach is a carefully constructed logging plan implemented through a single comprehensive log policy that incorporates all of these elements into one united set of logging procedures and practices.

Do not try to satisfy each set of regulatory, statutory or standards requirements piecemeal. Your best plan of attack is a comprehensive policy that contains a general logging practices and procedures directive plus specific supplemental clauses for the individual areas that warrant special treatment.

A risk-oriented policy is often the cheapest and quickest way to get procedures and policies in place where none currently exist, or where the existing ones are dated or inadequate.

Speed in developing, implementing and then refining your logging and information control policies is critical: every day without such a policy is a day of unmitigated exposure to the risks it would address.

PCI DSS Compliance

Without doubt, Payment Card Industry (PCI) Data Security Standard (DSS) compliance and validation is the major concern of everyone who processes credit card payments. It is equally critical for online business and for "offline" transactions, "offline" meaning any transaction other than customer-initiated Internet-based transaction processing.

The essential logging requirements for PCI DSS compliance are contained in Requirement 10 of the standard, which details the actions required to track and monitor network activity and access to cardholder data. The best bit here is that the majority of the audit logs generated to satisfy these stipulations also conform to most of the logging requirements of other laws and regulations.

IMPORTANT TIP - Getting your house in order regarding PCI DSS compliance will have the beneficial side effect of simultaneously fulfilling the majority of the auditing and logging requirements from other areas, leaving you to plug the remaining gaps as your circumstances dictate.

The bean counters love this approach as it addresses their area of immediate concern first - CASH FLOW. Nobody said you have to reveal your full motivations for this approach.

“Work smarter and not just harder” is something my mother always says. Once again, she is right.

PCI DSS Compliance Logging Requirements

Here are some of the computer, network and Internet activities that you will need to log in order to satisfy PCI DSS compliance requirements, grouped by activity and class:

Synchronization

Time synchronization procedures and mechanisms covering all computer, system, network and Internet activities need thorough documentation (PCI DSS Requirement 10.4). Not only must every log be timestamped from a synchronized clock, the timestamp must be recorded on each individual event in the log, and the clocks of all in-scope systems must agree; otherwise events from different systems cannot be correlated during an investigation.

Authentication Mechanisms

Current computer, system and network authentication mechanisms need thorough documentation, along with log entries detailing changes to authentication mechanisms, invalid authentication attempts, password changes and administrative authentication-related activities. Each such entry should identify the user, the type of event, the date and time, whether it succeeded or failed, where it originated and the resource affected, so that it is usable in an investigation.
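The following is an added example, written for this page rather than taken from it or from any PCI product, of what the log review described under "Log Review and Analysis" looks like when run against the time-synchronization and authentication events listed above. It checks that every event carries the full set of audit fields and a timezone-qualified timestamp, flags a clock that runs backwards on a host, surfaces bursts of invalid authentication attempts from one source, and queues password changes, authentication-mechanism changes and privileged-user activity for human review. The log line format, field names, threshold, privileged account names and the sample lines are all constructed assumptions; the sub-requirement numbers in the comments follow the PCI DSS v3.x numbering.

```python
"""Log review pass over constructed authentication events, checking the
PCI DSS Requirement 10 points the page lists: every event carries the
required audit fields, timestamps come from a synchronized clock, invalid
access attempts are surfaced, and authentication-mechanism or administrative
events are queued for human review.

Assumptions (added example, not a real product's format): lines are
"<ISO 8601 timestamp> <host> key=value ...", and the field names, the
thresholds and the sample lines below are made up for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not captured from a real system).
SAMPLE_LOG = """\
2024-03-01T09:00:00+00:00 web01 user=alice event=auth.login outcome=success src=10.0.0.5 resource=/admin
2024-03-01T09:00:03+00:00 web01 user=bob event=auth.login outcome=failure src=203.0.113.9 resource=/login
2024-03-01T09:00:04+00:00 web01 user=bob event=auth.login outcome=failure src=203.0.113.9 resource=/login
2024-03-01T09:00:05+00:00 web01 user=root event=auth.login outcome=failure src=203.0.113.9 resource=/login
2024-03-01T09:00:06+00:00 web01 user=admin event=auth.login outcome=failure src=203.0.113.9 resource=/login
2024-03-01T09:00:07+00:00 web01 user=admin event=auth.login outcome=failure src=203.0.113.9 resource=/login
2024-03-01T08:59:30+00:00 web01 user=carol event=auth.login outcome=success src=10.0.0.7 resource=/app
2024-03-01T09:01:00+00:00 db01 user=dba event=auth.password_change outcome=success src=10.0.0.8 resource=account:dba
2024-03-01T09:02:00+00:00 db01 user=dba event=auth.mechanism_change outcome=success src=10.0.0.8 resource=pam.d/sshd
2024-03-01T09:03:00 db01 user=eve event=auth.login outcome=success src=10.0.0.9 resource=/app
2024-03-01T09:04:00+00:00 web01 user=frank event=auth.login outcome=success resource=/app
"""

# Assumed field set modelled on the PCI DSS 10.3 audit-trail entries:
# who, what, outcome, where from, which resource (date/time is the line prefix).
REQUIRED_FIELDS = ("user", "event", "outcome", "src", "resource")
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")
FAILURE_THRESHOLD = 5                    # assumed: this many failures ...
FAILURE_WINDOW = timedelta(seconds=60)   # ... from one source inside this window
REVIEW_EVENTS = {"auth.password_change", "auth.mechanism_change"}
ADMIN_USERS = {"root", "admin", "dba"}   # assumed privileged account names


def parse_line(line):
    """Return (timestamp, host, fields) for one line; ValueError if the line
    does not fit the assumed format or its timestamp is not ISO 8601."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable line: %r" % line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return datetime.fromisoformat(m.group("ts")), m.group("host"), fields


def review_log(text):
    """Run the checks over a log text and return {category: [(line_no, detail)]}."""
    findings = defaultdict(list)
    last_ts = {}                    # host -> latest timestamp seen so far
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ts, host, f = parse_line(line)
        except ValueError as e:
            findings["unparseable"].append((n, str(e)))
            continue
        # 10.3: an audit entry without the full field set is useless in an investigation
        missing = [k for k in REQUIRED_FIELDS if k not in f]
        if missing:
            findings["missing_fields"].append((n, missing))
        # 10.4: events must carry synchronized, unambiguous time. A timestamp
        # without a UTC offset is flagged; for comparison it is assumed to be UTC.
        if ts.tzinfo is None:
            findings["timestamp_no_tz"].append((n, host))
            ts = ts.replace(tzinfo=timezone.utc)
        # A timestamp earlier than the previous one from the same host points at
        # a clock that was not synchronized (or at log tampering).
        if host in last_ts and ts < last_ts[host]:
            findings["clock_regression"].append((n, host))
        last_ts[host] = max(last_ts.get(host, ts), ts)
        # 10.2.4: invalid logical access attempts. Sliding window per source
        # address; alert once, when the threshold is first reached.
        if f.get("outcome") == "failure":
            src = f.get("src", "unknown")
            q = failures[src]
            q.append(ts)
            while ts - q[0] > FAILURE_WINDOW:
                q.popleft()
            if len(q) == FAILURE_THRESHOLD:
                findings["brute_force"].append((n, src))
        # 10.2.2 / 10.2.5: privileged-user actions and changes to
        # authentication mechanisms go to a human reviewer every time.
        if f.get("event") in REVIEW_EVENTS or f.get("user") in ADMIN_USERS:
            findings["admin_review"].append((n, f.get("user")))
    return dict(findings)


if __name__ == "__main__":
    for category, items in sorted(review_log(SAMPLE_LOG).items()):
        print(category)
        for line_no, detail in items:
            print("  line %d: %s" % (line_no, detail))
```

Run as a script it lists each finding with the line it came from. On the sample data the five failures from 203.0.113.9 trip the brute-force alert at line 6, line 7 is reported as a clock regression on web01, line 10 lacks a timezone and line 11 is missing its source address; every event by root, admin or dba lands in the review queue regardless of outcome. A real deployment would read from the log store instead of a string and tune the threshold and window to its own traffic.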

© 2007 Copyright Stanza Ltd. All Rights Reserved.