Webupon > Security

Information Protection and Regulation

(contd.)

Page 3 of 3

Audit Logs

Events that must be documented and logged here include access to audit logs, any modification of audit logs or of the audit logging procedures, and the clearing or destruction of audit logs. This applies to every component of the network, including individual computers, servers and networking devices, as well as to the services offered (e.g. Internet access).

Cardholder Data

You must thoroughly document cardholder data access, processes, procedures and security initiatives. This includes details of those who are explicitly authorized to access cardholder data and of those who are explicitly not authorized to access it. Details of the assets and resources involved in these processes must also be included.

Cardholder data logs must record every access to cardholder data, whether valid or invalid, along with maintenance and formal audit access events. Other cardholder data events that need logging include the storage, updating and maintenance of cardholder data, and valid and invalid access to the applications that handle it.

System-Level Objects

You must log all system-level object events, including creation, deletion, modification and read-only access. This covers system-level events at the machine level, including workstations and clustered computer resources, as well as in the datacenter.

Common Network and Cardholder Access Events

Every cardholder data access and/or network access event record must contain the user identifier, the event type, the event date and time, the result of the attempt (success/failure), the origin of the event, and the identity of the affected resource (for example the data file name, system component, computer, network or application), together with any modifications made and any administrative activity performed.

Log Generation and Management

It is a sad fact that the majority of IT personnel are neither aware of, nor fully understand, the issues, implications and ramifications of authentication, logging, computers, networking, network monitoring, security logging, accounting and auditing practices.

To compound this further, most compliance personnel do not have an IT background and often make the fatal assumption that IT logs everything and retains the generated logs forever. The logistics of this approach are unrealistic, since the volume of data generated by a log-everything/keep-everything approach would rapidly bury an organization.

Another point that the various management areas do not fully appreciate is that, for the most part, IT must have sufficient and appropriate documentation detailing precisely what is required before those requirements can be achieved.

Assuming that IT knows all about every other department's logging requirements is unrealistic. It is essential to inform IT of the logging requirements of other departments if IT is to develop policies that satisfy organization-wide logging requirements. All logging and reporting activities consume resources at the individual computer level as well as at the network and organization levels.

A direct result of these factors is that, more often than not, inadequate and non-compliant logging procedures and policies end up in production environments.

Developing a Log Policy

Here are a few tips to assist you in the development of a log management policy or log management component of your larger log policy.

  • General Comprehension - Understand and define the general logging requirements of all sectors of your organization and the types of logs they require. You do not have to fill in all of the nitty-gritty detail at this point.
  • Define Specifics - Meet with those responsible for specific areas and discuss in more detail the nature and specifics of their requirements including the types of data and report formats each department needs, the data types that are necessary to achieve organization-wide compliance and the data that each department would require should a breach occur. Discuss matters concerning the feasibility of collecting, collating and storing the logs and reports generated.
  • Fiscal Matters - It is best to begin addressing fiscal aspects and concerns now. Without doubt, other departments will be very willing to burden IT with as much of their workload as possible. With IT producing the extra logs and reports needed to satisfy every other department's requirements, it is only reasonable to expect that additional resources will be required.
  • Analysis - Analyze these results and determine what areas are common for all. Also, define those areas that are common to most and those that are specific to one or two departments only.
  • Evaluate - Examine your current logging procedures and analyze the data types currently collected. Note those aspects of the above requirements you already satisfy. Produce a list of the “missing” factors.
  • Plan - Define mechanisms to incorporate collection and collation of these “missing” factors compatible with your system's current capabilities.
  • Test - Implement a trial run. Collect and collate this data then generate the appropriate reports for each department.
  • Determine Satisfaction - Meet with the other departments and discuss your trial reports. Determine if these reports are satisfactory. Have the other departments produce a report detailing areas of the trial reports that need amending.
  • Amend and Retest - Incorporate the amendments into a new trial run.
  • Reevaluate - Repeat the cycle until all departments are satisfied.
  • Review Regularly - Regularly review your data collection, collation and report generation procedures and policies to ensure complete alignment with all departments concerned.
  • Review Currency - Regularly evaluate how current your logging practices and policies are, and make sure the other departments do likewise. Make sure that all departments notify you immediately of any change to their policy or requirements.

You cannot begin to develop procedures to satisfy another department's logging requirements if they do not inform you of these changes.

Where Logs Help

Here are some different types of logs and some of the areas in which they are useful.

  • Networking Device Logs - Logs from switches, wireless access points, routers and firewalls can identify intrusion attempts (by hackers, for example) as well as connectivity issues such as legitimate, authorized users being unable to reach assets and resources they are entitled to access.
  • Network Access Logs - These logs contain a great deal of information about network usage and metrics as well as authorized and unauthorized access events, which is very helpful in planning upgrades and network infrastructure changes. You will also find evidence of abuse of privileges and hacking attempts here.
  • User Account Logs - User account logs can help in identifying brute-force password attacks (a burst of failed logins against one account or from one origin) and inappropriate changes to user account privileges.
  • Email Logs - Here you will find information that helps identify many malicious, unauthorized and undesirable activities. A dramatic increase in inbound email traffic is often the first indicator of an email-based attack. Abnormally large volumes of outbound email traffic can point to data leakage.
  • Application Logs - These provide the date, time and identity of each client file access. They are a very useful source of information for identifying unauthorized access events as well as fraud and other malicious acts.
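The required access-event fields listed under "Common Network and Cardholder Access Events" and the brute-force and privilege-change uses of user account logs above, as an added worked example that is not part of the original article. It parses constructed key=value log lines (an assumed format, not any real product's), rejects records that lack a mandated field, and flags a burst of login failures from one origin followed by a success, plus privilege changes made outside an approved actor set or on the actor's own account. The sample lines, the threshold of five failures within sixty seconds and the `admin` approved-actor set are all assumptions for illustration.

```python
"""Check access-event records for required fields and spot brute-force logins
and suspicious privilege changes.

Added example, not code from the original article. The key=value log format,
sample lines and thresholds are assumptions; a real deployment replaces
parse_line() with a parser for its own log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The fields every access event record must carry.
REQUIRED = ("ts", "user", "event", "result", "origin", "resource")

# Constructed sample log (not from a real system). 10.0.0.7 hammers the
# 'alice' account, finally gets in, then grants itself the admin role.
# The 'carol' line deliberately lacks the resource field.
SAMPLE_LOG = """\
ts=2024-03-01T09:00:01Z user=bob event=login result=success origin=10.0.0.5 resource=app/portal
ts=2024-03-01T09:00:05Z user=alice event=login result=failure origin=10.0.0.7 resource=app/portal
ts=2024-03-01T09:00:06Z user=alice event=login result=failure origin=10.0.0.7 resource=app/portal
ts=2024-03-01T09:00:07Z user=alice event=login result=failure origin=10.0.0.7 resource=app/portal
ts=2024-03-01T09:00:08Z user=alice event=login result=failure origin=10.0.0.7 resource=app/portal
ts=2024-03-01T09:00:09Z user=alice event=login result=failure origin=10.0.0.7 resource=app/portal
ts=2024-03-01T09:00:12Z user=alice event=login result=success origin=10.0.0.7 resource=app/portal
ts=2024-03-01T09:00:20Z user=alice event=priv_change result=success origin=10.0.0.7 resource=account/alice target=alice role=admin
ts=2024-03-01T09:30:00Z user=carol event=login result=failure origin=10.0.0.9
ts=2024-03-01T10:00:00Z user=admin event=priv_change result=success origin=10.0.0.2 resource=account/dave target=dave role=auditor
"""


def parse_line(line):
    """Turn one 'k=v k=v ...' line into a dict; the timestamp becomes a datetime."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    if "ts" in rec:
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def missing_fields(rec):
    """Mandated fields this record does not carry (empty list if complete)."""
    return [f for f in REQUIRED if f not in rec]


def detect_brute_force(records, threshold=5, window=timedelta(seconds=60)):
    """Flag an origin with >= threshold login failures inside `window`; if a
    successful login from that origin follows, mark the alert as compromised."""
    failures = defaultdict(deque)  # origin -> timestamps of recent failures
    alerts, burst_seen = [], set()
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] != "login":
            continue
        q = failures[r["origin"]]
        if r["result"] == "failure":
            q.append(r["ts"])
            while q and r["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and r["origin"] not in burst_seen:
                burst_seen.add(r["origin"])
                alerts.append({"kind": "brute_force", "origin": r["origin"],
                               "user": r["user"], "failures": len(q),
                               "compromised": False})
        elif r["origin"] in burst_seen:
            for a in alerts:
                if a["kind"] == "brute_force" and a["origin"] == r["origin"]:
                    a["compromised"] = True
    return alerts


def detect_priv_changes(records, approved_actors=("admin",)):
    """Privilege changes by an actor outside the approved set, or by a user on
    their own account, are flagged for review."""
    return [{"kind": "priv_change", "user": r["user"],
             "target": r.get("target"), "role": r.get("role")}
            for r in records
            if r["event"] == "priv_change"
            and (r["user"] not in approved_actors or r.get("target") == r["user"])]


def analyse(text):
    """Parse every non-blank line; return (valid records, rejected lines, alerts)."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        missing = missing_fields(rec)
        if missing:
            rejected.append((line, missing))  # incomplete record: keep it out of analysis
        else:
            records.append(rec)
    return records, rejected, detect_brute_force(records) + detect_priv_changes(records)


if __name__ == "__main__":
    recs, bad, alerts = analyse(SAMPLE_LOG)
    print(f"{len(recs)} complete records, {len(bad)} rejected for missing fields")
    for line, missing in bad:
        print("  rejected", missing, "<-", line)
    for a in alerts:
        print("  alert:", a)
```

Rejected records are reported rather than silently dropped, because a record without an origin or resource is itself a finding: it means a component is not producing the fields the policy requires. The brute-force detector raises one alert per origin and upgrades it when a success follows the burst, so the report distinguishes a noisy attempt from a probable compromise.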

Summary

Through a well thought-out and tested log policy for your network, systems and applications, and the procedures and practices it contains, you will be able to comply with the relevant laws, regulations and standards, while supporting and improving your organization's bottom line through early detection of errors, fraud, non-compliance (and the penalties it attracts) and a host of other damaging events.

© 2007 Copyright Stanza Ltd. All Rights Reserved.