I want to continue the discussion I started yesterday.
Is there a difference between “log management” and a “log management system”?
Yes!
What is that difference?  In a word: SCOPE
In my blog posting yesterday I provided a definition for what is typically considered a system, not only within most businesses but also as defined by PCI DSS.
First let’s go through a “fun” little exercise…  🙂
- A home is not the same as the home’s burglar alarm system
- The game of basketball is not the same as the basketball scoreboard
- With regard to traffic, freeway management is not the same as a freeway management system
In each of these three examples, the second item listed is a subset of the first item: a home burglar alarm system supports a home, but does not define the entirety of the home, which is, of course, so much more; a basketball scoreboard supports playing the game of basketball, but by itself does not represent the game of basketball; a freeway management system helps to monitor traffic flow and identify problems, but does not, in and of itself, represent all the variables and real-time issues involved with freeway traffic.
Okay, if these examples seem a bit too facetious, then from an auditor’s view and a practitioner’s view, consider…
- Human Resources (HR) is not synonymous with an HR system used to manage employee benefits, timecards and paychecks
- Accounting is not synonymous with an accounting system used to more efficiently keep track of data
- Building management is not synonymous with a building management system
- Order/purchasing management is not synonymous with an order/purchasing management system
- Customer Relationship Management (CRM) is not synonymous with a CRM application and database
- The HIPAA regulations are not the same as the HIPAA Security Rule Technical requirements
Again, in each example, the second item on each line is a subset of the first item.
An auditor views the phrases “log management” and “log management system” much differently!
If I were asked to audit log management at a company, or a company’s log management program, the scope would be much larger than if I did an audit of the log management system.
The log management program audit would include a review of the technology system in addition to the log management policies, procedures, documentation, personnel capabilities and job descriptions, training practices and requirements, enforcement of policies and procedures, backup and recovery of the associated data, retention issues, physical access to all involved components within the log management program, and all other critically important human, operational, physical and administrative considerations that would fall outside of auditing just the system…the technology…itself.
An information security practitioner also views the phrases “log management” and “log management system” much differently!
If an information security practitioner was asked to build a log management program, s/he would typically do a risk analysis to determine the most appropriate log management policies, log management standards, areas for which logs need to be created, the associated staffing it will take to manage review, interpretation and response to what the logs communicate, the most appropriate log management systems and technologies to use to support the necessary logs, procedures for the staff to follow to consistently create, interpret and react to the logs, the budget issues related to sufficiently supporting the log management program, the training necessary to ensure staff understand and follow the policies, standards and procedures, the disaster recovery and business continuity requirements for the different types of logs based upon their business impact, the retention requirements for the different types of logs, and all other operational, administrative and physical security issues.
If an information security practitioner was asked to build a log management SYSTEM, then it is likely the log management program already exists (if not, it should). S/he would look at the log management program to determine the characteristics that will be necessary within the log management system to best meet the organization’s needs. S/he would look at such things as compatibility with existing systems and applications, storage capacity, data item logging capabilities, user interfaces, speed, dependability, configurability, cost, and all other issues specifically related to the technology systems being considered.
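One concrete way the program drives the system is sizing: the program sets retention requirements per log type based on business impact, and the system being considered has to have the storage capacity to honor them. The following is an added example, not code from the original post; the log sources, event rates, event sizes, impact tiers and retention policy are all constructed sample values, and the function names are my own.

```python
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
GIB = 2**30


@dataclass
class LogSource:
    """One log-producing system as inventoried by the log management program."""
    name: str
    impact: str              # business-impact tier assigned during risk analysis
    events_per_second: float
    avg_event_bytes: int
    retention_days: int      # retention the program requires for this source


# Constructed sample inventory; rates and sizes are assumed, not measured.
SOURCES = [
    LogSource("firewall", "high", 500.0, 300, 365),
    LogSource("domain-controller", "high", 120.0, 800, 365),
    LogSource("web-app", "medium", 50.0, 1200, 90),
    LogSource("dev-build-server", "high", 5.0, 500, 30),   # retention below policy
]

# Constructed retention policy from the (hypothetical) log management program:
# minimum days each impact tier must be kept.
RETENTION_POLICY_DAYS = {"high": 365, "medium": 90, "low": 30}


def retention_violations(sources, policy=RETENTION_POLICY_DAYS):
    """Names of sources whose configured retention is shorter than the program requires."""
    return [s.name for s in sources if s.retention_days < policy[s.impact]]


def raw_bytes_per_day(src):
    """Uncompressed log volume one source produces in a day."""
    return src.events_per_second * src.avg_event_bytes * SECONDS_PER_DAY


def retained_bytes(src, compression_ratio=1.0):
    """Storage needed to hold one source for its full retention window."""
    return raw_bytes_per_day(src) * src.retention_days / compression_ratio


def required_capacity_gib(sources, compression_ratio=1.0, headroom=1.0):
    """Total storage (GiB) the system must provide to satisfy every source's retention.

    headroom > 1.0 reserves space for growth and for index/metadata overhead.
    """
    total = sum(retained_bytes(s, compression_ratio) for s in sources)
    return total * headroom / GIB


def capacity_gap_gib(sources, candidate_capacity_gib, compression_ratio=1.0, headroom=1.0):
    """How far short a candidate system's capacity falls of the program's need (0.0 if none)."""
    need = required_capacity_gib(sources, compression_ratio, headroom)
    return max(0.0, need - candidate_capacity_gib)


if __name__ == "__main__":
    print("retention violations:", retention_violations(SOURCES))
    print("required GiB (no compression):", round(required_capacity_gib(SOURCES), 1))
    print("gap vs 5000 GiB candidate:", round(capacity_gap_gib(SOURCES, 5000), 1))
```

The retention check runs against the program's policy, not against whatever the tool defaults to, which is the point of the paragraph above: the system is evaluated by the requirements the program already established.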
Unfortunately I have seen this confusion more than once throughout the years. Too many organizations, when hearing they must establish an information security program, a log management program, a virus control program, a BCP program, and so on, think that all they need to do is buy a “system,” install it, and VOILA! Everything will be hunky dory.
However, the downfall of many organizations is the belief that only a purchased system is necessary, rather than a well-thought-out, comprehensive program composed not only of systems to support the program, but also of the critically important policies, procedures, well-trained and qualified personnel, knowledge of legal and contractual requirements, support from business executives, the ability to communicate well and effectively with all their business unit leaders, and so on.
So, yes, “log management” means so very much more than what “log management system” means.
Tags: Anton Chuvakin, awareness and training, certify, compliant, HIPAA, Information Security, IT compliance, log management, PCI DSS, policies and procedures, QSA, risk management, security awareness, security training