Smart Business Leaders Support Effective Log Management Practices and Necessary Resources

The second article in this month’s IT Compliance in Realtime Journal is, “Smart Business Leaders Support Log Management.”
I wrote this with an audience of information security and privacy personnel, along with IT managers, in mind.
Download the formatted PDF version to get the full content, not to mention a nicer looking document.
Here is the unformatted version…

Many Laws, Regulations, and Standards Require Logs
To comply with a multitude of current laws, regulations, and standards, virtually all organizations must generate logs of some type, consistently follow documented procedures to review and analyze the logs, react to anomalies, and retain the logs appropriately.
Just a few of the laws, regulations, and standards that require logging include:

  • Sarbanes-Oxley (SOX) Act
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Payment Card Industry (PCI) Data Security Standard (DSS)
  • Federal Information Security Management Act (FISMA)
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
  • EU Data Protection Directive
  • California SB 1386 and most of the other at least 39 state-level (including D.C.) breach notice laws

The log data should be regularly reviewed and analyzed not only to meet compliance requirements but also to enhance overall information security, privacy, and availability for the business. Consistent, regular log review and analysis will reveal many types of activities that could be negatively impacting business, such as policy violations, errors in application processing, operational problems, fraud, and security incidents, just to name a few.
Unified Compliance
Many laws and regulations are supported by generating logs. Too many organizations try to address each of their applicable laws one at a time. However, many laws have numerous similar requirements. Organizations that establish a well-thought-out information security program that incorporates practices that address the risks specific to their organization will at the same time address a large portion of applicable data protection laws, regulations, and standards.
By establishing a comprehensive log management program based upon monitoring items that reveal risks, organizations will actually be meeting compliance requirements for multiple laws, regulations, and standards in one fell swoop.
One of the most pressing compliance issues right now for the many organizations that process credit card payments is PCI DSS compliance. Requirement 10 of this standard covers tracking and monitoring all access to network resources and cardholder data. It is important to note that these same audit logs also contribute to compliance for many other laws and regulations. Some of the activities organizations need to log for PCI DSS compliance include:

  • Invalid authentication attempts
  • Changes to authentication mechanisms
  • Password changes
  • Administrative activities
  • Access to cardholder data items
  • Invalid access attempts to cardholder data and applications
  • Access to audit logs
  • Modifications to audit logs
  • Clearing audit logs
  • Creating system-level objects
  • Deleting system-level objects
  • The following information for each event recorded for cardholder data access and network access:
      • User identifier
      • Event type
      • Date and time
      • Success or failure of the attempt
      • Origination of the event
      • Identity or name of the affected data, system component, or resource (for example, data file name, system component, or application)
  • Clock/time synchronization

Although NIST 800-92, Guide to Computer Security Log Management, was primarily created to simplify FISMA compliance, it is a great resource for all types of organizations. It describes the need for log management and ways to establish and maintain successful and efficient log management infrastructures, including log generation, analysis, storage, and monitoring. Get it at
How Logs Support Business
These logs will not only help your organization be in compliance with a long list of laws, regulations, and standards, but also to support and improve your business by catching errors, fraud, and a variety of other things that have a negative impact on your business.
For example:

  • Logs from network devices such as firewalls, switches, and wireless access points can show when outsiders are probing your network or trying to gain access to your valuable business information.
  • Logs from applications can show who was accessing client files, along with the time and date of access. They can provide an indication that some of your authorized users are attempting fraud or other malicious acts as well as the evidence necessary to prove criminal actions.
  • Logs can provide network user account information, showing successful and failed authentication attempts, account changes, and use, as well as misuse, of privileges. User account logs can identify brute-force password attacks and inappropriate changes in user account privileges.

Email logs can reveal dramatic increases in incoming email activity that might indicate a new email threat. Email logs showing abnormally large outbound email messages can point to data leakage of sensitive and valuable business information.
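The two detections just described (a brute-force password attack showing up as a burst of failed authentications from one source, and an abnormally large outbound message showing up in the mail log) are simple enough to script. The following is an added example, not code from the article. The log lines are constructed sample data modelled on OpenSSH/syslog and Postfix formats; the thresholds (five failures in five minutes, 25 MB outbound) and the assumed year for syslog timestamps are assumptions to tune for your own environment.

```python
"""Detection logic over constructed auth and mail log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumption for this example

# Constructed sample auth log: a burst from 203.0.113.5 ending in a successful
# login, one ordinary typo by alice, and slow failures by bob over hours.
AUTH_LOG = """\
Mar  3 02:14:01 web1 sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 4021 ssh2
Mar  3 02:14:03 web1 sshd[4120]: Failed password for root from 203.0.113.5 port 4022 ssh2
Mar  3 02:14:04 web1 sshd[4120]: Failed password for root from 203.0.113.5 port 4023 ssh2
Mar  3 02:14:06 web1 sshd[4120]: Failed password for invalid user oracle from 203.0.113.5 port 4024 ssh2
Mar  3 02:14:09 web1 sshd[4120]: Failed password for root from 203.0.113.5 port 4025 ssh2
Mar  3 02:14:12 web1 sshd[4120]: Accepted password for root from 203.0.113.5 port 4026 ssh2
Mar  3 02:20:00 web1 sshd[4130]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Mar  3 02:20:40 web1 sshd[4131]: Accepted publickey for alice from 198.51.100.7 port 5002 ssh2
Mar  3 03:05:00 web1 sshd[4140]: Failed password for bob from 198.51.100.9 port 6001 ssh2
Mar  3 03:45:00 web1 sshd[4141]: Failed password for bob from 198.51.100.9 port 6002 ssh2
Mar  3 04:25:00 web1 sshd[4142]: Failed password for bob from 198.51.100.9 port 6003 ssh2
Mar  3 05:05:00 web1 sshd[4143]: Failed password for bob from 198.51.100.9 port 6004 ssh2
Mar  3 05:45:00 web1 sshd[4144]: Failed password for bob from 198.51.100.9 port 6005 ssh2
"""

# Constructed sample Postfix queue-manager lines; the 734 MB message is the outlier.
MAIL_LOG = """\
Mar  3 09:12:10 mx1 postfix/qmgr[2210]: 3F1A2C0D1: from=<alice@example.com>, size=48213, nrcpt=1 (queue active)
Mar  3 09:12:11 mx1 postfix/smtp[2215]: 3F1A2C0D1: to=<partner@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.1, status=sent (250 OK)
Mar  3 23:41:02 mx1 postfix/qmgr[2210]: 7B9E4C0D2: from=<bob@example.com>, size=734003200, nrcpt=1 (queue active)
Mar  3 23:41:40 mx1 postfix/smtp[2215]: 7B9E4C0D2: to=<upload@example.org>, relay=mail.example.org[192.0.2.20]:25, delay=38, status=sent (250 OK)
Mar  4 08:00:05 mx1 postfix/qmgr[2210]: 9C0F5C0D3: from=<carol@example.com>, size=1203, nrcpt=3 (queue active)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
MAIL_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)"
)


def parse_auth_line(line):
    """Return (timestamp, 'Accepted'|'Failed', user, source_ip), or None if not an auth event."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m["result"], m["user"], m["ip"]


def detect_brute_force(log_text, threshold=5, window_seconds=300):
    """Flag sources with >= threshold failed logins inside any sliding window.

    Returns {ip: {"failures": max failures seen in one window,
                  "success_after_burst": True if a login later succeeded}}.
    A success following a burst is the finding to escalate first.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        event = parse_auth_line(line)
        if event is None:
            continue
        ts, result, _user, ip = event
        if result == "Failed":
            window = recent[ip]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()  # drop failures older than the window
            if len(window) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "success_after_burst": False})
                entry["failures"] = max(entry["failures"], len(window))
        elif result == "Accepted" and ip in flagged:
            flagged[ip]["success_after_burst"] = True
    return flagged


def detect_large_outbound(log_text, max_bytes=25 * 1024 * 1024):
    """Return [(queue_id, sender, size_bytes)] for queued messages larger than max_bytes."""
    hits = []
    for line in log_text.splitlines():
        m = MAIL_RE.search(line)
        if m and int(m["size"]) > max_bytes:
            hits.append((m["qid"], m["sender"], int(m["size"])))
    return hits


if __name__ == "__main__":
    print("brute force:", detect_brute_force(AUTH_LOG))
    print("large outbound:", detect_large_outbound(MAIL_LOG))
```

Note the role of the time window: bob's five failures span hours and are not flagged with the five-minute window, while the burst from 203.0.113.5 is, and its subsequent successful login is the event that turns a noisy alert into an incident. Widen the window and the slow attempts start to show up too, which is why the thresholds should be chosen against your own baseline rather than copied.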
Common Log Management Problems
I consistently see two problems organizations have with regard to creating logs that meet compliance requirements:

  • Most of the IT personnel responsible for administration and maintenance do not know the legal requirements for maintaining logs. As a result, the logs needed for compliance are either not generated at all or, if generated, are not retained for as long as compliance requires.
  • Most compliance officers, having no IT background, do not realize that their IT personnel must be provided with documentation that details the logging requirements for compliance. Many mistakenly assume the IT folks log everything by default and keep the logs indefinitely.

IT leaders cannot wait for someone from within the organization to hand them a listing of all the specific types of logs that are necessary to meet compliance requirements; chances are that will not happen. Business leaders cannot assume that IT personnel know the logs necessary to support compliance.
IT leaders need to know the types of logs that will meet the requirements of a very large cross-section of regulatory requirements, then meet with the information security officer and compliance and/or privacy officer to discuss the feasibility of generating and maintaining these logs.
Business leaders must support and participate in these discussions. In them, the IT, information security, privacy, and compliance leaders should agree on the procedures and tools necessary to protect the organization from non-compliance fines, penalties, and security incidents, and to preserve the evidence that will be needed if an incident does occur.
Bottom Line: Business Leaders Must Support Log Management
The bottom line is that network, systems, and application logs are valuable to the business. In addition to being a requirement of a long list of laws, regulations, and standards, log generation and sound management practices have proven over and over again to truly be a “best” practice used by forward-thinking and exemplary business leaders. It is incumbent upon business leaders to support and provide the resources for appropriate log management practices throughout the enterprise.
Let me know your feedback!
