Cyber Security Institute

Monday, July 16, 2007

Log management in the age of compliance

Organizations are turning to logs to provide a continuous trail of everything that happens with their IT systems and, more importantly, with their data. If a disgruntled employee with an intent to steal data accesses a database containing confidential information, there would likely be a log of that activity that someone could review to determine the who, what and when. Routine log reviews and in-depth analysis of stored logs are beneficial for identifying security incidents, policy violations, fraudulent activity and operational problems shortly after they have occurred, as well as for providing information useful for resolving such problems. Given the inherent benefits of log management, it is not surprising that log data collection and analysis is generally considered a security industry “best practice.” Several of the regulations that mandate logging rely on National Institute of Standards and Technology Computer Security Special Publications (NIST SP) to delineate the detailed logging requirements.

While many criticize the Federal Information Security Management Act (FISMA) for being all documentation and no action, the law simply emphasizes the need for each federal agency to develop, document and implement an organization-wide program to secure the information systems that support its operations and assets. NIST SP 800-53, Recommended Security Controls for Federal Information Systems, describes log management controls including the generation, review, protection and retention of audit records, plus steps to take in the event of audit failure. It describes the need for log management in federal agencies and ways to establish and maintain successful and efficient log management infrastructures, including log generation, analysis, storage and monitoring.
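The four audit-record controls just listed (generation, review, protection and retention) and the who/what/when review of database access described in the opening paragraph, as an added Python example that is not part of the original article and is not code from NIST or any regulator. The JSON-lines log format, the classification of `customers_pii` and `card_numbers` as confidential, the business-hours window, the bulk-read threshold and the 90-day retention window are all assumptions made for the example; the log lines themselves are constructed.

```python
"""Added example: review, integrity-protect and age out a small audit log."""
import hashlib
import json
from datetime import datetime, time, timedelta

# Constructed sample audit records (hypothetical JSON-lines database access log).
SAMPLE_LOG = """
{"ts": "2007-07-16T10:15:00", "user": "alice", "action": "SELECT", "object": "orders", "rows": 12}
{"ts": "2007-07-16T23:40:00", "user": "bob", "action": "SELECT", "object": "customers_pii", "rows": 5000}
{"ts": "2007-07-16T14:05:00", "user": "carol", "action": "SELECT", "object": "customers_pii", "rows": 3}
{"ts": "2007-07-15T02:12:00", "user": "dave", "action": "EXPORT", "object": "card_numbers", "rows": 120}
{"ts": "2007-01-10T09:00:00", "user": "erin", "action": "SELECT", "object": "orders", "rows": 1}
"""

CONFIDENTIAL_OBJECTS = {"customers_pii", "card_numbers"}  # assumed data classification
BUSINESS_HOURS = (time(8, 0), time(18, 0))                 # assumed access policy
BULK_ROW_THRESHOLD = 1000                                   # assumed access policy


def parse_records(text):
    """Generation side: one JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(records):
    """Review: report who/what/when for confidential-data access that breaks policy."""
    findings = []
    for rec in records:
        if rec["object"] not in CONFIDENTIAL_OBJECTS:
            continue
        when = datetime.fromisoformat(rec["ts"])
        reasons = []
        if not BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        if rec.get("rows", 0) >= BULK_ROW_THRESHOLD:
            reasons.append("bulk read")
        if reasons:
            findings.append({
                "who": rec["user"],
                "what": f"{rec['action']} {rec['object']}",
                "when": rec["ts"],
                "why": reasons,
            })
    return findings


def chain_hashes(records, seed=""):
    """Protection: SHA-256 hash chain; each digest covers the previous digest plus the record."""
    digests, prev = [], seed
    for rec in records:
        canonical = json.dumps(rec, sort_keys=True, separators=(",", ":"))
        prev = hashlib.sha256((prev + canonical).encode("utf-8")).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(records, digests, seed=""):
    """Recompute the chain: an edited, dropped or reordered record changes every later digest."""
    return chain_hashes(records, seed) == digests


def apply_retention(records, now_iso, keep_days):
    """Retention: keep only records younger than the policy window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=keep_days)
    return [r for r in records if datetime.fromisoformat(r["ts"]) >= cutoff]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for finding in review(recs):
        print(finding)
    digests = chain_hashes(recs)
    print("chain intact:", verify_chain(recs, digests))
    print("kept after 90-day retention:", len(apply_retention(recs, "2007-07-17T00:00:00", 90)))
```

The hash chain only detects tampering; to make it useful as a protection control the digests (or at least the latest one) have to be stored somewhere the log writer cannot modify, such as a separate collector or a write-once medium, which is the separation of duties the retention and protection controls are aiming at.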

NIST SP 800-92 discusses the importance of analyzing different kinds of logs from different sources and of clearly defining specific roles and responsibilities of those teams and individuals involved in log management.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant security standards for health information.

NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule, details log management requirements for the securing of electronic protected health information.

The Payment Card Industry Data Security Standard (PCI-DSS), which applies to organizations that handle credit card transactions, mandates logging specific details and log review procedures to prevent credit card fraud, hacking and other related problems in companies that store, process or transmit credit card data.

Logs, which by nature allow for tracking IT infrastructure activity, are the best way to assess if, how, when and where a data breach has occurred. The major effect the age of compliance has had on log management is to turn it into a requirement rather than just a recommendation, and this change is certainly to the advantage of any organization subject to these regulations. It is easy to see why log collection and management is important, and the explicit inclusion of log management activities in major regulations like FISMA, HIPAA and PCI-DSS highlights how key it truly is to enterprise security as well as broader risk management needs.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027080

Filed under: Advice