The legal requirements around log management may make you feel like you're battling the Hydra -- solve one problem, two more pop up in its place. Analyzing and aggregating the incessant streams of information created by computer and network logs has always been a difficult, thankless task, but now it's taking on epic proportions because of regulatory compliance.
However, looking at the technology as the first step in the process of solving log management problems is putting the cart before the horse. Vendors may sing the siren call of easy answers, promising plug-and-play products -- and later on we'll look at a selection of log management apps -- but it's a "buyer beware" marketplace. Vendors often charge substantial add-on license fees to address particular regulations or industries. Also, keep in mind that the ability to generate a particular type of report doesn't mean you've met legal requirements. In spite of vendor promises, technology alone will not address regulatory demands. IT must work in concert with executive management and legal advisers to make sure they're correctly handling the often-sensitive data generated on networks. Getting a jump on your log management practices, understanding security controls, and including legal counsel in the process will keep your company from crashing on the rocks of regulatory compliance.
KNOW YOUR OPPONENT
There are numerous regulatory requirements, but the HIPAA Security Rule, the Payment Card Industry Data Security Standard, and the Gramm-Leach-Bliley Act Safeguards Rule present specific examples that apply to a wide variety of businesses. Even if your business isn't directly regulated, a general trend surrounding information security law could still mandate logging. Specifically, there's an emerging requirement to provide "reasonable security" for information in businesses that collect, maintain, and/or process data. This duty is especially pronounced when dealing with personally identifiable information. In fact, several states implement this legal requirement with respect to personally identifiable information as part of their data-breach notification statutes. Basically, if you handle such information, there's a good chance you are legally obligated to log and analyze relevant security and system events, because logging and log auditing are essential to nearly any information security program.
HIPAA directs the Department of Health and Human Services to issue, through formal rule-making, the specific regulations the act calls for. One of these, the HIPAA Security Rule, became effective in April 2003 and sets out detailed requirements for IT security. Two of its provisions bear directly on logging. First, the audit controls standard in the technical safeguards section requires covered entities to implement "hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." Second, the information system activity review standard in the administrative safeguards section requires "procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." In other words, generating the logs is only half the obligation; someone has to review them on a regular schedule, and the procedure for doing so has to be documented.
In 1999, President Clinton signed into law the Gramm-Leach-Bliley Act, which required various federal agencies to issue regulations to flesh out its provisions. The GLB Safeguards Rule, issued by the Federal Trade Commission, creates security standards for financial institutions under the FTC's jurisdiction that handle "customer information"; these include data processors, retailers that extend credit to consumers, and mortgage brokers. The definition of "customer information" is expansive: it covers any nonpublic information about customers, whether in electronic or hard-copy form.
The rule is deliberately broad and flexible, so that the expected standard of care can evolve with security technology and industry practice. It does not mention logs by name, but it contains an implicit logging and log-analysis requirement: the mandated risk assessment must address "[d]etecting, preventing, and responding to attacks, intrusions, or other system failures," and none of those three is possible without recorded and reviewed event data.
The FTC has been fairly active in enforcing the Safeguards Rule and has publicly stated that it will continue to pursue data security cases. Although the complaints and consent decrees in these cases have not tended to call out logging specifically, the practice is so central to any information security program that companies should make sure their risk assessments and written security programs address how logs are collected, protected, and reviewed.
The most recent version of the PCI Data Security Standard (DSS) was released in 2006 and requires companies that store, process, or transmit credit or debit card data, including merchants, to comply with and be certified against detailed data security requirements. Much more detailed than the HIPAA or GLB rules, DSS Requirement 10 specifies which kinds of events must be logged, which details each audit entry must contain, and that clocks on all logging components be synchronized so that events from different systems can be correlated. It also requires daily review of logs, including those from intrusion-detection and authentication systems. Note that the review requirement is on the organization, not the tooling: a product that collects and stores logs does not by itself satisfy it.
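The Requirement 10 properties just described translate directly into checks that can run over a day's batch of collected logs. The script below is an added example written for this article, not code from any vendor product or from the standard itself. It assumes a collector that stores records as key=value lines and stamps each one with its own receive time (`recv`) alongside the timestamp the source wrote (`time`); the required-field list is taken from Requirement 10.3, which the article only summarizes; the five-minute skew tolerance and the sample records are constructed for the example.

```python
"""Daily log review in the spirit of PCI DSS Requirement 10.

Checks each record for the audit-entry details Requirement 10.3 lists,
detects source clocks that disagree with the collector (the time-sync
requirement), and surfaces the authentication and IDS events that
Requirement 10 says must be reviewed daily. Added example; all names,
thresholds and sample data are assumptions, not the standard's own text.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Details Requirement 10.3 asks for in every audit entry (assumed list).
REQUIRED_FIELDS = ("time", "user", "event", "result", "src", "target")

# Largest tolerated difference between a source's clock and the collector's
# clock before the host is reported as out of sync (assumed value).
MAX_SKEW = timedelta(minutes=5)

# Constructed sample batch in the collector's own key=value format. "recv" is
# the collector clock at arrival, "time" is the source's timestamp, both UTC.
SAMPLE_LOGS = """\
recv=2006-10-12T08:15:03Z host=web01 time=2006-10-12T08:15:02Z user=alice event=login result=success src=10.0.0.5 target=web01
recv=2006-10-12T08:16:41Z host=web01 time=2006-10-12T08:16:40Z user=bob event=login result=failure src=203.0.113.7 target=web01
recv=2006-10-12T08:16:42Z host=web01 time=2006-10-12T08:16:41Z user=bob event=login result=failure src=203.0.113.7 target=web01
recv=2006-10-12T08:16:44Z host=web01 time=2006-10-12T08:16:43Z user=bob event=login result=failure src=203.0.113.7 target=web01
recv=2006-10-12T08:15:31Z host=db01 time=2006-10-12T08:15:30Z user=svc_app event=query result=success src=10.0.0.10 target=cardholder_db
recv=2006-10-12T08:17:13Z host=db01 time=2006-10-12T08:17:12Z user=root event=audit_config_change result=success src=console
recv=2006-10-12T09:30:06Z host=ids01 time=2006-10-12T09:30:05Z user=- event=ids_alert result=- src=203.0.113.7 target=web01
recv=2006-10-12T08:17:00Z host=fw01 time=2006-10-12T06:02:00Z user=- event=deny result=failure src=198.51.100.9 target=web01
"""


def parse_line(line):
    """Split one key=value record into a dict; values stay as strings."""
    return dict(token.split("=", 1) for token in line.split())


def parse_time(value):
    """Parse the ISO 8601 'Z' timestamps used by the sample collector."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def missing_fields(record):
    """Return the required audit-entry details this record lacks entirely."""
    return [field for field in REQUIRED_FIELDS if field not in record]


def clock_skew(record):
    """Absolute difference between the source timestamp and collector time."""
    return abs(parse_time(record["time"]) - parse_time(record["recv"]))


def daily_review(text):
    """One pass over a day's batch; returns what a reviewer must look at."""
    report = {
        "failed_logins": Counter(),   # (user, src) -> number of failures
        "ids_alerts": [],             # (time, src, target)
        "audit_changes": [],          # (time, host, user) changes to audit config
        "malformed": [],              # (line number, missing fields)
        "skewed_hosts": {},           # host -> worst skew seen, in seconds
    }
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        missing = missing_fields(rec)
        if missing:
            report["malformed"].append((lineno, missing))
        if "time" in rec and "recv" in rec:
            skew = clock_skew(rec)
            if skew > MAX_SKEW:
                host = rec.get("host", "?")
                seconds = int(skew.total_seconds())
                report["skewed_hosts"][host] = max(report["skewed_hosts"].get(host, 0), seconds)
        event = rec.get("event")
        if event == "login" and rec.get("result") == "failure":
            report["failed_logins"][(rec["user"], rec["src"])] += 1
        elif event == "ids_alert":
            report["ids_alerts"].append((rec["time"], rec["src"], rec["target"]))
        elif event == "audit_config_change":
            report["audit_changes"].append((rec["time"], rec.get("host"), rec["user"]))
    return report


if __name__ == "__main__":
    result = daily_review(SAMPLE_LOGS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the sample, the review flags three failed logins for `bob` from 203.0.113.7 (the same address the IDS later alerts on), a change to audit configuration by `root` on db01 that is also missing its `target` field, and a firewall whose clock is more than two hours behind the collector, which would make its entries impossible to correlate with the web server's. Each of those is something Requirement 10 expects a human to see the next day, not something a product can "certify" on its own.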
QUESTIONS TO ASK ABOUT LOG MANAGEMENT
Risk Management: Is a robust and ongoing risk management function driving your log management strategy?
Information Security Plan: Does your organization have a written and periodically updated information security plan that includes the log management infrastructure and its surrounding policies and procedures? Is it followed?
Privacy: Have you addressed legal privacy issues, including those imposed by non-U.S. jurisdictions, regarding the collection and use of personal information that may end up in your log management system?
Data Retention/Destruction: Does your organization have retention and destruction policies for the different kinds of logs collected in your log management solution?
E-Discovery: Do all of the relevant policies, procedures, and practices address the most important e-discovery issues for your organization?
Data Breach Notification: Does your log management system improve your response to breaches of personally identifiable information that may trigger data breach notification requirements?