Facing The Monster: The Labors Of Log Management - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Healthcare // Analytics
06:45 PM

Facing The Monster: The Labors Of Log Management

As the compliance beast seems to grow before your eyes, managing logs is even more important -- and no less complex. But technology isn't the only answer to easing this burden. Seek legal advice and sharpen your business strategies as well.

The legal requirements around log management may make you feel like you're battling the Hydra -- solve one problem, two more pop up in its place. Analyzing and aggregating the incessant streams of information created by computer and network logs has always been a difficult, thankless task, but now it's taking on epic proportions because of regulatory compliance.

However, looking at the technology as the first step in the process of solving log management problems is putting the cart before the horse. Vendors may sing the siren call of easy answers, promising plug-and-play products -- and later on we'll look at a selection of log management apps -- but it's a "buyer beware" marketplace. Vendors often charge substantial add-on license fees to address particular regulations or industries. Also, keep in mind that the ability to generate a particular type of report doesn't mean you've met legal requirements. In spite of vendor promises, technology alone will not address regulatory demands. IT must work in concert with executive management and legal advisers to make sure they're correctly handling the often-sensitive data generated on networks. Getting a jump on your log management practices, understanding security controls, and including legal counsel in the process will keep your company from crashing on the rocks of regulatory compliance.

InformationWeek Reports

There are numerous regulatory requirements, but the HIPAA Security Rule, the Payment Card Industry Data Security Standard, and the Gramm-Leach-Bliley Act Safeguards Rule present specific examples that apply to a wide variety of businesses. Even if your business isn't directly regulated, a general trend surrounding information security law could still mandate logging. Specifically, there's an emerging requirement to provide "reasonable security" for information in businesses that collect, maintain, and/or process data. This duty is especially pronounced when dealing with personally identifiable information. In fact, several states implement this legal requirement with respect to personally identifiable information as part of their data-breach notification statutes. Basically, if you handle such information, there's a good chance you are legally obligated to log and analyze relevant security and system events, because logging and log auditing are essential to nearly any information security program.

As part of HIPAA, the Department of Health and Human Services must undertake rule-making procedures for disseminating specific regulations required by the act. One of these, the HIPAA Security Rule, became effective in April 2003 and sets forth detailed requirements related to IT security. The rule contains two sections addressing logging requirements. First, as part of the administrative safeguards section, the rule requires businesses to implement "hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." Second, the technical safeguards section requires "implementation of procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."

In 1999, President Clinton signed into law the Gramm-Leach-Bliley Act, which required various federal agencies to issue regulations to flesh out its provisions. The GLB Safeguards Rule, issued by the Federal Trade Commission, creates security standards for financial institutions falling under the FTC's jurisdiction that handle "customer information"; these include data processors, retailers extending credit cards to consumers, and mortgage brokers. The definition of "customer information" is expansive, including any nonpublic information about customers, whether in electronic or hard-copy format.

The rule is broad and flexible, permitting standards to evolve over time in conjunction with security technologies and industry practices. Finally, it does include an implicit requirement for logging and log analysis, calling for a risk assessment that addresses "[d]etecting, preventing, and responding to attacks, intrusions, or other system failures."

The FTC has been fairly active in enforcing the Safeguards Rule and has publicly stated that it will continue to pursue data security cases. Although the complaints and consent decrees in these cases haven't tended to specifically call out logging, the practice is so central to any information security program that companies should be sure to address relevant risks related to logging.

The most recent version of the PCI Data Security Standard (DSS) was released in 2006 and requires companies processing or storing credit or debit card information, including merchants, to comply with and be certified against detailed data security requirements. Much more detailed than the HIPAA or GLB rules, DSS Requirement 10 sets forth specific requirements, including which kinds of events must be logged, the specific details of each audit entry, and network time synchronization among logging components. Moreover, DSS requires daily review of logs, including those from intrusion-detection and authentication services.

Questions To Ask About Log Management
Issue Questions
Risk Management Is a robust and ongoing risk management function driving your log management strategy?
Information Security Plan Does your organization have a written and periodically updated information security plan that includes the log management infrastructure and surrounding policies and procedures? Is it followed?
Privacy Have you addressed legal privacy issues, including those imposed on you by non-U.S. jurisdictions regarding the collection and use of personal information that may be contained in your log management system?
Data Retention/Destruction Does your organization have retention and destruction policies related to the different kinds of logs collected in your log management solution?
E-Discovery Do all of the relevant policies, procedures, and practices address the most important e-discovery issues relevant to your organization?
Data Breach Notification Does your log management system enable improved response to breaches of personally identifiable information that may trigger data breach notification requirements?

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 3
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll