Facing The Monster: The Labors Of Log Management

As the compliance beast seems to grow before your eyes, managing logs is even more important -- and no less complex. But technology isn't the only answer to easing this burden. Seek legal advice and sharpen your business strategies as well.
Regulatory requirements related to information security, including log management, will continue to increase. Coordinating your log management vendor selection and implementation by involving the appropriate legal advisers within your organization will help ensure a wise choice.

Keep in mind there are plenty of vendors ready and willing to help you, such as log aggregation and correlation vendors, but sorting through the hype can be daunting. Security information or event management (SIM/SEM) products are also available, generally providing more advanced security-oriented features such as integrating data asset classification or vulnerability assessment information.

Although you may be able to justify the procurement of an enterprise-wide log management system on IT security-related grounds alone, we advise taking a deep breath and stepping back to look at the whole picture before you make purchasing decisions.

Determining Security Controls: What To Consider
The ability to determine whether a particular set of security controls appropriately satisfies a regulatory requirement often requires a comprehensive understanding of the entire environment, including agency enforcement dynamics, regulatory interpretation, and legal and business issues. Without answering these questions, your log management decisions are only a best guess as far as regulatory compliance is concerned. Some things to consider:

Agency enforcement dynamics: What kinds of complaints has the agency charged with enforcement brought in the past? Against which kind of organizations? Engaging in what kind of violation? Also, what signals is the agency providing through public or private statements regarding the future direction of its enforcement efforts?

Interpretation of the regulation: Although it's written in English, understanding what a particular provision actually means from a legal standpoint may require much more than comprehending the words on the page. Often, further research is required, incorporating documents and agency commentary from the rule-making process as well as other interpretive materials provided by the agency.

Legal precedent: How has the relevant law or regulation been interpreted by courts during litigation? What trends are emerging, and are there issues peculiar to a jurisdiction that are relevant to the company?

Business issues: What is the nature of the business and its IT environment? Are certain compliance strategies more easily implemented, or are some simply impossible, given these background facts?

The vast majority of states now have data-breach notification laws that require companies and state agencies to notify affected people whose personally identifiable information has been acquired by an unauthorized individual. In the case of a data breach, a robust log management process can help you respond quickly to an incident in which such information may have been exposed. Several critical questions must be answered, and effective log management can assist in answering them. For example:

Which specific data elements were acquired by the attacker? The notification statutes are triggered only when specific data elements are acquired (for example, first and last name combined with Social Security number). Therefore, if you know exactly which database elements were compromised, you can assess whether you need to notify.

Whose records were acquired? Only those affected need to be notified, and being able to confidently narrow this set of people may reduce the number of states in which notification is required, thereby reducing legal costs and risks.

Did one or more security controls (such as a data leak-prevention system) defend against an attempted acquisition of personally identifiable information, thus allowing the organization to make the legal conclusion that there was no likelihood of harm (an exception available in some states)?

Further Reading (title -- author / organization)
NIST Computer Security Incident Handling Guide (Special Publication 800-61), Section 3: "Handling an Incident" -- National Institute of Standards and Technology, Computer Security Division
NIST Guide to Computer Security Log Management (Special Publication 800-92) -- National Institute of Standards and Technology, Computer Security Division
Director Responsibility for Data Security: Key Questions the Board Should Ask -- Thomas J. Smedinghoff, Wildman, Harrold, Allen & Dixon
FFIEC IT Examination Handbook, "Security Monitoring" section -- Federal Financial Institutions Examination Council
BS ISO/IEC 17799 Information Technology - Security Techniques - Code of Practice for Information Security Management, Section 10.10: "Monitoring" -- International Organization for Standardization / International Electrotechnical Commission

Patrick R. Mueller, J.D., CISSP, is an associate in the Privacy and Data Security Practices at the law firm of Wildman, Harrold, Allen & Dixon in Chicago. He can be reached at [email protected] or

Return to the story:
Rollout: Prism EventTracker Log Management System
