Log Management Compliance Applications

Compliance & Control Suites

Mark Frost

Network Security Engineer,

University of Kentucky

Compliance has become one of the greatest challenges, and one of the greatest opportunities, facing businesses and IT departments in the 21st century. Following a wave of financial scandals, network attacks, and highly publicized cases of lost or stolen personal records, regulators and governments around the world responded with a bevy of regulations designed to ensure that companies take full responsibility for the control, monitoring and security of their business processes.

Many regulatory and industry frameworks are very specific in mandating log management and log intelligence. Requirements differ, but they typically call for collection of log data from sources spanning the network and application tiers, daily review of log records, and up to seven years of audit trail retention. Other regulations mandate things that are impossible to accomplish without logging, such as control auditing and monitoring.

Log management is also recognized as an important compensating control where more stringent preventative measures are not feasible or cost-effective, and it provides evidence that many other controls are working properly. Automating log management with LogLogic significantly reduces the time it takes to prepare for and complete internal and external audits and, in many cases, prevents a secondary audit. It also enables the elusive “continuous compliance” that follows the spirit of many of today’s regulations.

Mandates and Frameworks

PCI

The Payment Card Industry Data Security Standard (PCI Standard) is a comprehensive, detailed, and recurring program to provide for cardholder security. It applies to all those involved in handling credit card transactions, and incorporates 12 basic requirements designed to secure and protect cardholder data from unauthorized access. Log management is specifically mandated in requirement 10, “log access to audit trails”. PCI specifies which logs must be collected, reviewed on a daily basis and retained for one year, with a minimum of 3 months of on-line access. Logs must be protected against unauthorized modification. Section 10.2 of PCI requires “implementation of automated audit trails to monitor all user access to cardholder data (special focus is given to administration and root access, 10.2.2).” Log management is also used to evidence most other requirements, including identity and access management, firewall protection, anti-malware, encryption and the other security measures outlined in the requirements. Learn more about the LogLogic PCI Compliance Suite »
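The PCI paragraph above states three concrete duties for a log store: protect records against unauthorized modification, review privileged (administration and root) access daily, and keep records for one year with three months on-line. The following Python script is an added illustration of how a log store can meet those duties; it is not LogLogic code and not part of the original page. The hash-chain construction, the sample audit records, the "privileged" field and the 365/90-day constants are assumptions made for the example (the day counts are taken from the text).

```python
import hashlib
import json
from datetime import date

# Retention windows taken from the PCI paragraph: retain for one year,
# with a minimum of three months on-line (assumed constants for this example).
RETENTION_DAYS = 365
ONLINE_DAYS = 90

# Constructed sample audit records (not real data). The "privileged" flag is an
# assumed field marking administrative/root access, which PCI 10.2.2 singles out.
SAMPLE_RECORDS = [
    {"ts": "2023-12-01T08:02:11Z", "host": "db01", "user": "root",
     "action": "login", "privileged": True},
    {"ts": "2023-12-01T08:05:40Z", "host": "db01", "user": "root",
     "action": "select cardholder_data", "privileged": True},
    {"ts": "2023-12-01T09:14:02Z", "host": "app02", "user": "alice",
     "action": "login", "privileged": False},
    {"ts": "2023-12-02T10:00:00Z", "host": "app02", "user": "bob",
     "action": "login", "privileged": False},
]

GENESIS = "0" * 64  # fixed starting value for the first link


def _link_hash(prev_hash, record):
    """SHA-256 over the previous link hash plus the canonical JSON of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def build_chain(records):
    """Return a list of (record, link_hash) pairs forming a hash chain.

    Every link commits to the hash before it, so editing, inserting or deleting
    any earlier record changes every hash that follows it.
    """
    chain = []
    prev = GENESIS
    for rec in records:
        h = _link_hash(prev, rec)
        chain.append((rec, h))
        prev = h
    return chain


def verify_chain(chain):
    """Recompute every link. Returns (True, None) or (False, index_of_first_bad_link)."""
    prev = GENESIS
    for i, (rec, stored) in enumerate(chain):
        if _link_hash(prev, rec) != stored:
            return False, i
        prev = stored
    return True, None


def privileged_events_on(records, day):
    """Records for the daily review: privileged actions dated `day` (YYYY-MM-DD)."""
    return [r for r in records if r["privileged"] and r["ts"].startswith(day)]


def retention_tier(event_date, today):
    """Classify a record by age against the 90-day on-line and 365-day retention windows."""
    age = (today - event_date).days
    if age <= ONLINE_DAYS:
        return "online"
    if age <= RETENTION_DAYS:
        return "archive"
    return "expired"


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("chain intact:", verify_chain(chain))
    for r in privileged_events_on(SAMPLE_RECORDS, "2023-12-01"):
        print("daily review:", r["ts"], r["host"], r["user"], r["action"])
    print("tier:", retention_tier(date(2023, 6, 1), date(2024, 1, 1)))
```

The chain only makes tampering detectable, not impossible: anyone who can rewrite every record can also rewrite every hash. The usual mitigation is to store the head hash somewhere the log host cannot write to (a separate collector, write-once media, or a periodic signed export), and to compare against it during the daily review.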

SOX

The Sarbanes-Oxley Act (SOX) is arguably the most well known of all recent regulatory changes impacting enterprises of all kinds. Ultimately, the determination of which and how many controls constitute an effective internal control environment is made and evaluated by management and agreed to with the external auditor. Sarbanes-Oxley implies regular audits of log files and keeping a record of audit logs for up to seven years: “Audit unauthorized access, misuse and fraud, in order to ensure the accuracy of corporate financial and business information” and “maintain financial records for seven years.” In addition, the SOX law specifically recommends the COBIT control framework, which in turn makes a strong recommendation to implement log management. Learn more about the LogLogic SOX Compliance Suite »

HIPAA

The Health Information Portability and Accountability Act (HIPAA) provides for the security and privacy of patient records and applies to Protected Health Information (PHI) in all forms (oral, written, and electronic). HIPAA requires organizations to “audit and monitor system and user activity across the entire network, identify and investigate security breaches and suspicious behavior, and maintain an audit trail of user and network activity,” and also specifies that companies should “Retain and protect log data as evidence … up to 6 years.” Log-in monitoring and audit controls are mandated in such sections as 164.308(a)(5)(ii)(C) – Audit Controls, 164.312(b) – Login monitoring and 164.312(a)(2)(iii) – Automatic Log-off, as well as others. Learn more about the LogLogic HIPAA Compliance Suite »

FISMA

The Federal Information Security Management Act (FISMA) requires federal agencies to develop, document, and implement agency-wide programs to secure data and information systems supporting agency operations and assets, including those managed by other agencies or contractors. FISMA has an impact on federal agencies, state, local, and tribal governments, as well as private sector organizations composing the critical infrastructure of the United States. Detailed FISMA guidance is provided in NIST documents NIST 800-53, NIST 800-61 and NIST 800-92. For example, NIST 800-53 specifically requires log management in AU 2/3, where it specifies auditable events and the content of audit records. The rest of the AU controls expand the requirements with specific guidelines for audit monitoring and reporting. Log data can also be used to evidence that other FISMA requirements have been met, such as rules in account and access enforcement (AC 2/3/6/7/13) and configuration change control (CM 3/4). Learn more about the LogLogic FISMA Compliance Suite »

ITIL

The IT Infrastructure Library (ITIL) is a process-oriented IT control framework for service management organizations. Developed in the late 1980s by the United Kingdom’s government, this framework has been widely adopted and is now the most accepted and used IT service management best practices approach in the world. The latest version of ITIL, version 3, specifically mandates log management as part of problem management and Identity & Access Management, and requires periodic review of user activity. Learn more about the LogLogic ITIL Compliance Suite »

ISO

ISO 17799 is recognized as an international information security standard that provides information security management recommendations to those who are responsible for security in their organization. Comparing current controls against the ISO standard enables organizations to proactively identify weaknesses and threats before the auditor does. The ISO standard specifically mandates audit logging in section 10.10.1, but also mandates monitoring of system use in section 10.10.2 and monitoring of administrative and operator activity in section 10.10.4. In addition, log data can evidence that many other measures are implemented properly, such as identity management (8.8.3, timely removal of access rights) and change management (10.1.2). Learn more about the LogLogic ISO Compliance Suite »

COBIT

COBIT is the IT Governance Institute’s IT governance and control framework, most frequently used to help achieve Sarbanes-Oxley Act compliance, but also to ensure security and availability of IT assets in general. Log management requirements permeate all four sections of the COBIT 4 framework. For example, log records evidence that job change and termination controls (PO7.8) have been implemented correctly. Log records also provide change and configuration audit (AI6.1) and user activity audits (DS 5.3 and 5.4), and can evidence that network security measures are working properly (DS 5.10). Learn more about the LogLogic COBIT Compliance Suite »

NERC

The North America Electric Reliability Council (NERC) has created Critical Infrastructure Protection standards, applied to bulk electric systems. The NERC CIP standards, CIP-002-1 through CIP-009-1, refer to log and audit data in many places, perhaps most specifically in CIP-007 R6, which requires reports and alerts for security status monitoring. CIP-005 R3 also requires monitoring of electronic access and logging of access to access points. In addition, log data can evidence that many other NERC standard requirements have been properly implemented, such as CIP-003 R6 on change and configuration management, CIP-007 R2 and R4 on ports and services and malicious software, and CIP-007 R5 on identity and account management.
