NOVEMBER 03, 2005 (COMPUTERWORLD) - In the past few years, companies have spent billions of dollars to update their IT infrastructures to meet requirements from various government regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act.
One of the more noticeable and most important recommendations of these regulations is record-keeping. For example, Sarbanes-Oxley recommends that all companies "maintain financial records for seven years." In order to ensure the accuracy of corporate financial and business information, this recommendation also pertains to records that are used to "audit unauthorized access, misuse and fraud." Other regulations such as HIPAA also recommend keeping records for up to six years.
Altered log data prohibits court admissibility
The integrity of information is crucial when submitting evidence to the court. Just like crime-scene evidence, which prosecutors must prove hasn't been tampered with, electronic data submitted to the court must adhere to the same stringent requirements. As such, log data generated by the IT infrastructure also has to be archived in its original and unaltered format.
Reports generated from the logs are usually insufficient to convince the other side (defense or prosecution) that they haven't been tampered with. Lawyers from either side may question the accuracy of the reports and will want to perform their own analyses. For example, if you claim that someone has sent out data from the Sarbanes-Oxley-related financial servers, how do you substantiate that claim? Tampered data can't be used as evidence to prove your claim. In these scenarios, unaltered logs have to be provided.
In addition to the unaltered logs, evidence may be needed to prove that the logs weren't tampered with. Some companies have chosen to digitally sign the log files collected and then keep the digital signatures at a location separate from the logs. Others have chosen to store logs on WORM (write once, read many) drives such as CD-ROM/DVD-ROM or storage devices such as EMC Corp.'s Centera. Both processes ensure that tampering of logs can be detected or prevented.
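An added example, not from the article or from LogLogic: a hash chain over archived log lines plus a detached integrity record kept apart from the log file. It uses an HMAC with a separately held key as a stand-in for the digital signature the author describes; the sample log lines and the key are constructed.

```python
"""Tamper-evident log archive: hash chain over the lines, detached HMAC seal."""
import hashlib
import hmac

# Constructed sample log lines, not real data.
SAMPLE_LOG = [
    "2005-11-03T10:01:12Z srv-fin01 sshd: Accepted publickey for jsmith",
    "2005-11-03T10:03:45Z srv-fin01 scp: jsmith copied /data/q3-ledger.xls to 10.0.9.7",
    "2005-11-03T10:04:01Z srv-fin01 sshd: session closed for jsmith",
]

# Assumption: this key lives with the archive owner, stored away from the logs.
ARCHIVE_KEY = b"constructed-demo-key-do-not-reuse"


def chain_digests(lines):
    """Return one hex digest per line; each digest covers the previous digest plus
    the line, so editing, deleting or inserting a line changes every later digest."""
    prev = b"\x00" * 32
    digests = []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode("utf-8")).digest()
        digests.append(prev.hex())
    return digests


def seal(lines, key=ARCHIVE_KEY):
    """Detached integrity record: an HMAC over the chain head, to be stored separately."""
    head = chain_digests(lines)[-1] if lines else "00" * 32
    return hmac.new(key, head.encode("ascii"), hashlib.sha256).hexdigest()


def verify(lines, seal_value, key=ARCHIVE_KEY):
    """True only if the archived lines still reproduce the sealed chain head."""
    return hmac.compare_digest(seal(lines, key), seal_value)


def first_altered_line(lines, recorded_digests):
    """Given the per-line digests recorded at archive time, return the index of the
    first line whose digest no longer matches, or None if the chain checks out."""
    current = chain_digests(lines)
    for i, (now, then) in enumerate(zip(current, recorded_digests)):
        if now != then:
            return i
    if len(current) == len(recorded_digests):
        return None
    return min(len(current), len(recorded_digests))  # lines appended or truncated
```

Storing both the per-line digests and the seal lets an investigator show not just that an archive was altered, but from which line onward.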
But why would the court or the auditors trust the archived unaltered logs? Auditors are always looking to see whether the log data can be tampered with or modified at any point during the collection process. Was the transport encrypted over the WAN to ensure confidentiality? Were the logs signed during transmission to ensure integrity? What programs or processes handled these logs during the collection process? Are these programs or processes clearly documented to ensure that no fake data was injected into the stream? Were any users involved during this collection process?
This is where clear and detailed documentation on the collection process is required. The process of how logs are handled from the point where logs are generated to where logs are archived -- and everything in between -- must be clearly documented to prove that the log collection process is reliable and secure and that no data was tampered with. The documentation process should include details such as the encryption or digital signature algorithms used during transmission, the likelihood of data loss during the collection process, any manual process that required human intervention and users who touched any of the logs,
Long retention periods allow timely investigation
Even though there's no explicit regulatory requirement that companies must keep all log data for the full recommended time period, many experts agree that for Sarbanes-Oxley or HIPAA compliance, unaltered logs should be kept online for at least 12 months. However, your auditors or your corporate policy may require a longer retention period. If you don't already have a corporate information retention policy, create one now.
Having an online archive of log data allows timely investigations and also provides long-term reporting for the auditors. Many security investigations, especially those involving security policy or acceptable-use violations, may require mining of logs as far back as 12 months to ensure that no details are missing. Without the log data online, the investigations will take much longer, since the IT administrators would have to restore logs from off-line backup, such as tapes.
Regarding financial auditing, the auditors may also want to go back several quarters to look at the financial results. In order to prove the integrity of the financial data, related log data might be required to prove that there was no unauthorized or inappropriate access during those periods.
The importance of keeping unaltered logs for evidence, whether for the court, the auditors or human resources, can't be underestimated. It should be one of the most critical requirements when building your compliance infrastructure.
Jian Zhen, CISM, CISSP, is the director of product management at LogLogic.
Posted November 05, 2005 in Compliance