Generally accepted security auditing and logging practices should be adhered to ensure that the policies and procedures regarding compliance with the implementation specifications of certain standards and regulations (e.g. HIPAA, PCI, ISO 27001, HITRUST) are being met. Auditing and logging is an essential part of the information security program.
What is the purpose of an audit trail?
The purpose of auditing and logging is to record and examine activity in information systems that affect information assets. This includes any hardware, software, or procedural controls in place to track such activity as modifying information assets including protected health information within information systems.
Why is an audit trail important?
Based on the risk assessment and other business needs, security auditing and event logging of information systems should be supported by input from different departments across the entire organization. Among these are failed logins, multiple system authentication, and suspicious after-hours login behavior, to name a few. Documentation should be kept as to the rationale behind the list of events chosen to adequately support an investigation of a breach or incident.
What should be logged?
Auditing records should, at a minimum, detail the unique user ID, unique data subject ID, function performed, type of event, the date and time of an event, the possible identity of the subject of the event, and the information that may have been affected by the event. Logging activity should capture the creation, review, modification, or deletion of identified information. The success/failure of the event, the account involved, and the processes involved should be tracked as part of the audit record for privileged users.
In addition, the execution of privileged functions on information systems should be audited and logged. Information systems should be configured to prevent non-privileged users from executing privileged functions. The activities of privileged users (administrators, operators, etc.) include the success/failure of the event, time the event occurred, the account involved, the processes involved, and additional information about the event. Proper logging should be enabled in order to audit administrator activities; and reviews system administrator and operator logs on a regular basis.
How often should security logs be reviewed?
Security logs should be reviewed regularly depending on your security objectives and compliance requirements. PCI DSS requirement 10.6.1 says that you must review security logs daily.
Adequate auditing and logging control mechanisms should be reasonably implemented to record and examine activity in information systems that contain or utilize information assets including protected health information. The purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance with auditing and accountability requirements should be addressed. The implementation of auditing, logging, and accountability requirements/controls should be facilitated.
Audit logs should be maintained for management activities, system and application startup/shutdown/errors, file changes, and security policy changes. Perimeter devices should additionally log packet denials. An intrusion detection system should be managed outside of the control of system and network administrators used to monitor system and network administration activities for compliance.
How long should audit logs be kept?
Audit records should be retained in accordance with the organization’s data retention policy. Some standards and regulations require that the records be retained for ninety (90) days and archived for one (1) year (e.g. PCI DSS).
Security auditing and logging will always be available while the system is active and tracks key events, success/failed data access, system security configuration changes, privileged or utility use, any alarms raised, activation and de-activation of protection systems (e.g., A/V and IDS), and identification and authentication mechanisms, and creation and deletion of system-level objects. Logs of messages sent and received should be maintained including the date, time, origin and destination of the message, but not its contents.
Information systems auditing tools (e.g. software or data files) should be separated from development and operational systems and not held in tape libraries or user areas. Access to information system audit tools should be documented and enforced per a formal procedure, restricted to authorized individuals only, and approved by designated system owners; and the use of these tools are only authorized after receiving permission from system owners as part of a documented assessment process.
Access to system audit tools and audit trails should be protected and controlled to prevent unauthorized access and use. Authorized access and unauthorized access attempts to the audit systems and audit trails should be logged and protected from modification. File integrity monitoring or change detection should be employed on audit logs, and responses to any alert generated should take place.
Logs for external-facing technologies (e.g., wireless, firewalls, DNS) should be written/stored on a log server located on the internal network. Audit logs should be archived and digitally signed on a periodic basis.
Audit Trail Security Best Practices
- Audit trails should be secured so they cannot be altered in any way.
- Limit viewing of audit trails to those with a job-related need.
- Protect audit trail files from unauthorized modifications.
- Promptly back-up audit trail files to a centralized log server or media that is difficult to alter.
- Copy logs for wireless networks onto a log server on the internal LAN.
- Use file integrity monitoring/change detection software (such as Tripwire) on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
For more information and details on how we can help, contact us today!
