To comply with the multitude of legal requirements that regulate electronic data, virtually all organizations must configure their Windows servers to generate log data. By establishing a comprehensive Windows log management program based upon monitoring items that reveal risks, organizations will actually be meeting compliance requirements for a number of laws, regulations and standards in one fell swoop.
Log data should also be regularly reviewed and analyzed to enhance overall information security, privacy and availability for each organization. But two problems consistently crop up within organizations when they create logs to meet regulatory compliance:
Most Windows administrators do not know the legal requirements for maintaining logs. As a result, the logs are not generated. Or, if they are generated, they are not retained appropriately to meet compliance.
Most compliance officers, having no IT background, do not realize that an organization's Windows administrators must be provided with documentation that details the logging requirements for compliance. Many mistakenly assume that Windows administrators log everything by default and keep everything indefinitely.
So what's a Windows administrator to do? Well, don't wait for someone from your organization to hand you a nice list of all the specific types of logs you need to keep to meet compliance requirements. Chances are
Instead, know the types of logs that you should establish to meet the requirements of a large cross-section of regulatory obligations. Then have a chat with your information security officer and compliance officer to discuss the feasibility of generating and maintaining these logs.
While you're at it, discuss with them Windows log management procedures that will protect your organization not only from non-compliance fines and penalties but also from security incidents. They provide valuable evidence, too, in case an incident does occur.
It is important to understand that even though data protection regulations have the core goal of protecting personally identifiable information and improving security, the Windows logs that are required are not what most Windows administrators consider typical "security" logs. Windows server logs often contain security-related information that may not initially appear related to security.
One of the most pressing issues right now for the many organizations that process credit card payments is to comply with the Payment Card Industry Data Security Standard, or PCI DSS. Section 10 of this standard covers the requirements for monitoring activity on networks and access to cardholder data. Logging the following items will support compliance with these PCI DSS log requirements:
- Invalid authentication attempts
- Changes to authentication mechanisms
- Password changes
- Administrative activities
- Access to cardholder data items
- Invalid access attempts to cardholder data and applications
- Access to audit logs
- Modifications to audit logs
- Clearing audit logs
- Creating system-level objects
- Deleting system-level objects
- The following information for actions attempted for cardholder data access and network access:
  - User identifier
  - Event type
  - Date and time
  - Success or failure of attempt
  - Origination of event
  - Resource identity (data file name, system component, application, etc.)
- Clock/time synchronization
PCI DSS requires you to retain these audit logs for at least one year, with a minimum of three months of online availability.
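As an added example (editor's code, not from the article), the PowerShell script below turns the PCI DSS Section 10 list above into something an administrator can run on a Windows server: it maps each listed item to a Windows advanced audit policy subcategory and the Security event IDs that subcategory produces, optionally enables those subcategories with auditpol, pulls the recent matching events in the per-event detail form the list calls for (user, event type, date and time, success or failure, origin, resource), and checks how the local Security log is sized and retained. The item-to-subcategory mapping, the hypothetical function names (Set-PciAuditPolicy, Get-PciAuditEvents, Test-SecurityLogRetention) and the MinLogSizeMB threshold are the editor's assumptions; the subcategory names and event IDs are standard Windows ones (Windows Server 2008 and later), and the file-access events (4663, 4656, 4660) only appear for objects that carry a SACL.

```powershell
<#
  Added example, not code from the article. Maps the PCI DSS Section 10 logging
  items to Windows audit subcategories and Security event IDs, optionally applies
  the audit settings, reports recent events, and checks local log retention.
  Run from an elevated PowerShell prompt on the server being reviewed.
#>
[CmdletBinding()]
param(
    [switch]$Apply,            # change audit policy with auditpol; default is report-only
    [int]$Days = 1,            # how far back to pull events for the report
    [int]$MinLogSizeMB = 1024  # assumed local size floor; tune to your own retention design
)

# Editor's mapping: PCI DSS item -> auditpol subcategory -> event IDs worth reviewing.
$Mapping = @(
    @{ Item = 'Invalid authentication attempts';      Sub = 'Logon';                       Ids = @(4625) },
    @{ Item = 'Changes to authentication mechanisms'; Sub = 'Authentication Policy Change'; Ids = @(4713, 4739) },
    @{ Item = 'Password changes';                     Sub = 'User Account Management';     Ids = @(4723, 4724) },
    @{ Item = 'Administrative activities';            Sub = 'Special Logon';               Ids = @(4672) },
    @{ Item = 'Access to cardholder data items';      Sub = 'File System';                 Ids = @(4663) },   # needs SACL on the data
    @{ Item = 'Invalid access attempts';              Sub = 'File System';                 Ids = @(4656) },   # failure audits of handle requests
    @{ Item = 'Modifications to audit logs/policy';   Sub = 'Audit Policy Change';         Ids = @(4719) },
    @{ Item = 'Clearing audit logs';                  Sub = 'Audit Policy Change';         Ids = @(1102) },   # 1102 is written whenever the Security log is cleared
    @{ Item = 'Creating system-level objects';        Sub = 'Process Creation';            Ids = @(4688) },
    @{ Item = 'Deleting system-level objects';        Sub = 'File System';                 Ids = @(4660) },
    @{ Item = 'Clock/time synchronization';           Sub = 'Security State Change';       Ids = @(4616) }
)

# Enable success and failure auditing for every subcategory the mapping needs.
function Set-PciAuditPolicy {
    foreach ($sub in ($Mapping | ForEach-Object { $_.Sub } | Select-Object -Unique)) {
        if ($Apply) {
            & auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
            Write-Host "Enabled success/failure auditing for '$sub'"
        } else {
            Write-Host "[report-only] auditpol /set /subcategory:`"$sub`" /success:enable /failure:enable"
        }
    }
}

# Pull the mapped events and flatten each into the fields PCI DSS asks for per event.
function Get-PciAuditEvents {
    param([int]$Days)
    $ids   = $Mapping | ForEach-Object { $_.Ids } | Select-Object -Unique
    $since = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Event fields live in the EventData/Data nodes of the event XML; 1102 uses UserData, so $d stays empty for it.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
        [pscustomobject]@{
            Time     = $e.TimeCreated                                   # date and time
            EventId  = $e.Id                                            # event type
            Outcome  = ($e.KeywordsDisplayNames -join ',')              # Audit Success / Audit Failure
            User     = if ($d.TargetUserName) { $d.TargetUserName } else { $d.SubjectUserName }   # user identifier
            Origin   = if ($d.IpAddress) { $d.IpAddress } else { $e.MachineName }                # origination of event
            Resource = if ($d.ObjectName) { $d.ObjectName }             # resource identity
                       elseif ($d.NewProcessName) { $d.NewProcessName }
                       else { $e.ProviderName }
        }
    }
}

# Local retention sanity check. The one-year / three-months-online requirement is normally met by
# forwarding to a central log store; this only confirms the local log is not silently overwriting itself.
function Test-SecurityLogRetention {
    $log    = Get-WinEvent -ListLog Security
    $sizeMB = [int]($log.MaximumSizeInBytes / 1MB)
    [pscustomobject]@{
        MaximumSizeMB = $sizeMB
        LogMode       = $log.LogMode   # 'Circular' means the oldest events are overwritten when full
        OldestEvent   = (Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue).TimeCreated
        MeetsLocalMin = ($sizeMB -ge $MinLogSizeMB) -and ($log.LogMode -ne 'Circular')
    }
}

Set-PciAuditPolicy
Get-PciAuditEvents -Days $Days | Sort-Object Time -Descending | Format-Table -AutoSize
Test-SecurityLogRetention | Format-List
```

Run it without switches first to see what auditpol commands it would issue and what the current log configuration looks like; add -Apply to change the policy. On a domain-joined server the audit subcategories are normally set through Group Policy rather than locally, in which case the report-only output is still useful as a list of what the GPO should contain.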
It is important to note that these same audit logs also contribute to compliance for the following regulatory acts:
- Security rule compliance of the Health Insurance Portability and Accountability Act -- requires that covered entities, or the organizations to which the law applies, implement procedures to generate and regularly review information system activity records, audit logs, access reports and security incidents. Login attempts must also be generated based upon the risk to the organization.
- Safeguards rule compliance of the Gramm-Leach-Bliley Act -- requires covered entities to identify internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromises of such information. This should include detecting, preventing and responding to attacks, intrusions or other systems failures through the use of log records.
- Compliance with the Sarbanes-Oxley Act -- Section 404, internal control requirements, compels covered entities to maintain logs to demonstrate that they strictly control access, which includes maintaining log data showing physical and logical access, and attempted access, to the network, devices, applications and data. The logs must also be regularly monitored and used to take corrective actions. Logs must be retained to provide documented evidence of these due diligence actions to auditors, as well as to provide data for forensics and as evidence.
By generating these logs, you will be supporting many other laws and regulations. Too many organizations try to address each of their applicable laws one at a time. However, many laws clearly have numerous similar requirements.
Organizations that establish a well-conceived information security program incorporating Windows log management practices that address the risks specific to their organization will simultaneously address a large portion of applicable data protection laws, regulations and standards.
Although it may seem a bit overwhelming, keep in mind that just about every organization can implement a Windows log management system to streamline compliance activities. A Windows log management system also helps to reduce the resources necessary to respond to what could be a large number of requests from IT, information security, privacy and audit teams for specific types of Windows log data.
Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance. She is owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.
This was first published in March 2008