Audit Logs Best Practices for Security
Audit logs are key to monitoring for unauthorized activities, insider threats, and issues that may be affecting system performance.
The effective management of security events, along with the corresponding incident investigations, is nearly impossible if an organization does not have appropriate audit logging in place. This monitoring, together with the audit logs themselves, is the focus of pitfall #51 in my eBook, Security Program Pitfalls and Prescriptions to Avoid Them.
Audit logs should record user activities, exceptions, and security events, and should be retained for an agreed period to support future investigations, including access control monitoring. Auditable event types should be specified, along with the frequency of auditing, or the situation that requires it, for each identified event. The list of events your organization audits or tracks must be documented, and security personnel should be able to select or modify the event types that information systems audit. Systems that process protected or otherwise sensitive information should create a secure audit record each time a user accesses, creates, updates, or archives that information through an information system.
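As an added example (not code from the article or from its author), the following Python sketches the secure audit record described above: each record captures who did what to which resource and when, the audited event types are a selectable set that security personnel can change, and records are hash-chained so that later alteration or deletion of any record is detectable. The event names, field names, and the sample resources are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Event types audited by default. Security personnel can pass a different
# set to AuditLog to select or modify what is audited (assumed set, not
# taken from the article).
DEFAULT_AUDITED_EVENTS = {"access", "create", "update", "archive", "login_failure"}

GENESIS_HASH = "0" * 64  # previous-hash value carried by the first record


def _digest(body):
    """SHA-256 over the canonical JSON of every field except 'hash'."""
    canonical = json.dumps({k: v for k, v in body.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only audit log whose records are chained by SHA-256.

    Each record carries the hash of the previous record, so deleting or
    altering any record breaks the chain and is reported by verify_chain().
    """

    def __init__(self, audited_events=None):
        self.audited_events = set(audited_events or DEFAULT_AUDITED_EVENTS)
        self.records = []
        self._prev_hash = GENESIS_HASH

    def record(self, event, user, resource, outcome="success", timestamp=None):
        """Append a record for an audited event; return None when the event
        type is not currently selected for auditing."""
        if event not in self.audited_events:
            return None
        ts = (timestamp or datetime.now(timezone.utc)).isoformat()
        body = {
            "ts": ts,  # assumes a synchronized UTC clock on the logging host
            "event": event,
            "user": user,
            "resource": resource,
            "outcome": outcome,
            "prev": self._prev_hash,
        }
        body["hash"] = _digest(body)
        self.records.append(body)
        self._prev_hash = body["hash"]
        return body

    def to_jsonl(self):
        """Serialize as JSON Lines, one record per line, for shipping to a
        central log store."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def verify_chain(records):
    """Return -1 if the chain is intact, otherwise the index of the first
    record whose link to its predecessor or whose content does not verify."""
    prev = GENESIS_HASH
    for i, rec in enumerate(records):
        if rec.get("prev") != prev or _digest(rec) != rec.get("hash"):
            return i
        prev = rec["hash"]
    return -1


if __name__ == "__main__":
    # Constructed sample activity, not real data.
    log = AuditLog()
    log.record("access", "alice", "phi/patient-1042")
    log.record("update", "bob", "phi/patient-2210")
    print(log.to_jsonl())
    print("chain intact:", verify_chain(log.records) == -1)
```

In production the chain head (the latest hash) would be written periodically to a store the logging system cannot modify, so that truncating the whole tail of the log is also detectable; the example only shows the per-record linkage.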
The clocks of all relevant information systems within your organization, or within an individual security domain, should be synchronized with an agreed, accurate time source to support the tracing and reconstitution of activity timelines. System clocks should be accurate to within two to four seconds; the smaller the drift, the better. Internal information system clocks should synchronize daily, and at system startup, to one or more authoritative time sources whenever the time difference is greater than four seconds.
Audit logs should be retained so that they are immediately available to security personnel for the previous ninety days. Audit log information older than ninety days should be archived for at least nine months, providing a combined twelve months of records to support after-the-fact security investigations. Systems that store logs should have adequate storage space for the volume of logs generated. Audit records should be reviewed and analyzed at an organization-defined frequency for indications of inappropriate or unusual activity, and any findings from these reviews should be reported to the appropriate security personnel.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASCENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.