Key regulatory compliance mandates imposed by HIPAA, SOX, FISMA, PCI, MiFID, Basel II and others require the tracking of access to scoped systems (those containing regulated data). A key question for IT managers becomes ‘what log data should I collect and how to I manage log storage, retrieval and analysis’. IT Ops teams in small to mid-sized companies should also be asking ‘how do I assure compliance without huge expenditures of budget and manpower.
What logs should be collected for compliance?
While the specifics are dependent on the applicable mandate (HIPAA, PCI, etc.) there are common characteristics that will help you meet audit requirements. Generally, the compliance mandate is concerned with your ability to safeguard data such as social security numbers, addresses, logins, credit card numbers, health records, investment plans and banking details. From an IT management perspective, this means we are trying to gather, store and analyze logs that might show actual or attempted scoped data breaches. As example, the following is the recommended Audit Policy for Windows for PCI DSS (Payment Card Industry Data Security Standard).
- Account Logon Events – Success and Failure
- Account Management Events – Success and Failure
- Directory Service Access Events – Failure
- Logon Events – Success and Failure
- Object Access Events – Success and Failure
- Policy Change Events – Success and Failure
- Privilege Use Events - Failure
- System Events – Success and Failure
You should also collect access logs for pertinent non-syslog applications running on scoped servers. It is recommended that you have a centralized logging system or dedicated system acting as the syslog receiver.
How long must the data be retained?
Again, the specifics depend on the standard and you should consult, or enlist the services of, a Qualified Security Auditor (QSA) to determine exact requirements but typically the required retention period is between 1year and 6 years. In the case of PCI the requirement is to store all logs for 1 year but have the last 3 months easily accessible. Keeping things in perspective for the small to mid-sized business, if you have enough storage on the centralized logging server you should then retain all logs from scoped systems for one year. If there isn’t sufficient storage available on the centralized server then maintain the last 3 months and roll anything older and less than 1 year to long term storage.
How do I manage and analyze compliance related logs cost-effectively?
Due to the number and size of the logs generated on Windows networks, it is considered best practice to use higher level Event Log Analyzers to automate aggregation and analysis. IT managers in small to mid-sized businesses should consider solutions that strike a healthy balance between functionality and cost. In considering functionality, be careful not to let feature creep influence you to invest in a tool that ‘can do everything’ when your foreseeable needs only require compliance to regulations. In considering cost be sure to add in the ongoing cost of dedicated headcount that may be needed to configure and maintain the solution.
An event log analyzer should be a key component of your infrastructure strategy. With an event log management solution like Ipswitch Log Management Suite, you can analyze logs, secure your network, reduce risks and liabilities, respond faster to security threats and network outages, and automate the administration of collecting and archiving logs.
>> If you would like to learn how to use log management software to address common security and compliance scenarios that your organization faces check out our on-demand security and compliance webinar with Ipswitch Solutions Engineer, Deb Mattson, who walks through 4 common security use-cases -- including how built-in compliance reporting using our log management software can scan Windows, Syslog or IIS/W3C event logs to allow you to create alerts and reporting on potentially non-compliant activities.