Meeting compliance needs through Windows log management


Rebecca Herold, Contributor
03.20.2008
To comply with the multitude of legal requirements that regulate electronic data, virtually all organizations must configure their Windows servers to generate log data. By establishing a comprehensive Windows log management program based upon monitoring items that reveal risks, organizations will actually be meeting compliance requirements for a number of laws, regulations and standards in one fell swoop.

Log data should also be regularly reviewed and analyzed to enhance overall information security, privacy and availability for each organization. But these two problems consistently creep up within organizations when they create logs to meet regulatory compliance:

  • Most Windows administrators do not know the legal requirements for maintaining logs. As a result, the logs are not generated. Or, if they are generated, they are not retained appropriately to meet compliance.

    The following legal requirements set mandates related to log data:

    The Payment Card Industry Data Security Standard, or PCI DSS, is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

    The Sarbanes-Oxley Act, often shortened to SOX, sets deadlines for compliance and publishes rules on requirements. SOX defines which records are to be stored and for how long.

    The Gramm-Leach-Bliley Act regulates the collection and disclosure of private financial information. It stipulates that financial institutions must implement security programs to protect such information.

    -- Whatis.com

  • Most compliance officers, having no IT background, do not realize that an organization's Windows administrators must be provided with documentation that details the logging requirements for compliance. Many mistakenly assume that Windows administrators log everything by default and keep everything indefinitely.

So what's a Windows administrator to do? Well, don't wait for someone from your organization to hand you a nice list of all the specific types of logs you need to keep to meet compliance requirements. Chances are that won't happen.

Instead, know the types of logs that you should establish to meet the requirements of a large cross-section of regulatory obligations. Then have a chat with your information security officer and compliance officer to discuss the feasibility of generating and maintaining these logs.

While you're at it, discuss with them Windows log management procedures that will protect your organization not only from non-compliance fines and penalties but also from security incidents. They provide valuable evidence, too, in case an incident does occur.

It is important to understand that even though data protection regulations have the core goal of protecting personally identifiable information and improving security, the Windows logs that are required are not what most Windows administrators consider typical "security" logs. Windows server logs often contain security-related information that may not initially appear related to security.

One of the most pressing issues right now for the many organizations that process credit card payments is to comply with the Payment Card Industry Data Security Standard, or PCI DSS. Section 10 of this standard covers the actions required to monitor activities on networks and for accessing cardholder data. Logging the following items will support compliance with these PCI DSS log requirements:

  1. Invalid authentication attempts
  2. Changes to authentication mechanisms
  3. Password changes
  4. Administrative activities
  5. Access to cardholder data items
  6. Invalid access attempts to cardholder data and applications
  7. Access to audit logs
  8. Modifications to audit logs
  9. Clearing audit logs
  10. Creating system-level objects
  11. Deleting system-level objects
  12. The following information for actions attempted for cardholder data access and network access:
      1. User identifier
      2. Event type
      3. Date and time
      4. Success or failure of attempt
      5. Origination of event
      6. Resource identity (data file name, system component, application, etc.)
  13. Clock/time synchronization

PCI DSS requires you to retain these audit logs for at least one year, with a minimum of three months of online availability.
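One way to put the list above into practice, as an added example that is not part of the article: this PowerShell script maps each item to Windows Security log event IDs, pulls the last three months of each, and checks whether the oldest event still online covers that window. It assumes Windows Server 2008 or later (four-digit Security event IDs) and an elevated session on the server being reviewed; the item-to-event-ID mapping is the example's own choice, not text from the standard.

```powershell
# Added example, not code from the article: pulls the Windows Security events that
# correspond to the PCI DSS Section 10 items above and checks online retention.
# Assumes Windows Server 2008 / Vista or later (4-digit Security event IDs) and an
# elevated PowerShell session on the server being reviewed.
$onlineDays = 90                                   # PCI DSS: three months online minimum
$since      = (Get-Date).AddDays(-$onlineDays)

# Article item -> Security event IDs. The mapping is this example's own choice, not
# text from the standard; extend it for the applications holding cardholder data.
$pciMap = [ordered]@{
    '1  Invalid authentication attempts'          = 4625, 4771
    '2  Changes to authentication mechanisms'     = 4713, 4719, 4739
    '3  Password changes'                         = 4723, 4724
    '4  Administrative activities'                = 4672, 4720, 4726, 4732
    '7/8 Access to or modification of audit logs' = 4719, 4907
    '9  Clearing audit logs'                      = 1102
    '10/11 System-level objects created/deleted'  = 4697, 4698, 4699
    '13 Clock/time synchronization'               = 4616
}

foreach ($item in $pciMap.Keys) {
    $filter = @{ LogName = 'Security'; Id = $pciMap[$item]; StartTime = $since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    '{0,-46} {1,6} events in the last {2} days' -f $item, $events.Count, $onlineDays
    # Item 12 fields for the first few hits: user, event type, date/time, success or
    # failure (the Keywords display name) and origin host; the resource is in the message.
    foreach ($e in ($events | Select-Object -First 3)) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $user = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        if (-not $user) { $user = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text' }
        '    {0:u}  ID {1}  {2}  user={3}  host={4}' -f $e.TimeCreated, $e.Id, ($e.KeywordsDisplayNames -join ','), $user, $e.MachineName
    }
}

# Retention check: the oldest event still online should be at least $onlineDays old;
# a newer one means the log wraps before the three-month window is covered.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
'Security log: {0} MB max, mode {1}, oldest online event {2:u}' -f ($log.MaximumSizeInBytes / 1MB), $log.LogMode, $oldest.TimeCreated
if ($oldest.TimeCreated -gt $since) {
    Write-Warning "Oldest online Security event is newer than $onlineDays days; raise the log size or archive before it wraps."
}
```

Items 5 and 6 (access to cardholder data and applications) depend on object-access auditing being enabled on the specific files and databases involved, so they need SACLs or application logs in addition to the Security log filters shown here.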

It is important to note that these same audit logs also contribute to compliance for the following regulatory acts:

  • Security rule compliance of the Health Insurance Portability and Accountability Act -- requires that covered entities, or the organizations to which the law applies, implement procedures to generate and regularly review information system activity records, audit logs, access reports and security incidents. Logs must also be generated based upon the risk to the organization.

  • Safeguards rule compliance of the Gramm-Leach-Bliley Act -- requires covered entities to identify internal and external risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromises of such information. This should include detecting, preventing and responding to attacks, intrusions or other systems failures through the use of log records.

  • Compliance with the Sarbanes-Oxley Act -- Section 404, internal control requirements, compels covered entities to maintain logs to demonstrate that they strictly control access, which includes maintaining log data showing physical and logical access, and attempted access, to the network, devices, applications and data. The logs must also be regularly monitored and used to take corrective actions. Logs must be retained to provide documented evidence of these due diligence actions to auditors, as well as to provide data for forensics and as evidence.

By generating these logs, you will be supporting many other laws and regulations. Too many organizations try to address each of their applicable laws one at a time. However, many laws clearly have numerous similar requirements.

Organizations that establish a well-conceived information security program incorporating Windows log management practices that address the risks specific to their organization will simultaneously address a large portion of applicable data protection laws, regulations and standards.

Although it may seem a bit overwhelming, keep in mind that just about every organization can implement a Windows log management system to streamline compliance activities. A Windows log management system also helps to reduce the resources necessary to respond to what could be a large number of requests from IT, information security, privacy and audits for specific types of Windows log data.

Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance. She is owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.
