Mapping of Log Management With Various Global Compliances | Lucideus Research

Introduction
Information security plays a vital role in today’s era. As businesses grow and new risks emerge every day, it is difficult to identify and deal with all of them. The idea of this blog is to determine the logging requirements of various compliance regimes, so that an organization can follow a single methodology that is in line with several of them at once.

Information Security Compliances
Information security is all about preserving the confidentiality, integrity, and availability of information. Many international standards and legal and regulatory requirements have been developed for securing information. These regulations include, but are not limited to:
Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI-DSS), Reserve Bank of India guidelines, ISO 27001:2013 Information Security Management System (ISMS) and other country-specific regulatory requirements.

In this blog, we have tried to map two standards and one regulation:

  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Reserve Bank of India Guidelines
  • ISO 27001:2013 Information Security Management System (ISMS)

We will cover other standards and regulations in upcoming blogs.

Log management
Log management is the combined process of generating, analyzing, evaluating, retaining, archiving, encrypting during archival, and securely disposing of logs. In an information system every event generates a log, and it is complicated for the organization to analyze each record: many log entries are merely informational (recording only that an event happened), but some logs do provide critical security-related information that can help in investigation and forensic activities.

Log Management requirement in compliances
Log files are essential for identifying events, attacks, etc. Organizations implement a log monitoring or Security Incident Event Monitoring (SIEM) solution for the analysis, evaluation, and storage of logs. If these solutions are configured as per the requirements (i.e., retention, storage, transfer, archival, etc.) specified in the standards, legislation or regulations, i.e., HIPAA, SOX, FISMA, PCI-DSS, ISO 27001:2013, then by following these requirements the organization can become compliant with several regimes at once.

Information security compliance regimes all deal with the same log management requirements in one way or another. PCI-DSS v3.2 Requirement 10, “Track and monitor all access to network resources and cardholder data”, covers the monitoring and logging of every event. ISO 27001:2013 Annexure A clauses 9, 12 and 16 cover the review, collection, retention, and analysis of logs.

Nowadays, advanced security solutions have made information security compliance reporting much easier, as they directly provide compliance-specific reports and a maturity score.

Implementation of Log Management solution in “ABC Bank” covering relevant Information Security Compliances

An Indian bank (ABC) was growing fast and realized that the complexity of its operations would increase the risk of non-compliance with several standards such as ISO 27001:2013, PCI DSS, RBI Guidelines, etc. The bank had to implement a log monitoring solution, but required a systematic and standard approach that would help the organization comply with the other security standards as well.

All the compliance regimes state the four (4) necessary parts of logging: log generation, log analysis, log retention, and log disposal. These apply to any events happening in the system, such as login/logout, file modification, error generation, etc., that can help the organization in an investigation.

Many organizations only maintain and retain system and server log files, but if an organization also covers the other requirements specified in the different standards, it can readily become compliant with the other security regimes without much effort, since these regimes do not mandate any particular technique: they only specify the manner, methodology and duration of the collection, maintenance, retention, and forwarding of these files.

Clauses of Standard
ISO/IEC 27001:2013, “Information technology - Security techniques - Information security management systems - Requirements”, is a standard that covers the organization’s structure, policies, procedures, frameworks, guidelines, and responsibilities. ISO 27001 fits every organization, small or large, and deals only with securing information and information assets. It helps the organization establish and maintain an ISMS, and is used to manage information security risk and to preserve the CIA of information and information assets.
ISO 27001:2013 Annexure A has the following requirements for logging, monitoring and reporting of security events:

Clause - Control requirement
A.6.2.2 - Teleworking
A.9.1.2 - Access to network and network services
A.8.3.2 - Data Disposal
A.9.2.1 - User registration and deregistration
A.12.3.1 - Information backup
A.12.4 - Logging and Monitoring
A.12.4.1 - Event logging
A.12.4.2 - Protection of log information
A.12.4.3 - Administrator and operator logs
A.12.4.4 - Clock synchronization
A.12.5.1 - Installation of software on operational systems
A.16.1.2 - Reporting information security events
A.16.1.3 - Reporting information security weaknesses
A.16.1.4 - Assessment of and decision on information security incidents

The Payment Card Industry Data Security Standard (PCI DSS) mandates several policies and procedures for protecting cardholder data against misuse of personal information. The standard has 6 objectives and 12 requirements that deal with storing, encrypting and maintaining cardholder data and protecting it from unauthorized users. Recently RBI has mandated the use of PCI DSS for organizations that collect and retain cardholder data.

Clause - Control requirement
Requirement 10: Track and monitor all access to network resources and cardholder data
CL.10.1 - Implement audit trails to link all access to system components to each individual user.
CL.10.2 - Implement automated audit trails for all system components to reconstruct the following events:
CL.10.2.1 - All individual user accesses to cardholder data
CL.10.2.2 - All actions taken by any individual with root or administrative privileges
CL.10.2.3 - Access to all audit trails
CL.10.2.4 - Invalid logical access attempts
CL.10.2.5 - Use of and changes to identification and authentication mechanisms
CL.10.2.6 - Initialization, stopping or pausing of the audit logs
CL.10.2.7 - Creation and deletion of system-level objects
CL.10.3 - Record at least the following audit trail entries for all system components for each event: user identification, type of event, date and time, success or failure indication, origination of event, identity of affected data.
CL.10.4 - Using Time Synchronization
CL.10.5 - Secure audit trails so they cannot be altered.
CL.10.5.1 - Limit viewing of audit trails to those with a job-related need.
CL.10.5.2 - Protect audit trail files from unauthorized modifications.
CL.10.5.3 - Promptly back up audit trail files to a centralized log server
CL.10.5.4 - Write logs for external-facing technologies
CL.10.5.5 - Use file-integrity monitoring or change-detection software on logs
CL.10.6 - Review logs and security events for all system components.
CL.10.6.1 - Review of logs - security events, critical systems, IDS/IPS
CL.10.6.2 - Review logs of all other system components periodically
CL.10.7 - Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
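The Requirement 10 items above are the most concrete of the three regimes, so here is an added worked example (not code from the Lucideus post or from ABC Bank) that checks constructed audit records against CL.10.3 (minimum fields per event), CL.10.7 (retention windows) and CL.10.5.5 (change detection on stored logs). The record layout, field names, the 90-day and 365-day windows and the sample entries are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# PCI DSS 10.3: the entries every audit record must carry (a single
# "timestamp" field stands in for "date and time").
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "result",
                   "origin", "affected_data")

# Constructed sample records (not real bank data); the third lacks "origin".
SAMPLE_LOG = [
    {"user_id": "dba01", "event_type": "db_access",
     "timestamp": "2019-03-01T10:00:00Z", "result": "success",
     "origin": "10.1.2.3", "affected_data": "cardholder.pan"},
    {"user_id": "root", "event_type": "admin_action",
     "timestamp": "2019-03-01T10:05:00Z", "result": "success",
     "origin": "10.1.2.9", "affected_data": "auditd.conf"},
    {"user_id": "svc_web", "event_type": "login_failure",
     "timestamp": "2019-03-01T10:06:00Z", "result": "failure",
     "affected_data": "none"},
]
# Assumed "current time" so the retention check is reproducible.
REFERENCE_NOW = datetime(2019, 3, 2, tzinfo=timezone.utc)

def missing_fields(record):
    """Return the 10.3 fields absent from one record (empty list = compliant)."""
    return [f for f in REQUIRED_FIELDS if f not in record]

def retention_class(record_ts, now=REFERENCE_NOW):
    """10.7: 'online' within three months (taken as 90 days), 'archive' within
    one year (365 days), otherwise 'disposable'."""
    age = now - datetime.fromisoformat(record_ts.replace("Z", "+00:00"))
    if age <= timedelta(days=90):
        return "online"
    if age <= timedelta(days=365):
        return "archive"
    return "disposable"

def chain_digest(records, prev="0" * 64):
    """10.5.5-style change detection: hash each record with the digest of all
    earlier ones, so altering or dropping any record changes the final digest."""
    for r in records:
        line = json.dumps(r, sort_keys=True)
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
    return prev

def noncompliant_records(records):
    """Map position -> missing 10.3 fields for every record that fails the check."""
    return {i: missing_fields(r) for i, r in enumerate(records)
            if missing_fields(r)}
```

The final digest from chain_digest is what the centralized log server of CL.10.5.3 would store and recompute on review to detect tampering with the copy held on the originating system.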

The RBI cybersecurity guidelines are mandated by the Reserve Bank of India for all Indian banks. A bank has to follow the security requirements specified in the guidelines, which helps ensure the security of customer information/data in the cyber world. The guidelines work on three approaches, Proactive, Continuous and Reactive, that an organization has to follow before implementation.

Annexure 1: Clause - Control requirement
CL.4 - Network Management and Security
CL.5 - Secure Configuration
CL.6 - Application Security Lifecycle
CL.7 - Patch/Vulnerability and Change management
CL.8 - User Access Control
CL.12 - Removable Media
CL.13 - Advanced Real-time Threat Defence and Management
CL.16 - Maintenance, Monitoring, and Analysis of Audit Logs
CL.17 - Audit Log settings

Standard Requirement Mapping

Figure: Log management requirement mapping