Ask The Security UK Expert: Questions & Answers
How to manage logs

QUESTION:
How do logs need to be handled? Do I need to retain them? Do I need to be able to prove their integrity? Do you have any advice for the best way to go about it?

EXPERT RESPONSE FROM: Neil O'Connor

ANSWERED October 2009:
With the handling of logs, it is important to understand why you are keeping them. Some examples might be:

  1. For troubleshooting issues.
  2. For investigating security incidents.
  3. For use in employee disciplinary procedures.
  4. As a formal corporate record.
  5. For use in a court of law.

In general, the handling requirements get more stringent as you go down the above list. So, let's go through the list and review how to manage logs in these scenarios:

For troubleshooting issues: Keep the logs for a couple of weeks, retaining logs if there are particular issues to look at.

For investigating security incidents: Again, keep the logs for a short period (a month say). A key problem to sort out, though, is consistent time stamping to ensure that logs from different devices match up.

For use in employee disciplinary procedures: Keep the logs for about six months. The logs should be reasonably protected (e.g. only certain persons being allowed access), archived off periodically and stored appropriately.

As a formal corporate record: Normal advice here is to keep the logs for six years. Again, logs should be reasonably protected as above, archived off periodically and stored appropriately. The ability to read the archives should be checked.

For use in a court of law: You need to meet the evidential requirements. This can be done physically and procedurally, but will end up with your computers bagged up and tagged, or hard disks imaged etc. Any computer system that needs to routinely maintain records to this level of evidence really needs the right mechanisms and controls designed in from the start.

On top of all that, if your logs contain personal information, you'll need to consider both Data Protection Act issues and European Human Rights Act privacy requirements.
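The archiving, access-protection, integrity and "can we still read the archive" points in the answer above, worked as an added Python example (not the expert's or the site's code): it bundles log files into a gzipped tar with a SHA-256 manifest, re-reads the archive to confirm nothing is altered or missing, and checks a log's age against the answer's rough retention periods. The file names, log lines and purpose labels are constructed for the example.

```python
import hashlib
import io
import tarfile
from typing import Dict, List, Tuple

# Retention periods (days) from the answer above; they are rough guidance,
# not a legal requirement, so set the real figures from your policy.
RETENTION_DAYS = {
    "troubleshooting": 14,        # "a couple of weeks"
    "incident": 30,               # "a month say"
    "disciplinary": 183,          # "about six months"
    "corporate_record": 6 * 365,  # "six years"
}

# Constructed sample log files; not taken from any real system.
SAMPLE_LOGS = {
    "auth.log": b"Oct 12 09:00:01 host1 sshd[412]: Accepted publickey for alice\n",
    "fw.log": b"2009-10-12T09:00:02Z host2 DROP src=10.0.0.5 dst=10.0.0.1\n",
}

def archive_logs(files: Dict[str, bytes]) -> Tuple[bytes, Dict[str, str]]:
    """Bundle log files into a gzipped tar and return it with a SHA-256 manifest.
    Store the manifest where the log producers cannot write (separate host or
    write-once media); a manifest the same admins can edit proves nothing."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest

def verify_archive(archive: bytes, manifest: Dict[str, str]) -> List[str]:
    """Re-read every member (the periodic 'can we still read it' check) and compare
    it with the manifest. Returns names that are altered, unexpected or missing."""
    failures, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            data = tar.extractfile(member).read()
            seen.add(member.name)
            if hashlib.sha256(data).hexdigest() != manifest.get(member.name):
                failures.append(member.name)
    failures.extend(set(manifest) - seen)  # in the manifest but not in the archive
    return sorted(failures)

def expired(purpose: str, age_days: int) -> bool:
    """True when a log kept for this purpose has outlived its retention period."""
    return age_days > RETENTION_DAYS[purpose]
```

Run the verification on a schedule against the stored manifest, not against a manifest regenerated from the archive, or the check cannot detect tampering.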
