The routine analysis and review of security logs benefits organizations by identifying fraudulent activity, operational problems, policy violations, and security incidents, and by providing the information needed to investigate and resolve them. Logs are also useful for establishing a baseline of normal activity, exposing long-term problems, supporting auditing and forensic analysis, and tracking operational trends.
Besides these inherent benefits, a number of laws and industry standards now compel organizations to store and review logs on a regular basis. The key ones, as described when this guide was written in 2006 (several have since been revised, so check the current version of each before relying on the details below), and their log management requirements include:
- Federal Information Security Management Act of 2002 (FISMA)—FISMA emphasizes the need for United States federal agencies to develop, document, and implement organization-wide programs that provide information security for the computer systems supporting their assets and operations. NIST SP 800-53, Recommended Security Controls for Federal Information Systems [PDF], the primary source of recommended controls for federal agencies, describes several controls related to log management, including the generation, review, protection, and retention of audit records.
- Gramm-Leach-Bliley Act (GLBA)—GLBA requires financial institutions to protect their customers' information against security threats. Log management helps such institutions identify possible security violations and resolve them effectively.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)—HIPAA includes security standards for certain health information. NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule [PDF], lists HIPAA-related log management needs. For example, Section 4.1 of NIST SP 800-66 describes the need to perform regular reviews of audit logs and access reports, and Section 4.22 specifies that documentation of actions and activities must be retained for at least six years.
- Sarbanes-Oxley Act (SOX) of 2002—Although SOX applies primarily to financial and accounting practices, it also encompasses the IT functions that support them. SOX compliance is supported by reviewing logs regularly to look for signs of security violations, including exploitation, and by retaining both the logs and the records of those log reviews for later examination by auditors.
- Payment Card Industry Data Security Standard (PCI DSS)—PCI DSS applies to organizations that process, store, or transmit cardholder data for payment cards. One of its requirements (Requirement 10) is to track and monitor all access to network resources and cardholder data.
Source: Karen Kent and Murugiah Souppaya, Guide to Computer Security Log Management (NIST Special Publication 800-92) [PDF], United States National Institute of Standards and Technology, Gaithersburg, Maryland, September 2006.