
SANS ISC: Event Logging Requirements SANS ISC InfoSec Forums

Event Logging Requirements
I'm a tech writer working on InfoSec policy documentation. In the country where I reside, the Government's requirement for data log retention is that companies retain log file data for seven years. There is a classification of what kinds of data to log, specifically those involving changes to network configuration, failed login attempts, logins to sensitive data, etc. Even so, the requirements seem pretty onerous in terms of data storage - keeping 7 years of event log data would demand a pretty huge amount of storage, let alone storing it in such a way that it is navigable.

What's the feeling in the InfoSec community about how to deal with these requirements? Do companies actually have to follow the letter of the law or can they get away with less?
Circadian

7 Posts
Hi,
Seven years looks very long just for "network configuration changes" and "failed logins". Where do you reside?
A long retention policy does not mean that *ALL* collected events must remain online. You can split your data across multiple media types and move them from one to another in the future. Ex: SSD -> SATA -> DVD
Those DVDs can be stored offline in a safe.
Xme

537 Posts
ISC Handler
Well, don't want to give too much away, but Australia ;-)

Although, since writing this thread I have done a bit more research, and I think my client might have been operating under a misconception - he thought the requirement was to keep logs of ALL data going through the firewalls, but I think he's misread the requirement. When I looked into it, it says that logs have to be kept for only particular kinds of events, e.g. privileged operations, successful and failed elevation of privileges, etc. So I think the proposed data logging analysis application that they're getting allows you to scan for and retain logs for those kinds of event types, which I think satisfies the requirements. Although, it is true that the data logs have to be kept for 7 years. (This is all out of the Australian Govt. Information Security Manual.)
Circadian

7 Posts
Indeed, such events won't require too much storage space. Keep in mind that 7 years is a very long retention period, and your customer must be careful about data migration between reliable media; the data must remain readable (so it should be stored in an open format).
Xme

537 Posts
ISC Handler
I've found the clause in the Information Security Manual that was being referred to when I first posted this thread. It's here http://www.asd.gov.au/publications/Information_Security_Manual_2016_Controls.pdf
on page 261:

"Agencies must ensure that all gateways connecting networks in different security domains are operated and maintained in such a way that they:

• log network traffic attempting to leave the gateway
• are configured to save event logs to a separate secure log server"

So, the client seems to think that the first of these two requirements is what is going to produce very large amounts of log data, which then has to be saved for 7 years. It seems a very broad requirement.
Circadian

7 Posts
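As an added illustration of the approach discussed in the posts above (keep only the event classes the ISM requires, in an open format, with an explicit retention deadline), here is example code that is not from this thread or from any ISM publication; the syslog patterns, sample log lines, class names and ingestion time are constructed assumptions.

```python
import json
import re
from datetime import datetime

# Event classes the thread says must be kept for 7 years (privileged operations, successful
# and failed privilege elevation, failed logins, network configuration changes). The syslog
# patterns below are constructed for this example; they are not taken from the ISM.
RETENTION_YEARS = 7
CLASSIFIERS = [
    ("failed_login", re.compile(r"sshd\[\d+\]: Failed password for")),
    ("privilege_elevation_failed", re.compile(r"sudo:\s+\S+ : .*(?:incorrect password attempts|NOT in sudoers)")),
    ("privilege_elevation_ok", re.compile(r"sudo:\s+\S+ : TTY=")),
    ("network_config_change", re.compile(r"\b(?:ifconfig|ip link|ip addr|iptables|nft)\b")),
]

# Constructed sample gateway syslog (documentation IP ranges); not real log data.
SAMPLE_LOG = """\
Mar  3 10:01:02 gw1 sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar  3 10:01:05 gw1 sshd[4321]: Accepted publickey for alice from 192.0.2.10 port 51523 ssh2
Mar  3 10:02:11 gw1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/iptables -F FORWARD
Mar  3 10:02:40 gw1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:03:00 gw1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""
RECEIVED = datetime(2017, 3, 3, 10, 0)  # constructed ingestion time (syslog lines carry no year)


def classify(line):
    """Return every retention class a log line falls into; [] means no retention duty."""
    return [name for name, rx in CLASSIFIERS if rx.search(line)]


def retain_until(received):
    """Deadline under the 7-year rule: same calendar day, RETENTION_YEARS on (Feb 29 -> Mar 1)."""
    try:
        return received.replace(year=received.year + RETENTION_YEARS).date()
    except ValueError:
        return received.replace(year=received.year + RETENTION_YEARS, month=3, day=1).date()


def archive(log_text, received):
    """Keep only lines with a retention class; each record is plain JSON-compatible data."""
    records = []
    for line in log_text.splitlines():
        classes = classify(line)
        if classes:
            records.append({"received": received.isoformat(), "classes": classes,
                            "retain_until": retain_until(received).isoformat(), "raw": line})
    return records


def to_jsonl(records):
    """Serialise records as JSON Lines, an open format that stays readable without the vendor tool."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)
```

Of the five constructed lines, only three produce records, which is the storage-volume point made above; the dropped lines are the accepted login and the cron entry.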
