How do logs need to be handled? Do I need to retain them? Do I need to be able to prove their integrity? Do you have any advice for the best way to go about it?


With the handling of logs, it is important to understand why you are keeping them. Some examples might be:

  1. For troubleshooting issues.
  2. For investigating security incidents.
  3. For use in employee disciplinary procedures.
  4. As a formal corporate record.
  5. For use in a court of law.

In general, the handling requirements get more stringent as you go down the above list. So, let's go through the list and review how to manage logs in these scenarios:

For troubleshooting issues: Keep the logs for a couple of weeks, retaining logs if there are particular issues to look at.

For investigating security incidents: Again, keep the logs for a short period (a month say). A key problem to sort out, though, is consistent time stamping to ensure that logs from different devices match up.

For use in employee disciplinary procedures: Keep the logs for about six months. The logs should be reasonably protected (e.g. only certain persons being allowed access), archived off periodically and stored appropriately.

As a formal corporate record: Normal advice here is to keep the logs for six years. Again, logs should be reasonably protected as above, archived off periodically and stored appropriately. The ability to read the archives should be checked.

For use in a court of law: You need to meet the evidential requirements. This can be done physically and procedurally, but will end up with your computers bagged up and tagged, or hard disks imaged etc. Any computer system that needs to routinely maintain records to this level of evidence really needs the right mechanisms and controls designed in from the start.

On top of all that, if your logs contain personal information, you'll need to consider both Data Protection Act issues and European Human Rights Act privacy requirements.
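The answer's "reasonably protected, archived off periodically" advice is easiest to act on with a tamper-evident manifest. The example below is added here and is not part of the original answer; it builds a hash-chained manifest over archived log files (constructed sample archives and file names are assumptions) and verifies that no archive was altered or dropped. The chain head should be stored somewhere the log host cannot write to (printed, signed, or copied off-box).

```python
import hashlib

# Constructed sample log archives (not from the page): one per archive period.
ARCHIVES = {
    "auth-2009-09.log": b"2009-09-01T00:00:03Z host1 sshd: accepted key for alice\n"
                        b"2009-09-01T00:04:10Z host2 sshd: failed password for root\n",
    "auth-2009-10.log": b"2009-10-01T00:00:01Z host1 sshd: accepted key for bob\n",
}

GENESIS = "0" * 64  # link value before the first manifest entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def chain_link(prev: str, name: str, content_hash: str) -> str:
    # Each link commits to the previous link, the archive name and its content hash.
    return sha256_hex(f"{prev}|{name}|{content_hash}".encode())


def build_manifest(archives: dict) -> list:
    """Append-only manifest: altering or dropping any archive breaks every later link."""
    manifest, prev = [], GENESIS
    for name in sorted(archives):          # deterministic order = reproducible chain
        content_hash = sha256_hex(archives[name])
        link = chain_link(prev, name, content_hash)
        manifest.append({"name": name, "sha256": content_hash, "prev": prev, "link": link})
        prev = link
    return manifest


def manifest_head(manifest: list) -> str:
    """The last link; record this off-box so a rewritten manifest is detectable."""
    return manifest[-1]["link"] if manifest else GENESIS


def verify_manifest(manifest: list, archives: dict, expected_head: str = None):
    """Return (True, None) if all archives match and the chain is intact,
    else (False, name_of_first_failing_entry) or (False, "head") on a head mismatch."""
    prev = GENESIS
    for entry in manifest:
        data = archives.get(entry["name"])
        if data is None or sha256_hex(data) != entry["sha256"]:
            return False, entry["name"]    # missing or modified archive
        if entry["prev"] != prev or entry["link"] != chain_link(prev, entry["name"], entry["sha256"]):
            return False, entry["name"]    # manifest entry edited or reordered
        prev = entry["link"]
    if expected_head is not None and prev != expected_head:
        return False, "head"               # whole manifest rewritten to match tampering
    return True, None
```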

This was first published in October 2009
