Audit Log Best Practices For Information Security

Published August 16, 2018 | 4 min read

You’ve set up a monitoring program and security controls, but now you need to create an audit log to prove to an auditor that you’re ensuring data security. With attackers consistently finding new ways to penetrate your perimeter, data breach numbers continue to rise. Creating an audit trail to prove your security stance requires you to document, document, and document some more.

Auditing & Logging in Information Security

What is an audit log?

Auditors need proof of your controls, control monitoring, and event information. The audit log is the document that records the information about resources accessed including destination addresses, source addresses, timestamps, and user login information.

What information should be in an audit log?

Audit logs create records that help you track access to your environment. Therefore, a complete audit log needs to include, at a minimum:

  • User IDs
  • Date and time records for when Users log on and off the system
  • Terminal ID
  • Access to systems, applications, and data – whether successful or not
  • Files accessed
  • Network access
  • System configuration changes
  • System utility usage
  • Exceptions
  • Security-related events such as triggered alarms
  • Protection system notifications (i.e. intrusion detection or anti-malware notifications)

What is an audit log used for?

According to the Open Web Application Security Project (OWASP), audit logs track activities that impact the environment and trace where those activities occurred, so they must remain secure to maintain data integrity.

Audits

An audit log, also called an audit trail, provides the chronological record of an event. When an auditor comes to review your compliance for certification purposes, she uses the audit log to check for abnormalities or noncompliance. For example, your information security procedures may require you to update an operating system within 30 days of a patch being released. An intrusion arising out of a late update to the operating system shows noncompliance.

General Debugging and Business Continuity

Audit logs enable your security team to reconstruct events after a problem occurs. The documentation provides your security administrator with the information needed to recover rapidly from an intrusion.

Forensics Evidence

If a data breach leads to a lawsuit, your audit log can be evidence to show appropriate event management.

Threat Detection

Reviewing audit logs regularly can help provide insight into abnormal behavior if you connect them to real-time tracking systems.
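The list of minimum audit log fields above and the point about spotting abnormal behavior can be shown together. The following is an added example and not code from the original post or from ZenGRC: it holds a few constructed audit records carrying the fields the post lists (user ID, timestamp, terminal ID, event, outcome), checks that each record is complete, and runs two simple review rules over them (a burst of failed logons from one user, and configuration changes outside business hours). The field names, thresholds and business-hours window are assumptions.

```python
"""Added example (not from the original post): constructed audit records
with the minimum fields the post lists, plus two review rules run over them.
Field names, thresholds and the business-hours window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Minimum fields the post lists; every record must carry all of them.
REQUIRED_FIELDS = {"user_id", "timestamp", "terminal_id", "event", "outcome"}

# Constructed sample records (not real logs). Timestamps are ISO 8601.
SAMPLE_RECORDS = [
    {"user_id": "alice", "timestamp": "2018-08-16T09:00:01", "terminal_id": "ws-12", "event": "logon", "outcome": "success"},
    {"user_id": "bob", "timestamp": "2018-08-16T02:10:00", "terminal_id": "ws-07", "event": "logon", "outcome": "failure"},
    {"user_id": "bob", "timestamp": "2018-08-16T02:10:20", "terminal_id": "ws-07", "event": "logon", "outcome": "failure"},
    {"user_id": "bob", "timestamp": "2018-08-16T02:10:45", "terminal_id": "ws-07", "event": "logon", "outcome": "failure"},
    {"user_id": "bob", "timestamp": "2018-08-16T02:11:10", "terminal_id": "ws-07", "event": "logon", "outcome": "failure"},
    {"user_id": "carol", "timestamp": "2018-08-16T03:30:00", "terminal_id": "srv-01", "event": "config_change", "outcome": "success"},
    {"user_id": "alice", "timestamp": "2018-08-16T17:45:00", "terminal_id": "ws-12", "event": "logoff", "outcome": "success"},
]


def validate(record):
    """Return the set of required fields missing from a record (empty if complete)."""
    return REQUIRED_FIELDS - set(record)


def failed_logon_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed logons inside any sliding window."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "logon" and r["outcome"] == "failure":
            by_user[r["user_id"]].append(datetime.fromisoformat(r["timestamp"]))
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            # Extend the window from times[i] as far as it reaches.
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)


def off_hours_config_changes(records, start_hour=7, end_hour=19):
    """Configuration changes made outside the assumed business-hours window."""
    out = []
    for r in records:
        hour = datetime.fromisoformat(r["timestamp"]).hour
        if r["event"] == "config_change" and not (start_hour <= hour < end_hour):
            out.append((r["user_id"], r["timestamp"], r["terminal_id"]))
    return out


if __name__ == "__main__":
    print("incomplete:", [r for r in SAMPLE_RECORDS if validate(r)])
    print("failed logon bursts:", failed_logon_bursts(SAMPLE_RECORDS))
    print("off-hours config changes:", off_hours_config_changes(SAMPLE_RECORDS))
```

Both rules depend on consistent timestamps across sources, which is exactly the inconsistency the NIST challenges below describe; normalizing clocks and formats at collection time is what makes rules like these trustworthy.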

SOC Reporting

As a vendor, your audit logs prove your security accountability and help comply with legal and corporate vendor management requirements.

What are some challenges of log management?

The National Institute of Standards and Technology (NIST) lists several common issues with log management. These challenges often arise from having too many log sources, which leads to inconsistencies in content, timestamps, and formats. Moreover, many organizations have a hard time protecting logs while meeting data retention requirements. Finally, reviewing and analyzing logs to find the relevant data proves time-consuming, which means the process often becomes a low-priority task.

What are five best practices for audit logging?

Protect the Logs Using a Fail Safe Configuration

Logs contain legally protected sensitive data. Although they track your security stance, you need to ensure malicious actors cannot gain access to them. NIST recommends that organizations create and maintain a secure log management infrastructure.

When setting configurations for your audit logging system, you want to use a “fail safe” configuration rather than a “fail open” one. A fail open option may appear beneficial because it continues to operate no matter what happens; organizations use this configuration when access matters more than authentication. However, audit logging focuses on access control logging. Therefore, you want to use a fail safe, which protects other system components by including an external bypass switch device. Your IT staff can proactively activate or deactivate the switch to remove the device from the network temporarily for updates.

Ensure Integrity

Prioritizing log management across the organization enables data integrity from within. Once you establish goals aligned with applicable laws and regulations, you can create internal policies that focus on retention and monitoring that reduce risk.

Digital records need to be protected from tampering so that they keep their integrity. External threats to your environment can be mitigated by firewalls, but you also need to make sure that internal actors cannot change the logs. Two ways to protect data integrity are keeping complete replicas or storing the logs as read-only files.
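Replicas and read-only files make silent changes harder; a complementary control is to make any change detectable. The following is an added example, not code from the original post or from ZenGRC, and it goes beyond the two methods named above: each stored record is chained to its predecessor with an HMAC, so verification fails at the first record that was altered after the fact. The key, the genesis value, the entry format and the sample records are assumptions.

```python
"""Added example (not from the original post): a tamper-evident audit log in
which every entry carries an HMAC over its record and the previous entry's
MAC. Altering a stored record breaks the chain from that point on.
Key, genesis value, entry layout and sample records are assumptions."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed starting value for the first entry's chain link


def _entry_mac(key, prev_mac, record):
    """HMAC-SHA256 over the previous MAC and a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + payload, hashlib.sha256).hexdigest()


def append_records(key, records, log=None):
    """Return a new log with `records` appended, each chained to the entry before it."""
    log = list(log) if log else []
    prev = log[-1]["mac"] if log else GENESIS
    for record in records:
        mac = _entry_mac(key, prev, record)
        log.append({"record": record, "mac": mac})
        prev = mac
    return log


def verify(key, log):
    """Return (True, None) if the chain holds, else (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _entry_mac(key, prev, entry["record"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, None


# Constructed sample input (not real logs).
SAMPLE_KEY = b"example-key-not-for-production"
SAMPLE_RECORDS = [
    {"user_id": "alice", "timestamp": "2018-08-16T09:00:01", "terminal_id": "ws-12", "event": "logon", "outcome": "success"},
    {"user_id": "bob", "timestamp": "2018-08-16T02:10:00", "terminal_id": "ws-07", "event": "logon", "outcome": "failure"},
    {"user_id": "carol", "timestamp": "2018-08-16T03:30:00", "terminal_id": "srv-01", "event": "config_change", "outcome": "success"},
]


def demo():
    """Build a chained log, then show that editing one stored record is caught."""
    log = append_records(SAMPLE_KEY, SAMPLE_RECORDS)
    ok_before = verify(SAMPLE_KEY, log)
    tampered = copy.deepcopy(log)
    tampered[1]["record"]["outcome"] = "success"  # rewrite history on entry 1
    return ok_before, verify(SAMPLE_KEY, tampered)


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from the design. The key must live where internal actors who can write to the log store cannot read it (for example on the log collector rather than on each source host), otherwise they can recompute the chain. And removing entries from the tail is not detected by the chain alone; storing the latest MAC, or a complete replica as the post suggests, on a separate system closes that gap.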

Find a Dual Purpose Audit Logging Program

Establishing policies and procedures for logging standards and guidelines helps you to more efficiently incorporate log monitoring across the enterprise. However, audit logs provide you with two types of information. First, they allow you to track access to the system. Second, they enable continuous monitoring for continuous compliance. To streamline your overall compliance process, a dual-purpose audit logging program can reduce time spent on monitoring while increasing security and compliance.

Provide Resources to Manage Responsibilities

The more systems that organizations use to manage their business processes, the more information their log management staff needs to review. You need to make sure that you not only hire the appropriate number of employees to review access logs but also the tools that make this an efficient process. Resources can include technical guidance, sharing information with staff, training staff, and providing tools or tool documentation.

How ZenGRC Eases Best Practices For Audit Log Management

ZenGRC’s system-of-record enables organizations to store all their information in a single location. Collecting all your audit log information in a single place allows you to manage audit information and document your compliance activities.

With a single source of information, your audit logging staff can communicate efficiently with one another. Our role-based authentication enables audit log security and integrity since only the people who need access can interact with the information.

Finally, our system-of-record enables your audit log review staff to trace outstanding tasks without emails. This capability not only makes communication easier but protects the data by keeping it within our protected platform rather than insecure emails.

Managing audit information in a single location helps you detect real time risks and prove continuous monitoring by documenting all your ongoing compliance activities.

For more information about how ZenGRC eases the burden of audit log management and analysis, contact ZenGRC to schedule a demo.
