Log management and ISO 27001

Transcription

1 Log management and ISO Rakesh Maheshwari STQC Directorate Department of Information Technology Ministry of Communications & IT

2 Log management Log management is the process of generating, analyzing, and storing logs. Organizations which develop best practices in log management will get timely analysis of their security profile for security operations, ensure that logs are kept in sufficient detail for the appropriate period of time to meet audit and compliance requirements, and have reliable evidence for use in investigations. Ver 1.0 ISO and Log Management 2

3 Why should we discuss ISO Reference IT Act Notification dtd 11th April, 2011 G.S.R. 313(E) : Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, Para 8 deals with Reasonable Security Practices and Procedures and states that if an organisation have implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business then this organisation in a way complies with reasonable security practices and procedures. In the event of an information security breach, the organisation shall be required to demonstrate, that they have implemented security control measures as per their documented information security programme and information security policies. It further states that IS/ISO/IEC is one such standard. Ver 1.0 ISO and Log Management 3

4 ISO/ IEC : 2005 A specification (specifies requirements for implementing, operating, monitoring, reviewing, maintaining & improving a documented ISMS) Specifies the requirements of implementing of Security control, customised to the needs of individual organisation or part thereof. Used as a basis for certification Ver 1.0 ISO and Log Management

5 ISO requirements Requirements contained in the ISMS framework (Sections 4-8) ISMS control requirements (Annexure A) Ver 1.0 ISO and Log Management 5

6 ISMS control requirements - Annexure A : Control objectives & controls A.5 Security Policy A.6 Organization of Information Security A.7 Asset Management A.8 Human A.9 Physical & A.10 Communications A.12 Info. Systems Resources environmental & operations Acquisition Security security management development & A.11 Access control A.13 Information Security Incident Management A.14 Business Continuity Management A.15 Compliance maintenance Ver 1.0 ISO and Log Management

7 ISMS process framework requirements : Clause Information Security Management System 4.2 Establishing and managing g the ISMS 4.3 Documentation requirements Document Control Plan Record Control 5. Management Responsibility 6. Internal ISMS Audits 7. Management Review of the ISMS Check Do 8. ISMS Improvements Act Ver 1.0 ISO and Log Management

8 Log management Requirements as stated in ISO 27001

9 Communications and Operations ISO/IEC 27001:2005 Comments Full llcontrol Objective dedicated di d to logs. 9

10 Communications and Operations Mgmt ISO/IEC 27001:2005 Comments Objectives of this control is to ensure correct and secure operation of information processing facilities. A Doer and the approver will be different. A centralised Sys Log services are recommended. 10

11 Communications and Operations Mgmt ISO/IEC 27001: Comments System Planning and acceptance reduces the risk of system failure. 11

12 Communications and Operations Mgmt ISO/IEC 27001: Comments Logs of Virus detected and outbreak Incident provides sufficient information about the effectiveness of the Antivirus on Systems and gateway. 12

13 Human Resource Security ISO/IEC 27001:

14 Physical and Environmental Security ISO/IEC 27001:

15 Access Control ISO/IEC 27001: Comments Verification of User Creation, Rights grant and removal of rights from logs. 15

16 Incident management ISO/IEC 27001: Comments Information obtained from analysis of various logs provides information about the security events and weakness. 16

17 Incident management ISO/IEC 27001:2005 Comments Recording of fincidents by analyzing the logs. 17

18 Compliance ISO/IEC 27001:

19 Clause: Framework Part ISO/IEC 27001: Comments Measurement of effectiveness of controls : eg To check the effectiveness of IPS, logs of the webserver can be seen; It will provide information about effectiveness of IPS. 19

20 Clause: Framework Part ISO/IEC 27001: Comments 20

21 Clause: Framework Part ISO/IEC 27001: Comments 21

22 Clause: Framework Part ISO/IEC 27001: Comments 22

23 Clause: Framework Part ISO/IEC 27001: Comments 23

24 Information Lifecycle and Log Management Information Life Cycle Information can be : Created Stored Destroyed d? Processed Transmitted Copied Used (for proper and improper purposes) Lost! Corrupted! 24

25 Log Management Policies, Procedures and Technology Policies provide management direction for the log management activities and should clearly define mandatory requirements for log generation, analysis, retention ti and storage and security. They should be created in conjunction with a plan for the procedures and technology that are needed to implement and maintain the policies. A comprehensive set of best practices in log management includes the following categories: Log management policy, procedures and technology Log generation Log retention and storage Log analysis Log protection and security Ver 1.0 ISO and Log Management 25

26 The Need for Best Practices in Log Management Businesses face a number of challenges that make best practices in log management an essential part of an overall enterprise IT security strategy: The huge number and variety of systems generating logs The volume of logged data The changing threat landscape The more stringent regulatory requirements The increasing number of stakeholders The uncertainties of future regulatory and legal issues Ver 1.0 ISO and Log Management 26

27 Why do Logs Matter for Security and Compliance? Without sufficient collection, regular review and long-term retention of logs, g,your organization will not be in compliance with regulations nor able to properly protect its information assets. Logs provide a way to monitor your systems and keep a record of security events, information access and user activities. In some cases, event logging may have to be barred because of privacy reasons Ver 1.0 ISO and Log Management 27

28 Summary ISO implementation requires a well conceived Log management Policies, Procedures and Technology Most of the controls and framework requirements requirement a proper Log management. Control through Logs is predominantly a detective and a deterrence control. An well planned and executed Log management can help in effective implementation ti of ISMS. Ver 1.0 ISO and Log Management 28

29 Ver 1.0 ISO and Log Management 29