Log management and ISO 27001 Rakesh Maheshwari STQC Directorate Department of Information Technology Ministry of Communications & IT rakesh@mit.gov.in
Log management
Log management is the process of generating, analyzing, and storing logs. Organizations that develop best practices in log management get timely analysis of their security posture for security operations, keep logs in sufficient detail for the period needed to meet audit and compliance requirements, and hold reliable evidence for use in investigations.
Ver 1.0 ISO 27001 and Log Management 2
Why should we discuss ISO 27001?
Reference: IT Act Notification dated 11th April, 2011, G.S.R. 313(E): Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
Para 8 deals with Reasonable Security Practices and Procedures. It states that an organisation that has implemented such security practices and standards, and has a comprehensive documented information security programme and information security policies containing managerial, technical, operational and physical security control measures commensurate with the information assets being protected and with the nature of the business, is deemed to comply with reasonable security practices and procedures. In the event of an information security breach, the organisation shall be required to demonstrate that it has implemented security control measures as per its documented information security programme and information security policies. It further states that IS/ISO/IEC 27001 is one such standard.
ISO/IEC 27001:2005
A specification: it specifies the requirements for implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS.
It specifies the requirements for implementing security controls, customised to the needs of the individual organisation or part thereof.
It is used as the basis for certification.
ISO 27001 requirements
Requirements contained in the ISMS framework (Clauses 4-8)
ISMS control requirements (Annexure A)
ISMS control requirements, Annexure A: Control objectives and controls
A.5 Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human Resources Security
A.9 Physical and Environmental Security
A.10 Communications and Operations Management
A.11 Access Control
A.12 Information Systems Acquisition, Development and Maintenance
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance
ISMS process framework requirements: Clauses 4-8 (the Plan-Do-Check-Act cycle)
4. Information Security Management System
4.2 Establishing and managing the ISMS (Plan, Do)
4.3 Documentation requirements: document control, record control
5. Management Responsibility
6. Internal ISMS Audits (Check)
7. Management Review of the ISMS (Check)
8. ISMS Improvements (Act)
Log management Requirements as stated in ISO 27001
Communications and Operations Management (ISO/IEC 27001:2005)
Comments: A full control objective is dedicated to logs: A.10.10 Monitoring, which covers audit logging, monitoring of system use, protection of log information, administrator and operator logs, fault logging and clock synchronisation.
Communications and Operations Management (ISO/IEC 27001:2005)
Comments: The objective of this control is to ensure the correct and secure operation of information processing facilities. A.10.1.3, Segregation of duties: the doer and the approver must be different people, and the logs should make both identifiable. A centralised syslog service is recommended, so that a host administrator cannot alter the record of his or her own actions.
Communications and Operations Management (ISO/IEC 27001:2005)
Comments: System planning and acceptance (A.10.3) reduces the risk of system failure; capacity and acceptance logs are the evidence that it is being done.
Communications and Operations Management (ISO/IEC 27001:2005)
Comments: Logs of virus detections and outbreak incidents provide sufficient information about the effectiveness of the antivirus on systems and on the email gateway.
Human Resource Security (ISO/IEC 27001:2005)
Physical and Environmental Security (ISO/IEC 27001:2005)
Access Control (ISO/IEC 27001:2005)
Comments: Verification from the logs of user creation, granting of rights and removal of rights, so that every account and privilege change can be matched to an authorised request.
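The verification described in the Access Control comment above, combined with the segregation-of-duties check from the Communications and Operations Management comment, can be done by a script. The following Python code is an added example, not part of the original presentation: it extracts account creation, group-rights grants and deletions from constructed Linux auth.log lines (sudo and shadow-utils message formats), attributes each change to the operator named in the preceding sudo line, and reconciles them against a hypothetical change register. A change with no register entry is reported as unapproved; a change whose approver is the same person who executed it is reported as a segregation-of-duties failure. The log lines, the register and all user names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of Linux /var/log/auth.log lines (sudo and shadow-utils
# message formats). Invented for this example, not taken from a real host.
AUTH_LOG = """\
Mar 12 09:14:02 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m jdoe
Mar 12 09:14:02 srv01 useradd[2231]: new user: name=jdoe, UID=1005, GID=1005, home=/home/jdoe, shell=/bin/bash
Mar 12 09:14:30 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo jdoe
Mar 12 09:14:30 srv01 usermod[2240]: add 'jdoe' to group 'sudo'
Mar 12 09:15:01 srv01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -m tmpadmin
Mar 12 09:15:01 srv01 useradd[2251]: new user: name=tmpadmin, UID=1006, GID=1006, home=/home/tmpadmin, shell=/bin/bash
Mar 12 09:15:20 srv01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo tmpadmin
Mar 12 09:15:20 srv01 usermod[2260]: add 'tmpadmin' to group 'sudo'
Mar 12 17:40:11 srv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/userdel -r jdoe
Mar 12 17:40:11 srv01 userdel[3310]: delete user 'jdoe'
"""

# Hypothetical change register: what the approval workflow recorded.
# "approved_by" is the approver; the log tells us who actually did the change.
APPROVED_CHANGES = [
    {"account": "jdoe",     "action": "create",     "approved_by": "carol"},
    {"account": "jdoe",     "action": "grant:sudo", "approved_by": "carol"},
    {"account": "jdoe",     "action": "delete",     "approved_by": "carol"},
    {"account": "tmpadmin", "action": "create",     "approved_by": "bob"},
    # deliberately no record for tmpadmin being added to the sudo group
]

SUDO_RE    = re.compile(r" sudo:\s+(\S+) : .*COMMAND=")
USERADD_RE = re.compile(r" useradd\[\d+\]: new user: name=([^,]+),")
USERMOD_RE = re.compile(r" usermod\[\d+\]: add '([^']+)' to group '([^']+)'")
USERDEL_RE = re.compile(r" userdel\[\d+\]: delete user '([^']+)'")

@dataclass
class AccountEvent:
    timestamp: str
    operator: str   # who ran the command, taken from the preceding sudo line
    account: str
    action: str     # "create", "grant:<group>" or "delete"

def parse_account_events(log_text: str) -> List[AccountEvent]:
    """Pull account-lifecycle events out of auth.log text.

    shadow-utils logs the change but not who asked for it; the sudo line
    logged just before it names the operator, so that name is carried forward.
    """
    events: List[AccountEvent] = []
    operator = "?"           # unknown until a sudo line has been seen
    for line in log_text.splitlines():
        ts = line[:15]       # syslog timestamp, e.g. "Mar 12 09:14:02"
        if m := SUDO_RE.search(line):
            operator = m.group(1)
        elif m := USERADD_RE.search(line):
            events.append(AccountEvent(ts, operator, m.group(1), "create"))
        elif m := USERMOD_RE.search(line):
            events.append(AccountEvent(ts, operator, m.group(1), f"grant:{m.group(2)}"))
        elif m := USERDEL_RE.search(line):
            events.append(AccountEvent(ts, operator, m.group(1), "delete"))
    return events

def audit_account_changes(log_text: str, approved: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Reconcile logged account changes against the change register.

    Returns (account, action, finding) where finding is "OK", "UNAPPROVED"
    (no matching change record) or "SOD" (the approver is the same person
    who executed the change, so doer and approver were not different).
    """
    findings = []
    for ev in parse_account_events(log_text):
        record = next((a for a in approved
                       if a["account"] == ev.account and a["action"] == ev.action), None)
        if record is None:
            findings.append((ev.account, ev.action, "UNAPPROVED"))
        elif record["approved_by"] == ev.operator:
            findings.append((ev.account, ev.action, "SOD"))
        else:
            findings.append((ev.account, ev.action, "OK"))
    return findings

if __name__ == "__main__":
    for account, action, finding in audit_account_changes(AUTH_LOG, APPROVED_CHANGES):
        print(f"{finding:10} {account:10} {action}")
```

On the constructed input, jdoe's three changes reconcile cleanly, tmpadmin's creation is flagged because bob both approved and performed it, and tmpadmin's addition to the sudo group has no register entry at all. Attributing a shadow-utils event to the nearest preceding sudo line is a heuristic; on a busy host, match on PID or timestamp as well, and run the check on the central syslog copy rather than on the host, since the operator being audited is usually root there.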
Incident Management (ISO/IEC 27001:2005)
Comments: Information obtained from analysis of the various logs identifies security events and weaknesses.
Incident Management (ISO/IEC 27001:2005)
Comments: Recording of incidents by analysing the logs.
Compliance (ISO/IEC 27001:2005)
Clause: Framework Part (ISO/IEC 27001:2005)
Comments: Measurement of effectiveness of controls. For example, to check the effectiveness of an IPS, the logs of the web server behind it can be examined: attack requests that the IPS should have blocked but that still appear in the web server's access log show where the IPS is not effective.
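The IPS check above can be automated. The following Python script is an added example, not from the presentation: it reads constructed web server access-log lines in the Apache/Nginx combined format, URL-decodes each request target, and matches it against a small set of signatures (path traversal, SQL injection, cross-site scripting) that the IPS in front of the server is expected to block. Every match is a request the IPS let through, so the counts per signature and per source are a direct measure of its effectiveness. The log lines, the signature set and the addresses are assumptions made for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed web server access-log lines (Apache/Nginx "combined" format).
# Invented for this example; the addresses are documentation ranges.
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2011:10:02:11 +0530] "GET /index.php?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2011:10:02:15 +0530] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 9871 "-" "sqlmap/1.0"
198.51.100.23 - - [12/Mar/2011:10:03:40 +0530] "GET /../../etc/passwd HTTP/1.1" 404 221 "-" "curl/7.21"
198.51.100.23 - - [12/Mar/2011:10:03:42 +0530] "GET /cgi-bin/test.cgi?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1402 "-" "curl/7.21"
192.0.2.55 - - [12/Mar/2011:10:05:01 +0530] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2011:10:05:09 +0530] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
"""

# Request patterns the IPS in front of the web server is expected to block.
# If any of these reach the web server, the access log records them and the
# IPS missed. Signatures are applied to the URL-decoded target, because
# encoded payloads (..%2F, %27) are the usual way past naive matching.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli":           re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "xss":            re.compile(r"<script", re.I),
}

# ip, ident, user, [timestamp], "method target protocol", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify_request(target: str) -> str:
    """Return the name of the first signature that matches, or '' for a clean request."""
    decoded = unquote(target)
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return name
    return ""

def ips_misses(log_text: str) -> Dict[str, object]:
    """Scan access-log lines for attacks that got past the IPS.

    Returns the count per signature, the count per source address, and the
    list of offending (ip, method, target, status) tuples. Status 200 on an
    attack line means the application actually served the request.
    """
    by_sig: Counter = Counter()
    by_src: Counter = Counter()
    hits: List[Tuple[str, str, str, int]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # not a combined-format line; skip rather than guess
        ip, _ts, method, target, status = m.groups()
        sig = classify_request(target)
        if sig:
            by_sig[sig] += 1
            by_src[ip] += 1
            hits.append((ip, method, target, int(status)))
    return {"by_signature": dict(by_sig), "by_source": dict(by_src), "hits": hits}

if __name__ == "__main__":
    report = ips_misses(ACCESS_LOG)
    print("attacks that reached the web server:", report["by_signature"])
    for ip, method, target, status in report["hits"]:
        print(f"  {status} {ip:15} {method} {target}")
```

On the constructed input four of the six requests are attacks that reached the web server, three of them answered with status 200. A request the IPS blocks never appears in the web server log, so this measures misses only; pair it with the IPS's own block log to get a blocked-to-missed ratio, and keep the signature list aligned with what the IPS is actually configured to block, otherwise the number says nothing about the IPS.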
Information Lifecycle and Log Management
Information Life Cycle. Information can be:
Created
Stored
Processed
Transmitted
Copied
Used (for proper and improper purposes)
Destroyed?
Lost!
Corrupted!
Log Management Policies, Procedures and Technology
Policies provide management direction for log management activities and should clearly define mandatory requirements for log generation, analysis, retention and storage, and security. They should be created together with a plan for the procedures and technology needed to implement and maintain them. A comprehensive set of best practices in log management covers the following categories:
Log management policy, procedures and technology
Log generation
Log retention and storage
Log analysis
Log protection and security
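For the "log protection and security" category, the following Python code is an added example, not from the presentation: it stores each log line in a hash chain, where every entry carries an HMAC-SHA256 tag computed over its sequence number, the previous entry's tag and the line, under a key assumed to be held only by the central log collector. Modifying, reordering or deleting an entry after the fact changes the expected tag, and verification reports the first entry that no longer matches. The key and the log lines are constructed for the example.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64   # "previous tag" for the first entry of a fresh chain

def _entry_tag(key: bytes, seq: int, prev_tag: str, line: str) -> str:
    """HMAC-SHA256 over (sequence number, previous tag, log line).

    Including prev_tag links each entry to its predecessor; including seq
    stops an attacker from deleting an entry in the middle and closing the gap.
    """
    msg = json.dumps([seq, prev_tag, line], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_entry(chain: List[dict], key: bytes, line: str) -> dict:
    """Append a log line to the chain, tagging it with the collector's key."""
    seq = len(chain)
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev_tag, "line": line,
             "tag": _entry_tag(key, seq, prev_tag, line)}
    chain.append(entry)
    return entry

def verify_chain(chain: List[dict], key: bytes) -> Optional[int]:
    """Walk the chain from the start and return the index of the first entry
    that fails (modified line, wrong predecessor, gap in the sequence numbers
    or bad tag), or None if every entry verifies."""
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev_tag:
            return i
        expected = _entry_tag(key, i, prev_tag, entry["line"])
        if not hmac.compare_digest(entry["tag"], expected):
            return i
        prev_tag = entry["tag"]
    return None

def head_tag(chain: List[dict]) -> str:
    """Tag of the newest entry. Forward or publish this periodically so that
    silently truncating the tail is also detectable: verify_chain alone
    cannot notice entries removed from the end."""
    return chain[-1]["tag"] if chain else GENESIS

if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"   # assumed to live only on the log collector
    chain: List[dict] = []
    for line in ("Mar 12 09:14:02 srv01 useradd[2231]: new user: name=jdoe",
                 "Mar 12 09:14:30 srv01 usermod[2240]: add 'jdoe' to group 'sudo'",
                 "Mar 12 17:40:11 srv01 userdel[3310]: delete user 'jdoe'"):
        append_entry(chain, key, line)
    print("intact chain:", verify_chain(chain, key))                      # None
    edited = copy.deepcopy(chain)
    edited[1]["line"] = edited[1]["line"].replace("sudo", "users")        # rewriting history
    print("edited entry 1:", verify_chain(edited, key))                   # 1
    print("entry 1 deleted:", verify_chain([chain[0], chain[2]], key))    # 1
```

The checker walks from the first entry, so it detects edits and deletions in the middle but not removal of the most recent entries; anchoring the head tag somewhere the host administrator cannot reach (the central collector, or a periodic write-once export) closes that gap. This is also why the centralised syslog recommendation earlier is a control rather than a convenience: the host administrator can edit local files, but not the collector's copy or its key.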
The Need for Best Practices in Log Management
Businesses face a number of challenges that make best practices in log management an essential part of an overall enterprise IT security strategy:
The huge number and variety of systems generating logs
The volume of logged data
The changing threat landscape
More stringent regulatory requirements
The increasing number of stakeholders
The uncertainties of future regulatory and legal issues
Why do Logs Matter for Security and Compliance?
Without sufficient collection, regular review and long-term retention of logs, your organization will neither be in compliance with regulations nor able to properly protect its information assets. Logs provide a way to monitor your systems and keep a record of security events, information access and user activity. In some cases, event logging may have to be limited or barred for privacy reasons, so the log management policy must say what personal data may be logged and for how long.
Summary
ISO 27001 implementation requires well-conceived log management policies, procedures and technology.
Most of the controls and framework requirements need proper log management.
Control through logs is predominantly a detective and deterrent control, not a preventive one.
Well-planned and well-executed log management supports effective implementation of the ISMS.