Log review and management

Overview

Purpose:

• Communicate potential risks to stakeholder.
• Communicate rationale for security-relevant decisions to stakeholder.

Role:

• who typically does this

Frequency:

Log Review Tips

Critical systems require at least daily log review, however, what types of logs/activities should we pay attention to?

1. Consecutive login failure especially in non-office hour.

2. Login in non-office hour.

3. Authority change, addition and removal. Check them against with authorized application.

4. Any system administrator's activities

5. Any unknown workstation/server are plugged into the network?

6. Logs removal/log overwritten/log size is full

7. Pay more attention to the log reports after week-end and holiday

8. Any account unlocked/password reset by system administrators without authorized forms?

Log Standard

In fact, we are suffering various log format and standard from various systems even we are working in-house or act as a consultant. Why don't we produce a standard/guidelines to developer before they design the user administrative and audit trail functions to fulfill security control.

Functions:-

• Search - By date and time, by event type, by criticality, by account/user ID, by department

• Sorting - By date and time, by event type, by criticality, by account/user ID, by department

• Paging (Optional)

• Critical event is marked by "*"

• Show expired and inactive accounts (for example: 90 days)

Mandatory Fields:-

• User ID and Name

• Activity Date/Timestamp

• Activity Type and Description

• Terminal IP address and Location

User Account List:-

• User Info - Name, Department, Role

• Last Accessed Time

• Account Creation Date/Time

• Current Authority and Role

• Account authority and information change history

Subactivity 3

Describe the subactivity here