22.10 Log Monitoring and Management
The purpose of this policy is to assist IT in understanding the need for log management. This section provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices. The scope of this policy covers establishing log management infrastructures, and developing and performing robust log management processes throughout IT. Logs contain a wide variety of information on the events occurring within systems and networks.
a) IT should maintain the following categories of logs:
(i) Security software logs
(ii) Operating system logs
(iii) Application logs
b) IT must ensure that log records are stored in sufficient detail for an appropriate period of time.
c) Routine log reviews and analysis must be performed to identify security incidents, policy violations, fraudulent activity, and operational problems shortly after they have occurred, and to support auditing and forensic analysis.
d) Separation of roles is to be considered between the person(s) undertaking the review and those monitoring the logs.
e) IT Security should submit a monthly report to management detailing the security incidents detected by all network security devices.
f) IT Security should compare the incidents occurring in the previous two months for trend analysis.
g) IT Security reserves the right to verify if intrusion detection is being monitored and reported as per the service level agreements with the outsourced vendor.
h) Security logs of systems, applications and network devices must be regularly reviewed for anomalies.
i) System logs must be adequately protected and retained to facilitate investigation if need be. Legal and regulatory requirements should be taken into consideration when determining the log retention period.
j) System logs that capture system administrative activities must be reviewed.
k) All information that captures operator’s console and system activity must be adequately logged and regularly reviewed by designated supervisory staff.