Log Management Checklist for HIPAA, PCI DSS, SOX and FISMA
| No | Area | Control |
| 1 | Log generation | Which types of hosts must or should perform logging |
| Which host components must or should perform logging (e.g., OS, service, application) | ||
| Which types of events each component must or should log (e.g., security events, network connections, authentication attempts) | ||
| Which data characteristics must or should be logged for each type of event (e.g., username and source IP address for authentication attempts) | ||
| How frequently each type of event must or should be logged (e.g., every occurrence, once for all instances in x minutes, once for every x instances, every instance after x instances | ||
| 2 | Log transmission | Which types of hosts must or should transfer logs to a log management infrastructure |
| Which types of entries and data characteristics must or should be transferred from individual hosts to a log management infrastructure | ||
| How log data must or should be transferred (e.g., which protocols are permissible), including out-of-band methods where appropriate (e.g., for standalone systems) | ||
| How frequently log data should be transferred from individual hosts to a log management infrastructure (e.g., real-time, every 5 minutes, every hour) | ||
| How the confidentiality, integrity, and availability of each type of log data must or should be protected while in transit, including whether a separate logging network should be used | ||
| 3 | Log storage and disposa | How often logs should be rotated |
| How the confidentiality, integrity, and availability44 of each type of log data must or should be protected while in storage (at both the system level and the infrastructure level) | ||
| How long each type of log data must or should be preserved (at both the system level and the infrastructure level)46 | ||
| How unneeded log data must or should be disposed of (at both the system level and the infrastructure level) | ||
| How much log storage space must or should be available (at both the system level and the infrastructure level) | ||
| How log preservation requests, such as a legal requirement to prevent the alteration and destruction of particular log records, must be handled (e.g., how the impacted logs must be marked, stored, and protected) | ||
| 4 | Log analysis | How often each type of log data must or should be analyzed (at both the system level and the infrastructure level) |
| Who must or should be able to access the log data (at both the system level and the infrastructure level), and how such accesses should be logged | ||
| What must or should be done when suspicious activity or an anomaly is identified47 | ||
| How the confidentiality, integrity, and availability of the results of log analysis (e.g., alerts, reports) must or should be protected while in storage (at both the system level and the infrastructure level) and in transit | ||
| How inadvertent disclosures of sensitive information recorded in logs, such as passwords or the contents of e-mails, should be handled. |
Share:
Subscribe to Service news feed
