
Log management and ISO 27001

Rakesh Maheshwari
STQC Directorate
Department of Information Technology
Ministry of Communications & IT
rakesh@mit.gov.in
Log management

 Log management is the process of generating, analyzing,
and storing logs.
 Organizations which develop best practices in log
management will get timely analysis of their security
profile for security operations, ensure that logs are kept in
sufficient detail for the appropriate period of time to meet
audit and compliance requirements, and have reliable
evidence for use in investigations.

Ver 1.0 ISO 27001 and Log Management 2


Why should we discuss ISO 27001
 Reference IT Act Notification dtd 11th April, 2011
 G.S.R. 313(E) : Information Technology (Reasonable security practices and
procedures and sensitive personal data or information) Rules, 2011.
 Para 8 deals with “Reasonable Security Practices and Procedures” and
states that if an organisation has implemented such security practices and
standards and has a comprehensive documented information security
programme and information security policies that contain managerial, technical,
operational and physical security control measures that are commensurate with
the information assets being protected and with the nature of business, then the
organisation in a way complies with reasonable security practices and
procedures. In the event of an information security breach, the organisation
shall be required to demonstrate that they have implemented security control
measures as per their documented information security programme and
information security policies.
 It further states that IS/ISO/IEC 27001 is one such standard.



ISO/IEC 27001 : 2005
 A specification (specifies requirements for implementing,
operating, monitoring, reviewing, maintaining &
improving a documented ISMS)
 Specifies the requirements for implementing security
controls, customised to the needs of the individual
organisation or part thereof.
 Used as a basis for certification



ISO 27001 requirements

 Requirements contained in the ISMS framework (Sections 4-8)
 ISMS control requirements (Annexure A)



ISMS control requirements - Annexure A : Control objectives & controls

A.5 Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human Resources Security
A.9 Physical & environmental security
A.10 Communications & operations management
A.11 Access control
A.12 Info. Systems Acquisition, development & maintenance
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance



ISMS process framework requirements :
Clause 4-8

4. Information Security Management System
– 4.2 Establishing and managing the ISMS
– 4.3 Documentation requirements
• Document Control
• Record Control
5. Management Responsibility
6. Internal ISMS Audits
7. Management Review of the ISMS
8. ISMS Improvements

(Figure: Plan, Do, Check, Act cycle)



Log management Requirements as stated in ISO 27001
Communications and Operations
ISO/IEC 27001:2005

Comments
Full Control Objective dedicated to logs.



Communications and Operations Mgmt

ISO/IEC 27001:2005

Comments
The objective of this control is to ensure correct and secure operation of information
processing facilities.
A10.1.3 The doer and the approver will be different. A centralised Sys Log service is
recommended.
Communications and Operations Mgmt
ISO/IEC 27001:2005

Comments
System planning and acceptance reduces the risk of system failure.



Communications and Operations Mgmt
ISO/IEC 27001:2005

Comments
Logs of virus detections and outbreak incidents provide sufficient information about the
effectiveness of the antivirus on systems and the email gateway.



Human Resource Security
ISO/IEC 27001:2005



Physical and Environmental Security
ISO/IEC 27001:2005



Access Control
ISO/IEC 27001:2005

Comments
Verification of user creation, rights grant and removal of rights
from logs.
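One way to carry out such a verification from logs, as an added example that is not part of the original slides: a small Python script parses constructed sudo entries from a Linux auth.log, extracts user creation, rights grant and rights removal events together with the acting administrator, and flags any grant where the doer is also the beneficiary (the doer/approver separation noted under A.10.1.3 above). The log lines and account names are constructed samples; the command-line forms of useradd, usermod -aG, gpasswd -d and userdel are assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample auth.log lines (not taken from any real system).
SAMPLE_LOG = """\
Mar  3 10:15:01 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m bob
Mar  3 10:16:12 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo bob
Mar  3 11:00:00 srv1 sudo:    carol : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/gpasswd -d bob sudo
Mar  3 11:30:00 srv1 sudo:    dave : TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo dave
Mar  3 12:00:00 srv1 sshd[3101]: Accepted publickey for bob from 10.0.0.5 port 50022 ssh2
"""

# Matches the syslog-style sudo line: timestamp, host, invoking account, command run.
SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sudo:\s+(?P<actor>\S+) : .*COMMAND=(?P<cmd>.+)$")

@dataclass
class Event:
    ts: str
    actor: str   # account that ran the privileged command (the doer)
    action: str  # create / grant / revoke / delete
    target: str  # account being created or whose rights changed
    detail: str

def parse_event(line):
    """Return an Event for account-management commands, None for anything else."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    argv = m["cmd"].split()
    tool = argv[0].rsplit("/", 1)[-1]          # strip the /usr/sbin/ prefix
    if tool == "useradd":
        return Event(m["ts"], m["actor"], "create", argv[-1], "new account")
    if tool == "usermod" and "-aG" in argv:
        group = argv[argv.index("-aG") + 1]
        return Event(m["ts"], m["actor"], "grant", argv[-1], f"added to group {group}")
    if tool == "gpasswd" and "-d" in argv:
        i = argv.index("-d")                   # gpasswd -d <user> <group>
        return Event(m["ts"], m["actor"], "revoke", argv[i + 1], f"removed from group {argv[i + 2]}")
    if tool == "userdel":
        return Event(m["ts"], m["actor"], "delete", argv[-1], "account deleted")
    return None

def audit(log_text):
    """Extract account-management events and flag self-granted rights."""
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e]
    # Separation of doer and approver: nobody should grant rights to their own account.
    violations = [e for e in events if e.action == "grant" and e.actor == e.target]
    return events, violations

if __name__ == "__main__":
    evts, bad = audit(SAMPLE_LOG)
    for e in evts:
        print(f"{e.ts}  {e.actor:<6} {e.action:<7} {e.target:<6} {e.detail}")
    for e in bad:
        print(f"VIOLATION: {e.actor} granted rights to own account at {e.ts}")
```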



Incident management
ISO/IEC 27001:2005

Comments
Information obtained from analysis of various logs provides
information about security events and weaknesses.
Incident management
ISO/IEC 27001:2005

Comments
Recording of incidents by analyzing the logs.
Compliance
ISO/IEC 27001:2005



Clause: Framework Part
ISO/IEC 27001:2005

Comments
Measurement of effectiveness of controls : e.g. to check the effectiveness of an IPS,
the IPS logs of the webserver can be examined; they will provide information about the
effectiveness of the IPS.
Clause: Framework Part
ISO/IEC 27001:2005

Comments



Clause: Framework Part
ISO/IEC 27001:2005

Comments



Clause: Framework Part
ISO/IEC 27001:2005

Comments



Clause: Framework Part
ISO/IEC 27001:2005

Comments



Information Lifecycle and Log Management

Information Life Cycle

Information can be :

Created, Stored, Destroyed?
Processed, Transmitted, Copied
Used – (for proper and improper purposes)
Lost! Corrupted!



Log Management Policies, Procedures and Technology
 Policies provide management direction for the log management
activities and should clearly define mandatory requirements for log
generation, analysis, retention and storage, and security. They should
be created in conjunction with a plan for the procedures and
technology that are needed to implement and maintain the policies.
 A comprehensive set of best practices in log management includes
the following categories:
– Log management policy, procedures and technology
– Log generation
– Log retention and storage
– Log analysis
– Log protection and security



The Need for Best Practices in Log Management
 Businesses face a number of challenges that make best
practices in log management an essential part of an
overall enterprise IT security strategy:
– The huge number and variety of systems generating logs
– The volume of logged data
– The changing threat landscape
– The more stringent regulatory requirements
– The increasing number of stakeholders
– The uncertainties of future regulatory and legal issues



Why do Logs Matter for Security and Compliance?
 Without sufficient collection, regular review and long-term
retention of logs, your organization will not be in
compliance with regulations nor able to properly protect
its information assets. Logs provide a way to monitor your
systems and keep a record of security events, information
access and user activities.
 In some cases, event logging may have to be barred
because of privacy reasons.



Summary

 ISO 27001 implementation requires well-conceived
log management policies, procedures and technology.
 Most of the controls and framework requirements
require proper log management.
 Control through logs is predominantly a detective
and a deterrence control.
 A well planned and executed log management can
help in effective implementation of the ISMS.



