Creative Use of System Logs to Ensure Policy Compliance

Organizations that need to minimize the risks associated with managing technology infrastructure implement robust policies on access management, change management and the like.

Having robust and well understood policies is important and expected of most organizations.  However, regulators such as the FFIEC expect financial institutions to go further and apply detective controls that affirmatively identify policy violations wherever possible.

Application, system and security logs can be a key control mechanism for identifying policy violations.  Consider a situation where an organization wants to enforce a policy that administrators only log in to a system when a Change or Trouble Ticket has been opened and assigned to that person.

First, the system must be sending its logs to a central log server to which the administrator has no access, so that the administrator cannot tamper with the logs.

Next, when an administrator logs in to a system, a log entry will be stored on the log server.

Finally, a script runs periodically (daily or weekly) on the log server, looking for all login records.  The script attempts to reconcile each login entry with a trouble or change ticket that was open and assigned to that user at the time of the login, which requires that the log server and the ticketing system keep synchronized clocks and that the policy define how much leeway (if any) is allowed around a ticket's open and close times.  Logins that have no corresponding ticket are deviations from the policy.
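The reconciliation step above, as an added example (not code from the original article). It assumes successful logins arrive on the log server as syslog-style OpenSSH `Accepted ... for <user>` lines with ISO timestamps (real collectors may use a different timestamp format, so the regex is an assumption to adjust), and that the ticketing system can export tickets as (id, assignee, opened, closed) rows. Both the log lines and the tickets below are constructed sample data.

```python
"""Reconcile administrator logins against change/trouble tickets.

Added example, not from the original article. Assumptions:
- successful logins are OpenSSH "Accepted" lines in a syslog-style format
  with ISO-8601 timestamps (adjust LOGIN_RE for your collector),
- tickets are exported as (ticket_id, assignee, opened, closed) rows,
  with closed=None for tickets that are still open.
A login is compliant only if a ticket assigned to that user was open
at the moment of the login (plus an optional grace period after closure).
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines as they might appear on the central log server.
SAMPLE_LOG = """\
2024-03-04T09:12:41 db01 sshd[2211]: Accepted publickey for alice from 10.0.1.5 port 51522 ssh2
2024-03-04T22:47:03 db01 sshd[3990]: Accepted password for bob from 10.0.1.9 port 40112 ssh2
2024-03-05T10:05:17 web02 sshd[1120]: Accepted publickey for alice from 10.0.1.5 port 51530 ssh2
2024-03-05T10:06:00 web02 sshd[1122]: Failed password for root from 10.0.9.9 port 2222 ssh2
"""

# Constructed sample ticket export: (id, assignee, opened, closed-or-None).
SAMPLE_TICKETS = [
    ("CHG-1001", "alice", "2024-03-04T08:00:00", "2024-03-04T12:00:00"),
    ("INC-2042", "bob",   "2024-03-05T08:00:00", None),
]

# Only successful logins matter for this policy; failed attempts are ignored here.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_logins(text):
    """Yield (timestamp, host, user, source) for every successful login line."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"])


def parse_tickets(rows):
    """Group tickets by assignee, converting timestamps to datetime objects."""
    by_user = {}
    for tid, user, opened, closed in rows:
        by_user.setdefault(user, []).append(
            (tid, datetime.fromisoformat(opened),
             datetime.fromisoformat(closed) if closed else None))
    return by_user


def covering_ticket(tickets_for_user, when, grace):
    """Return the id of a ticket that was open at `when`, or None.

    `grace` lets a login shortly after the ticket was closed still count
    (tickets are often closed before the admin actually logs out); the policy
    decides whether that leeway is zero or more.
    """
    for tid, opened, closed in tickets_for_user:
        if opened <= when and (closed is None or when <= closed + grace):
            return tid
    return None


def reconcile(log_text, ticket_rows, grace_hours=1.0):
    """Return a list of logins with no open, assigned ticket (policy deviations)."""
    tickets = parse_tickets(ticket_rows)
    grace = timedelta(hours=grace_hours)
    violations = []
    for when, host, user, src in parse_logins(log_text):
        if covering_ticket(tickets.get(user, []), when, grace) is None:
            violations.append({"when": when.isoformat(), "host": host,
                               "user": user, "src": src})
    return violations


if __name__ == "__main__":
    for v in reconcile(SAMPLE_LOG, SAMPLE_TICKETS):
        print(f"VIOLATION {v['when']} {v['user']}@{v['host']} from {v['src']}: no open ticket")
```

On the sample data this reports two deviations: bob's late-night login on db01 happens before his incident ticket was opened, and alice's second login on web02 comes the day after her change ticket was closed. Her first login falls inside CHG-1001's window and is compliant. Matching is done per user and per timestamp rather than per day, which is what catches the "ticket opened after the fact" case.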

This is just one small example of the kind of detective control that mature organizations should have in place for managing their infrastructure.