ISO 27001

ISO 27001 Annex : A.18.1.3, A.18.1.4 and A.18.1.5

This article explains the ISO 27001 Annex A controls A.18.1.3 Protection of Records, A.18.1.4 Privacy and Protection of Personally Identifiable Information and A.18.1.5 Regulation of Cryptographic Controls.

A.18.1.3 Protection of Records

Control- Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.

Implementation Guidance- When deciding how to protect specific organizational records, the corresponding classification from the organization's classification scheme should be taken into account. Records should be categorized into record types, such as accounting records, database records, transaction records, audit logs and operating procedures, each with details of the retention period and the type of storage media permitted, such as paper, microfiche, magnetic or optical media. Any associated cryptographic keys and programs used for encrypted archives or digital signatures (see Clause 10) should also be retained, so that the records can still be decrypted for the whole period during which they are kept.

The possibility of deterioration of the media used for record storage should be taken into consideration. Storage and handling procedures should be implemented in accordance with the manufacturer's recommendations.

Where electronic storage media are chosen, procedures should be established to ensure that the data remains accessible (both media and format readability) throughout the retention period, safeguarding against loss due to future technology changes.

Data storage systems should be chosen so that the required data can be retrieved in a timeframe and format acceptable for the requirements to be fulfilled.

Where applicable, the storage and handling system should ensure that records and their retention periods are identified as defined by national or regional legislation. After that period, if the records are no longer needed by the organization, the system should allow their appropriate destruction.

The following steps should be taken by an organization in order to achieve these record safeguarding goals:

  1. guidelines should be issued on the retention, storage, handling and disposal of records and information;
  2. a retention schedule should be drawn up, identifying records and the period for which they should be retained;
  3. an inventory of the main sources of information should be maintained.

Other Information- Some records need to be retained securely to meet legislative, regulatory or contractual requirements, as well as to support essential business activities. Examples include records that may be required as evidence that an organization operates within statutory or regulatory rules, to protect it against potential civil or criminal action, and to confirm the financial status of the organization to shareholders, external parties and auditors. The retention period and data content of retained information may be set by national law or regulation. Further information on managing organizational records can be found in ISO 15489.

A.18.1.4 Privacy and Protection of Personally Identifiable Information

Control- Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation, where applicable.

Implementation Guidance- An organizational data policy for privacy and the protection of personally identifiable information should be developed and implemented. This policy should be communicated to all persons involved in the processing of personally identifiable information.

Compliance with this policy and with all relevant legislation and regulations concerning privacy and the protection of personally identifiable information requires an appropriate management structure and control. This is often best achieved by appointing a responsible person, such as a security officer, who should provide guidance to managers, users and service providers on their individual responsibilities and on the specific procedures to be followed. Responsibility for handling personally identifiable information, and for ensuring awareness of the information security principles, should be assigned in accordance with applicable legislation and regulations. Appropriate technical and organizational measures to protect personally identifiable information should be implemented.

Read More : https://info-savvy.com/iso-27001-annex-a-18-1-3-a-18-1-4-a-18-1-5/


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

ISO 27001 Annex : A.12.4 Logging and Monitoring

The objective of ISO 27001 Annex A.12.4 Logging and Monitoring is to record events and generate evidence.

A.12.4.1 Event Logging

Control- Event logs recording user activities, exceptions, faults and information security events should be produced, retained and regularly reviewed.

Implementation Guidance- Where applicable, event logs should include:

  1. user IDs;
  2. system activities;
  3. dates, times and details of key events, such as log-on and log-off;
  4. device identity or location, where possible, and the system identifier;
  5. records of successful and rejected system access attempts;
  6. records of successful and rejected data and other resource access attempts;
  7. changes to system configuration;
  8. use of privileges;
  9. use of system utilities and applications;
  10. files accessed and the kind of access;
  11. network addresses and protocols;
  12. alarms raised by the access control system;
  13. activation and de-activation of protection systems, such as anti-virus and intrusion detection systems;
  14. records of transactions executed by users in applications.

Event logging provides the foundation for automated monitoring systems that can generate consolidated reports and alerts on system security.

Other information- Event logs can contain sensitive data and personally identifiable information, so appropriate privacy protection measures should be taken. Where possible, system administrators should not have permission to delete or de-activate logs of their own activities.

A.12.4.2 Protection of Log Information

Control- Logging facilities and log information should be protected against tampering and unauthorized access.

Implementation Guidance- Controls should aim to protect against unauthorized changes to log information and against operational problems with the logging facility, including:

  1. alterations to the message types that are recorded;
  2. log files being edited or deleted;
  3. the storage capacity of the log file media being exceeded, resulting either in events not being recorded or in past events being over-written.

Some audit logs may need to be archived as part of the record retention policy, or because of requirements to collect and retain evidence.

Other information- System logs often contain a large volume of information, much of which is not relevant to information security monitoring. To help identify significant events for information security monitoring, consider automatically copying the appropriate message types to a second log, or using suitable system utilities or audit tools to perform file interrogation and rationalization.

System logs need to be protected because, if their data can be modified or deleted, their existence may create a false sense of security. One way to safeguard logs is to copy them in real time to a system outside the control of the system administrator or operator.
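A minimal way to make the "edited or deleted log files" problem from A.12.4.2 detectable, as an added example that is not from the original article: each record carries the fields listed under A.12.4.1 and a keyed hash chained to the previous record, with the key (a constructed value here) held only by a separate log collector outside the administrator's control, so that any edit, deletion or reordering of earlier records breaks the chain.

```python
import hashlib
import hmac
import json

# Constructed demo key: in practice it is held only by the log collector,
# never by the administrators of the systems that produce the records.
COLLECTOR_KEY = b"constructed-demo-key-do-not-use"

# Fields every record must carry, following the A.12.4.1 list above.
REQUIRED = ("user_id", "timestamp", "event", "system_id", "src_addr", "outcome")


def _canon(record):
    """Canonical JSON so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def append_event(chain, **fields):
    """Append a record; its MAC covers the previous MAC, forming a chain."""
    missing = [f for f in REQUIRED if f not in fields]
    if missing:
        raise ValueError(f"record lacks required fields: {missing}")
    prev_mac = chain[-1]["mac"] if chain else "0" * 64
    data = (prev_mac + _canon(fields)).encode()
    mac = hmac.new(COLLECTOR_KEY, data, hashlib.sha256).hexdigest()
    chain.append({"record": fields, "mac": mac})
    return mac


def verify_chain(chain):
    """Return (ok, index of first bad record); the index is -1 when intact."""
    prev_mac = "0" * 64
    for i, entry in enumerate(chain):
        data = (prev_mac + _canon(entry["record"])).encode()
        expected = hmac.new(COLLECTOR_KEY, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    return True, -1


def demo():
    """Constructed three-record log, then an edited copy and a copy with a deletion."""
    log, ts, common = [], "2024-01-01T00:00:00Z", {"system_id": "srv-01", "src_addr": "10.0.0.5"}
    for event in ("logon", "privilege_use", "logoff"):
        append_event(log, user_id="alice", timestamp=ts, event=event, outcome="success", **common)
    edited = list(log)  # administrator flips the outcome of record 1
    edited[1] = {"record": dict(log[1]["record"], outcome="denied"), "mac": log[1]["mac"]}
    deleted = log[:1] + log[2:]  # administrator removes record 1 entirely
    return verify_chain(log), verify_chain(edited), verify_chain(deleted)
```

Running `demo()` returns an intact result for the original log and reports record index 1 as the first bad entry for both the edited and the deleted copies.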

Read More : https://info-savvy.com/iso-27001-annex-a-12-4-logging-and-monitoring/

