
Auditing and logging policy

2023-03-20 19:03:09


Auditing and logging are basic steps in protecting mission-critical systems and solving problems. This policy provides an overview of the auditing and logging process for computer systems, networks, and devices that store or transfer important data.

Many computer systems, network devices, and other technical hardware used in enterprises can audit and record various activities. These activities include network traffic, Internet access, creating or deleting users, adding users to groups, changing file permissions, transferring files, opening cases, powering off, deleting system logs, and deleting users, whether the action is performed by a user, an administrator, or the system itself.

Auditing and logging are the first line of defense for keeping a system consistent with its environment and for solving problems in a mission-critical environment. Whether an administrator makes a mistake, a hardware component fails, a hacker breaks into the system or consumes too much network bandwidth, or a user attempts unauthorized access to a database, the audit log helps identify what happened and how to resolve it.

Collecting events in the log file is only half of the goal. The other half is establishing a framework for monitoring and reviewing incidents so that everyday management, serious problems, and security-related events are handled properly. Therefore, following a set of guidelines for effective auditing and logging implementation and management is an important task for any IT department.

This policy provides guidance on auditing and logging for computer systems, the proper use of the network, and other devices that store or transmit data that is important and/or security-relevant. It includes ways to protect the logs and to interpret the resulting data so as to make the most of it.

This policy is intended for full-time and part-time employees, consultants, contractors, and other personnel responsible for managing systems, networks, and other equipment with audit/logging capabilities.

I do not like configuring audit policies for all activities that occur on the logging server, but I also avoid audits that check only a minimal set of events and failures. Each time you add an additional audit policy to the server, the server load increases and the security log file grows in size. If you are really interested in logging events that may affect the security of your system, you should record not only events that someone tried but could not complete, but also events that someone tried and succeeded at. This has been my philosophy for a while, and it has been very useful to me; some people think I am a bit paranoid.

A log is a record of the events that occurred in the organization's systems and networks. A log consists of log entries, and each entry contains information about a specific event occurring in the system or network. Computer security logs are generated by various sources, such as antivirus software, firewalls, security software such as IPS/IDS, operating systems on servers and workstations, network devices, applications, etc. Periodic log analysis can help you identify security incidents, policy violations, misbehavior, and operational issues. Logs help you perform audits and forensic analysis, support internal investigations, establish a baseline, and identify operational trends and long-term problems. Organizations need to define the requirements and objectives for performing logging and for monitoring logs. The requirements should include all applicable laws, regulations, and existing organizational policies.

Information Security and Policy (ISP) has implemented a campus-wide audit logging solution based on HP ArcSight, the Campus Log Correlation Program, which helps manage, correlate, and detect suspicious activity related to the most important data assets on campus. The advanced detection capabilities of this service allow ISP to correlate various aspects of events (IDs, vulnerabilities, intrusion detections, etc.) spanning multiple firewalls, web servers, and system access logs by asset, time, mode, and so on. This makes it possible to determine whether a system was successfully attacked, to detect attacks currently in progress, or to detect advanced threats before an attack causes damage.
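As an added example (not part of the original essay or of the ArcSight-based service it describes), the following Python sketch shows the monitoring half the essay calls for: it normalises constructed entries from an OS auth log, a firewall and a web server to a common success/failure outcome, tallies both outcomes per asset as the audit-policy paragraph recommends, and correlates failures followed by a success on the same asset within a time window, in the spirit of the log correlation service. The log format, field names, sample values and thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample entries (not real data); the "<time> <source> k=v ..." layout is an assumption.
SAMPLE_LOGS = [
    "2023-03-20T19:00:01 auth host=db01 user=alice action=login result=FAIL src=10.0.0.5",
    "2023-03-20T19:00:07 auth host=db01 user=alice action=login result=FAIL src=10.0.0.5",
    "2023-03-20T19:00:12 auth host=db01 user=alice action=login result=SUCCESS src=10.0.0.5",
    "2023-03-20T19:00:20 fw host=db01 action=allow dport=22 src=10.0.0.5",
    "2023-03-20T19:05:00 web host=www01 method=GET path=/admin status=403 src=198.51.100.9",
    "2023-03-20T19:30:00 auth host=www01 user=bob action=login result=SUCCESS src=10.0.0.8",
]

def parse_entry(line):
    """Normalise one entry to time, source, host, src and an outcome of SUCCESS or FAIL."""
    ts, source, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    if "result" in kv:                        # OS/auth style: explicit result field
        outcome = kv["result"]
    elif "status" in kv:                      # web server: HTTP status code
        outcome = "FAIL" if int(kv["status"]) >= 400 else "SUCCESS"
    else:                                     # firewall: allow/deny verdict
        outcome = "SUCCESS" if kv.get("action") == "allow" else "FAIL"
    return {"time": datetime.fromisoformat(ts), "source": source,
            "host": kv["host"], "src": kv.get("src", "?"), "outcome": outcome}

def review_summary(lines):
    """Per-asset count of attempted-and-failed vs attempted-and-succeeded events."""
    counts = defaultdict(Counter)
    for e in map(parse_entry, lines):
        counts[e["host"]][e["outcome"]] += 1
    return {host: dict(c) for host, c in counts.items()}

def correlate(lines, window=timedelta(minutes=1), min_failures=2):
    """Flag a SUCCESS on an asset that is preceded, within `window`, by at least
    `min_failures` FAIL events from the same source address, whichever log produced them."""
    events = sorted(map(parse_entry, lines), key=lambda e: e["time"])
    recent_fails = defaultdict(list)          # (host, src) -> timestamps of failures
    findings = []
    for e in events:
        key = (e["host"], e["src"])
        if e["outcome"] == "FAIL":
            recent_fails[key].append(e["time"])
            continue
        fails = [t for t in recent_fails[key] if e["time"] - t <= window]
        if len(fails) >= min_failures:
            findings.append((e["host"], e["src"], e["time"].isoformat()))
            recent_fails[key].clear()         # report each burst of failures once
    return findings
```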