I was asked this question by senior management recently: ‘How do we tackle the logging and audit problem?’ It is certainly a broad question with no straightforward answer. The context was compliance and incident response strategy.
For organisations facing this question it is a big challenge to begin with, primarily because until recently there was little rigour around this security control to draw experience from. In this post I aim to cover the prerequisites for starting the project.
The prerequisites:
1. Gather requirements. A project team that starts looking at solutions or technology before establishing the business requirements is doomed to fail.
- Understand the drivers for log management, whether compliance, operations, incident response, investigations and so on, and the specifics of each. Gather requirements from the various business functions as well, both to capture what they need and to gain their support and buy-in.
- Using the existing asset management programme, identify what you want to log. This also establishes whether the business understands the infrastructure that serves its key business processes. This is the challenging part: more often than not only a handful of people in the business understand and can identify these systems, and in the worst case there is nobody.
- One way to address this is to look at the latest Business Continuity Plan and identify the systems that are business critical, i.e. those whose failure would cause the most damage.
- Prepare a draft grouping of these systems for a phased rollout.
- Once the key systems for the first phase have been identified, agree data retention and disposal requirements with the business, from both a business and a compliance perspective. For logs in particular, the retention period needs to cover the gap between an incident occurring and it being detected; otherwise the evidence will have been disposed of before the investigation begins.
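As an added worked example, not code from the original post, the following script shows one way to carry out the last three steps mechanically: join an asset register with the systems the Business Continuity Plan marks as critical, assign each asset a rollout phase from its BCP tier, attach a retention floor derived from the logging drivers that apply to it, and flag the gaps that the text warns about (assets with no identified owner, assets that do not appear in the BCP at all). The asset register, BCP tiers, driver map and retention periods are all constructed sample data and the hostnames are hypothetical.

```python
"""Phase-1 log source planning from an asset register and a BCP extract.

Added example; all data below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed asset register: hypothetical hosts, the business process each
# supports, and the named owner (empty string = nobody could be identified).
ASSET_REGISTER = [
    {"host": "pay-db-01",  "type": "database", "process": "Payroll",       "owner": "finance-it"},
    {"host": "pay-app-01", "type": "web",      "process": "Payroll",       "owner": "finance-it"},
    {"host": "crm-app-01", "type": "web",      "process": "Customer CRM",  "owner": ""},
    {"host": "dc-01",      "type": "dc",       "process": "Identity",      "owner": "infra"},
    {"host": "wiki-01",    "type": "web",      "process": "Intranet wiki", "owner": "infra"},
    {"host": "fw-edge-01", "type": "firewall", "process": "Internet edge", "owner": "netops"},
    {"host": "legacy-01",  "type": "unknown",  "process": "Legacy batch",  "owner": ""},
]

# Constructed BCP extract: business process -> recovery tier (1 = most critical).
BCP_TIERS = {"Payroll": 1, "Identity": 1, "Internet edge": 2,
             "Customer CRM": 2, "Intranet wiki": 3}

# Constructed retention requirements per driver, in days, and which drivers
# apply to which asset type. The retention floor for an asset is the longest
# requirement among its drivers; disposal must not happen before that.
RETENTION_DAYS = {"compliance": 365, "incident_response": 180, "operations": 30}
DRIVERS_BY_TYPE = {
    "database": ["compliance", "incident_response"],
    "web":      ["incident_response", "operations"],
    "dc":       ["compliance", "incident_response"],
    "firewall": ["incident_response", "operations"],
}


@dataclass
class LogSource:
    host: str
    process: str
    tier: int
    phase: int
    drivers: list
    retention_days: int
    gaps: list = field(default_factory=list)


def phase_for_tier(tier):
    """Rollout phase follows BCP tier: tier-1 systems go in phase 1, and so on."""
    return tier


def plan_log_sources(register, bcp_tiers, drivers_by_type, retention_days):
    """Join the asset register with the BCP and return a phased, annotated plan."""
    plan = []
    unknown_tier = max(bcp_tiers.values()) + 1  # assets missing from the BCP go last
    for asset in register:
        gaps = []
        tier = bcp_tiers.get(asset["process"])
        if tier is None:
            gaps.append("not in BCP")
            tier = unknown_tier
        if not asset["owner"]:
            gaps.append("no owner")
        drivers = drivers_by_type.get(asset["type"], [])
        if not drivers:
            gaps.append("no logging driver defined")
        retention = max((retention_days[d] for d in drivers), default=0)
        plan.append(LogSource(asset["host"], asset["process"], tier,
                              phase_for_tier(tier), drivers, retention, gaps))
    plan.sort(key=lambda s: (s.phase, s.host))
    return plan


def phase_hosts(plan, phase):
    """Hosts scheduled for a given rollout phase."""
    return [s.host for s in plan if s.phase == phase]


def gap_report(plan):
    """Hosts that need a decision from the business before they can be onboarded."""
    return {s.host: s.gaps for s in plan if s.gaps}


if __name__ == "__main__":
    plan = plan_log_sources(ASSET_REGISTER, BCP_TIERS, DRIVERS_BY_TYPE, RETENTION_DAYS)
    for s in plan:
        print(f"phase {s.phase}  {s.host:<11} {s.process:<14} "
              f"retain {s.retention_days:>3}d  {', '.join(s.gaps)}")
```

The gap report is the useful output for the requirements meeting: every host in it needs either an owner named, an entry in the BCP, or a logging driver agreed before it can be scheduled, which is exactly the conversation the text says the business usually has not had.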
In later posts I'll try to cover how to prepare for a phased journey into log management and how to realise the benefits of the project.