S 2.110 Data protection guidelines for logging procedures
Initiation responsibility: Head of IT
Implementation responsibility: Administrator
In terms of data security, logging as part of IT-systems operation constitutes the manual or automatic generation of records which make it possible to answer the following questions: "Who accessed or performed what, when, using which resources?" These records should also indicate system states: "Who had which access rights for which period of time?"
The nature and scope of logging depends on general data privacy laws as well as field-specific guidelines.
The logging of administrative activities is equivalent to system monitoring, while the logging of user activities serves essentially as process monitoring. Accordingly, requirements concerning the nature and scope of system-oriented logging originate primarily from general data privacy laws, while process-oriented logging is defined mainly by field-specific guidelines. Examples of process-oriented logging guidelines are, among others, registration laws, police laws and constitutional laws.
Minimum requirements for logging
The following activities must be logged fully during the administration of IT systems:
- System generation and modification of system parameters
  As system-controlled logs are usually not generated on this level, detailed manual records corresponding to the system documentation are required here.
- Configuration of users
  Complete records must be maintained as to which rights to use an IT system were granted by whom to which people for which periods of time. Long-term retention periods must be specified for these logs, as they form the basis for practically every method of review.
- Preparing rights profiles
  One important logging task as part of user administration is to maintain a record of the people who issued instructions to configure individual user rights (also refer to S 2.31 Documentation of authorised users and rights profiles).
- Installation and modification of application software
  Logs in this context indicate the outcome of releasing programs and processes.
- Modifications to file organisation
  In view of the numerous possibilities of manipulation during the use of standard file management systems, complete logging is of particular importance here (see e.g. database management).
- Implementation of data backup measures
  As such measures (backup, restore) involve the copying and overwriting of databases, and are mainly required in "exceptional cases", logging is of special importance in this context.
- Other use of administration tools
  The usage of all administration tools must be logged to help ascertain whether unauthorised persons have subversively acquired system administration rights.
- Attempts at unauthorised login and transgressions of rights
  Given effective authentication procedures and an appropriate allocation of rights, particular emphasis must be laid on maintaining a complete record of all "abnormalities" occurring during login and the use of hardware/software components. System administrators are also to be considered as users in this context.
During the processing of personal data, the following user activities must be logged selectively or fully in accordance with the sensitivity of the processes and information involved:
- Input of data
  Input monitoring is always process-oriented (e.g. logging in files if these are used, direct logging in the database if no files are used). Even if transgressions of rights are assumed to be logged using a different technique, complete logging of data inputs should be considered as a standard procedure.
- Data transfer
  Selective logging of data transfer can be considered sufficient only if complete logging is not legally specified.
- Use of automatic retrieval procedures
  Complete logging of retrievals and the reasons underlying them (procedure, reference, etc.) is generally necessary to detect unauthorised handling outside the scope of the access rights granted.
- Deletion of data
  The deletion of data must be logged.
- Invocation of programs
  It might be necessary to log the invocation of especially "sensitive" programs which, for example, must only be used during certain periods or on certain occasions. Complete logging is recommended in such cases. This also makes it possible to exonerate authorised users (proof of exclusive right to invoke a program).
Limited use of log data
In accordance with the almost fully identical data privacy regulations applicable on the federal and state levels, the use of log data is strictly limited. Such data must only be used for the purposes for which they were originally saved. These purposes usually consist of general monitoring tasks specified in a security concept, checks for the proper usage of programs for processing person-related data as stipulated by most data security laws, and monitoring by internal or external data security officers. Only in exceptional cases do field-specific regulations allow the use of such data for other purposes such as criminal prosecution.
Storage period
Unless specified otherwise by field-specific regulations, the storage period for logs is defined by the deletion guidelines forming part of generally applicable data privacy laws. Log data must be deleted immediately once they are no longer required to fulfil the purpose. If no compelling reasons exist for the further retention of log data, these must be deleted by law.
The following factors serve as orientation here:
- The probability that irregularities might (still) be detected
- The possibility of ascertaining the reasons for such irregularities using the logs and other documents
Experience has shown that a retention period of one year should not be exceeded.
Shorter storage periods should be considered for logs which are prepared for the purpose of selective checks. Storage up to the point of actual checking is usually adequate. Here, too, field-specific regulations must be observed.
Basic technical and organisational requirements
The effectiveness of logging and its evaluation as part of monitoring depends decisively on technical and organisational conditions. In this context, the following aspects should be considered:
- A review concept should be prepared for the purpose of clearly defining the purpose of the logs and their monitoring functions, as well as security mechanisms for the rights of users and other persons involved (see also S 5.22 Logging).
- Measures must be taken to ensure the inevitability and completeness of the logging functions, and to safeguard entries in the log files against manipulation.
- In accordance with the degree of purpose limitation applicable to the data stores (how strictly their use is restricted to the original purpose), effective access restrictions must be implemented.
- The logs must be designed to allow effective checking. This also includes IT-supported evaluations.
- Possibilities of evaluation should be ascertained and stipulated at the start.
- Checks must be performed sufficiently often to prevent damage and allow the initiation of appropriate measures following the discovery of violations. Timely checks must be carried out before the expiry of retention periods for log files.
- Checks must be performed in accordance with the two person rule.
- Employees should be made aware of the fact that checks are performed, if necessary, without prior notice.
- Automatic procedures (e.g. watchdogs) should be used for routine checks.
- The staff and works councils should be involved in the preparation of the logging concept and the stipulation of log evaluation techniques.
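The following Python example is added here to make three of the requirements above concrete: the completeness and integrity of log entries (each entry is chained to its predecessor with a SHA-256 hash, so a modified or removed entry is detectable), an IT-supported evaluation that answers "who had which rights for which period of time" from the user-configuration records, and deletion of entries once the storage period has expired. It is not part of the BSI safeguard and not a BSI tool; hash chaining is one possible way to meet the manipulation-safeguard requirement, the one-year default retention is taken from the guidance above as an assumed upper bound, and the record field names and sample records are constructed for the example.

```python
"""Added example (not BSI code): tamper-evident administration log with
rights evaluation and retention-based purging."""
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64                 # chain anchor before the first entry
RETENTION = timedelta(days=365)    # assumed default: "one year should not be exceeded"


def parse_ts(s: str) -> datetime:
    """ISO-8601 timestamp with offset -> aware datetime."""
    return datetime.fromisoformat(s)


def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash and the canonical JSON of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AdminLog:
    """Append-only, chronologically ordered entries {record, prev, hash}."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, record)
        self.entries.append({"record": record, "prev": prev, "hash": h})
        return h

    def verify(self) -> int:
        """Index of the first entry whose chain link is broken, or -1 if intact.
        Starts from the oldest retained entry's stored prev hash, so purging an
        expired prefix does not invalidate the remaining chain."""
        if not self.entries:
            return -1
        prev = self.entries[0]["prev"]
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_hash(prev, e["record"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def purge_expired(self, now: datetime, retention: timedelta = RETENTION) -> int:
        """Delete entries older than the retention period; returns the count removed."""
        cutoff = now - retention
        keep = [e for e in self.entries if parse_ts(e["record"]["ts"]) >= cutoff]
        removed = len(self.entries) - len(keep)
        self.entries = keep
        return removed

    def rights_held(self, subject: str, at: datetime) -> set:
        """Rights granted to `subject` that are valid at time `at` and not revoked by then."""
        held = set()
        for e in self.entries:
            r = e["record"]
            if r.get("subject") != subject:
                continue
            if r["action"] == "grant_right" and \
                    parse_ts(r["valid_from"]) <= at <= parse_ts(r["valid_until"]):
                held.add(r["right"])
            elif r["action"] == "revoke_right" and parse_ts(r["ts"]) <= at:
                held.discard(r["right"])
        return held


# Constructed sample records (field names are this example's own convention).
SAMPLE_RECORDS = [
    {"ts": "2024-01-10T09:00:00+00:00", "action": "grant_right", "actor": "admin.alice",
     "subject": "user.bob", "right": "hr-db:read", "ordered_by": "head.of.hr",
     "valid_from": "2024-01-10T09:00:00+00:00", "valid_until": "2024-12-31T23:59:59+00:00"},
    {"ts": "2024-02-01T14:30:00+00:00", "action": "admin_tool_use", "actor": "admin.alice",
     "tool": "useradmin", "detail": "listed members of group hr"},
    {"ts": "2024-03-15T08:00:00+00:00", "action": "revoke_right", "actor": "admin.alice",
     "subject": "user.bob", "right": "hr-db:read", "ordered_by": "head.of.hr"},
    {"ts": "2024-03-15T08:05:00+00:00", "action": "login_failure", "actor": "user.bob",
     "detail": "wrong password, 3rd attempt"},
]


def build_sample_log() -> AdminLog:
    log = AdminLog()
    for rec in SAMPLE_RECORDS:
        log.append(rec)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() == -1)
    print("bob's rights on 2024-02-01:",
          log.rights_held("user.bob", parse_ts("2024-02-01T00:00:00+00:00")))
    print("purged:", log.purge_expired(parse_ts("2025-02-15T00:00:00+00:00")))
```

The chain only detects manipulation; it does not prevent it. In practice the latest hash would be written periodically to a separate, write-once location (or countersigned under the two-person rule), so that an administrator who can rewrite the whole log cannot also rewrite the checkpoint.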
Review questions:
- Was a concept prepared which describes the purpose of the logs and their monitoring functions, as well as security mechanisms for the rights of the persons involved?
- Is the limited use of the log data respected, especially in terms of access authorisations?
- Does the form of the logging allow for effective possibilities of evaluation?
- Were the possibilities of evaluation coordinated with the Data Protection Officer and the personnel representative?