S 2.497 Creating a security concept for logging
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, IT Security Officer
A security concept must be drawn up in order to enable logging in a secure framework. This concept defines all aspects referring to the secure use of the logging function, for example which data is captured and how long this captured data is to be stored, the analysis procedure, and how the logged data is transmitted using the network in the event of centralised logging.
The following list provides some important areas to be regulated in the concept. However, this list is not exhaustive, and the concept must be adapted, designed, and extended in accordance with the application scenarios in the organisation. Detailed information about the aspects mentioned can be found in the individual safeguards of S 1.0 Security management.
A security concept defines how, where, and what is to be logged for which protection requirements. This also includes the decision whether local or centralised logging is to be implemented, see also S 3.90 General requirements for centralised logging. Normally, it is easier to get an overview of the security-relevant incidents within the information system if a centralised logging server is used that merges, analyses, and monitors the different logged data. In this case, the following aspects are relevant, amongst other things:
- Is centralised logging necessary or is it possible to locally store and analyse the logged data?
- How will the servers be secured in the event of centralised logging?
- Where should a centralised logging server be positioned within the network?
- Which synchronised and exact time basis is used by the log messages?
- How can logging servers be decommissioned securely?
It must be decided which IT systems, networks, and applications are to be taken into consideration for logging within the security concept. In general, all security-relevant events of IT systems such as servers, clients, network switching elements, and security gateways should be logged and analysed, as described in S 4.430 Analysing the logged data. For this, the following questions may be useful:
- Which events must be captured by the logging function?
- Which services, applications, and which hosts are logged?
- In what format is the information to be captured and processed?
For optimal use of all functions and security features of the logging function, it is important to train the administrators accordingly, see also S 3.89 Training on the administration of the logging function. The training courses should convey information about the configuration and operation of the components of a logging server, as well as knowledge about their administration. The following items are important, amongst other things:
- Who may access the logged data for which purpose?
- Which administration tasks may and/or should be delegated?
- What training should administrators receive regarding the logging function?
- How are the activities of the administrators monitored?
The collected logged information may be analysed locally or on a centralised logging server. This is described in more detail in S 4.431 Selecting and processing relevant information for logging. In the event of a centralised analysis, the logged information must be transmitted to the centralised server using the network. Here, the communication between the involved IT systems must be secured sufficiently, see S 5.171 Secure communication with a centralised logging server. The following aspects should be taken into account to accomplish this:
- Which mechanisms protect the availability, confidentiality, and integrity of the logged data during transmission?
- Can the logged data be transmitted using the data network (in-band) or does a separate logging and administration network (out-of-band) have to be set up for this?
- Is there a sufficiently exact time base all log sources are synchronised with?
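As an added illustration of the transmission aspects listed above (not part of the safeguard text), the following rsyslog configuration contrasts a plaintext UDP forwarding rule with one that protects confidentiality and integrity via mutually authenticated TLS and availability via a disk-assisted queue. Host names, ports other than 6514, and certificate paths are assumed placeholders.

```conf
# --- Weak setting: legacy UDP forwarding in plaintext (constructed example) ---
# No encryption, no integrity protection, no acknowledgement: messages can be
# read, altered or silently dropped on the way to the central server.
# *.* @logserver.example.org:514

# --- Log source (client side): hardened forwarding to the central server ---
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"          # assumed path
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

action(
  type="omfwd"
  target="logserver.example.org" port="6514" protocol="tcp"   # assumed server
  # Confidentiality and integrity: TLS with the server's identity pinned by name
  StreamDriver="gtls" StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="logserver.example.org"
  # Availability: buffer to disk while the server or network is unreachable and
  # retry forever instead of discarding logged data
  queue.type="LinkedList" queue.filename="fwd_central"
  queue.saveOnShutdown="on" queue.maxDiskSpace="1g"
  action.resumeRetryCount="-1"
)

# --- Central logging server: accept only TLS clients with certificates from the
# --- organisation's CA whose name matches the permitted peer pattern
global(
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)
module(
  load="imtcp"
  StreamDriver.Name="gtls" StreamDriver.Mode="1"
  StreamDriver.AuthMode="x509/name"
  PermittedPeer=["*.example.org"]                                 # assumed pattern
)
input(type="imtcp" port="6514")
```

Whether this runs in-band or over a separate administration network is a placement decision for the concept; the configuration is the same in both cases, and a synchronised time base (for example NTP on all log sources) still has to be ensured separately.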
If certain events occur or if thresholds are exceeded, an alarm should be triggered, for example via email or SMS. In order for the alarms to be useful, it is important to reduce the number of false alarms and to inform the relevant persons quickly. More detailed information can be found in S 6.151 Alarm concepts for the logging function. For this, the following questions may be helpful:
- Which filter settings are required in order to find the relevant information in the logged data?
- How and how long is logged data archived and does this correspond to the data protection policies?
- How do the thresholds have to be configured so that false positives (false alarms) and false negatives (undetected incidents) are avoided?
- What is the reaction to alarms?
- How are the persons responsible informed about alarms?
Within the framework of logging, data protection plays an important role, because it specifies what is to be logged on the one hand, and what must not be logged and how the logged data must be handled on the other hand (see S 2.110 Data protection guidelines for logging procedures).
The security concept for logging must be coordinated with the overall security concept of the organisation. Furthermore, it must be updated and adapted to changes to the technology and to changes within the organisation at regular intervals.
Review questions:
- Was the security concept for logging coordinated with the security concept of the entire organisation?
- Is the security concept for logging updated regularly?