S 4.172 Logging of the archival accesses
Initiation responsibility: Head of IT
Implementation responsibility: Administrator, Head of IT
Accesses to electronic archives must be logged. This is intended to guarantee the traceability of activities and to allow possible errors to be corrected. The following list provides an overview of the types of events that can be detected with the help of logging:
- loss of data confidentiality and/or integrity as a result of IT user error,
- incorrect administration of site and data access rights,
- switching off of the server in ongoing operations,
- violation of legal requirements regarding the use of archive systems,
- faulty data media,
- loss of stored data,
- loss of data due to exhausted storage medium,
- manipulation of data or software,
- unauthorised copying of data media,
- manipulation of an encryption module,
- compromise of cryptographic keys, and
- unauthorised overwriting or deletion of archiving media.
The extent of logging depends, on the one hand, on the requirements regarding the traceability and authenticity of the documents stored in the archives. On the other hand, the regulations agreed upon within the organisation must also be observed, e.g. regarding data protection.
If possible, at least the following data should be logged:
- time and date of the access,
- client system used for the purpose of accessing,
- archive user and executed user role,
- executed actions, as well as
- possible error messages and codes.
The retention period for the logged data must be defined in the archiving concept.
The logged data must be analysed regularly, taking organisational specifications into consideration, in order to detect misuse and system errors. Analysis may be carried out manually or with the help of a tool. Critical events should be defined in advance as those events whose occurrence requires an administrator to be notified. Such incidents should be signalled immediately, e.g. using existing system management environments. Furthermore, it is important that the notification is performed in a role-related and not in a person-related manner. If, for example, an email is sent to a specific person, the message may remain undetected if this person is absent.
The following events are typically characterised by a high criticality during archiving and should therefore be logged permanently, monitored, and signalled immediately if they occur:
- copying of archiving media,
- copying of archive system data media,
- deletion of datasets or marking of datasets for deletion,
- disconnection of archiving media in archive systems,
- removal of archiving media from archive systems,
- insertion of archiving media,
- connection of archiving media,
- errors or problems regarding access to the archive,
- system errors and timeouts,
- disaster scenarios (fire, inadmissible temperature, water, etc.), normally detected by external sensors.
After signalling, the event should be examined and, if required, escalated further immediately. Typically, a first escalation is performed to the Head of IT. However, other escalation processes may also be designed depending on the organisation.
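As an added illustration of the tool-supported analysis described above (this is example code, not part of the safeguard and not a reference to any particular archive product), the following script checks that each log record carries the minimum fields listed earlier, flags the critical event types just listed, and attaches a role-based notification address. The log line format, the action names, the error-code prefixes and the `archive-admin` mailbox are all assumptions made for the example.

```python
import re

# Constructed sample log (no real system); each record carries the minimum field set
# from the safeguard: timestamp, client system, user, role, action, error code.
# The last line is deliberately incomplete to show how malformed records are handled.
SAMPLE_LOG = """\
2024-03-01T08:15:02Z client=ws-042 user=mmeier role=archivist action=read_document error=-
2024-03-01T08:17:45Z client=ws-042 user=mmeier role=archivist action=mark_for_deletion error=-
2024-03-01T09:02:11Z client=srv-arch1 user=svc_backup role=operator action=copy_medium error=-
2024-03-01T09:05:30Z client=ws-017 user=jdoe role=reader action=read_document error=E-ACCESS-DENIED
2024-03-01T09:06:00Z client=srv-arch1 user=system role=system action=remove_medium error=-
2024-03-01T09:06:03Z client=srv-arch1 user=system role=system action=read_document error=E-TIMEOUT
2024-03-01T09:10:00Z client=ws-017 user=jdoe
"""

# Action names (assumed) corresponding to the high-criticality events in the safeguard.
CRITICAL_ACTIONS = {
    "copy_medium", "copy_system_medium", "delete_dataset", "mark_for_deletion",
    "disconnect_medium", "remove_medium", "insert_medium", "connect_medium",
}
# Error-code prefixes (assumed) covering access problems, system errors and timeouts.
CRITICAL_ERROR_PREFIXES = ("E-ACCESS", "E-SYSTEM", "E-TIMEOUT")

# Role-related notification target: a functional mailbox, not a named person.
NOTIFY = {"archive-admin": "archive-admin@example.invalid"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) error=(?P<error>\S+)$"
)

def parse_line(line):
    """Return the record as a dict, or None if any required field is missing."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_critical(rec):
    """A record is critical if its action or its error code is on the critical lists."""
    return rec["action"] in CRITICAL_ACTIONS or rec["error"].startswith(CRITICAL_ERROR_PREFIXES)

def analyse(log_text):
    """Return (critical records to signal to the admin role, malformed lines to review)."""
    critical, malformed = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed.append(line)  # an incomplete record itself deserves a look
        elif is_critical(rec):
            rec["notify"] = NOTIFY["archive-admin"]
            critical.append(rec)
    return critical, malformed
```

Run as `critical, malformed = analyse(SAMPLE_LOG)`; on the sample this yields five critical records and one malformed line, each critical record carrying the role mailbox to signal.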
Review questions:
- Are accesses to electronic archives logged?
- Are organisation-internal regulations taken into account when logging archive accesses, for example regarding data protection?
- Are the date, the time, the user, the client system, and the executed actions, as well as error messages logged for each access, if possible?
- Has the retention period of the logged data been defined in the archiving concept?
- Is the logged data of archive accesses analysed regularly taking into consideration organisation-internal specifications?
- Are critical events and their role-related signalling defined for archive accesses?
- Are critical events examined immediately upon signalling and, if required, escalated further in accordance with the organisation-specific escalation processes?