S 5.9 Logging on the server
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
An appropriate portion of the logging functionality available on the network server should be activated. The network administrator must examine the log files of the network server at regular intervals. All security-related events must be logged. The following events are of particular interest:
- incorrect password entries for a user identifier, including the blocking of that identifier once the maximum number of failed attempts has been reached,
- attempts to gain unauthorised access,
- power failures,
- data on network utilisation and overload.
How many other events are logged in addition to these events depends on the protection requirements of the particular IT systems, among other things. The higher the protection requirement is, the greater the number of events that should be logged.
Since log files can become very large over time, the evaluation interval must be chosen short enough that the volume accumulated between two evaluations can actually be examined. For the evaluation to be effective, every log entry should contain the user identifier or process number, the name of the device, and the date and time; an entry lacking any of these cannot be attributed to a user, a system or a point in time.
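As an added illustration, not part of the BSI text, the following Python script evaluates a constructed, syslog-like server log for the event classes listed above: it rejects entries that lack the required timestamp, device name or process number, counts failed password entries per user identifier, and reports identifiers that reached the maximum number of failed attempts without a logged blocking event. The line layout, the message wordings, the process names, the sample lines and the lockout threshold of five attempts are all assumptions made for the example and must be adapted to the actual server's log format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log, not captured from a real system. The layout
# "timestamp host process[pid]: message" is an assumption; the last line
# deliberately lacks the timestamp and process number that every entry
# should carry, so the completeness check below reports it.
SAMPLE_LOG = """\
2024-03-04T08:01:12 srv01 sshd[4321]: Failed password for alice from 10.0.0.7
2024-03-04T08:01:15 srv01 sshd[4321]: Failed password for alice from 10.0.0.7
2024-03-04T08:01:19 srv01 sshd[4321]: Failed password for alice from 10.0.0.7
2024-03-04T08:01:22 srv01 sshd[4321]: Failed password for alice from 10.0.0.7
2024-03-04T08:01:25 srv01 sshd[4321]: Failed password for alice from 10.0.0.7
2024-03-04T08:01:25 srv01 pam_tally[4321]: account alice locked after 5 failures
2024-03-04T08:02:40 srv01 sshd[4330]: Accepted password for bob from 10.0.0.9
2024-03-04T08:03:01 srv01 smbd[2201]: unauthorised access attempt to share finance by carol
2024-03-04T08:04:00 srv01 upsmon[900]: power failure: running on battery
2024-03-04T08:05:00 srv01 netmon[1010]: link eth0 utilisation 97% (overload)
2024-03-04T08:06:10 srv01 sshd[4340]: Failed password for erin from 10.0.0.12
2024-03-04T08:06:13 srv01 sshd[4340]: Failed password for erin from 10.0.0.12
2024-03-04T08:06:16 srv01 sshd[4340]: Failed password for erin from 10.0.0.12
2024-03-04T08:06:19 srv01 sshd[4340]: Failed password for erin from 10.0.0.12
2024-03-04T08:06:22 srv01 sshd[4340]: Failed password for erin from 10.0.0.12
srv01 sshd: Failed password for dave from 10.0.0.11
"""

# Every entry must carry date/time, device name and a process number.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Message wordings for the event classes named in S 5.9 (assumed wordings;
# adapt them to the actual server's log format).
PATTERNS = [
    ("failed_login", re.compile(r"Failed password for (?P<user>\S+)")),
    ("lockout", re.compile(r"account (?P<user>\S+) locked")),
    ("unauthorised_access", re.compile(r"unauthori[sz]ed access")),
    ("power_failure", re.compile(r"power failure")),
    ("network_overload", re.compile(r"overload")),
]


def parse_line(line):
    """Split one entry into its fields; return None if a required field is missing."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return {"ts": ts, "host": m["host"], "proc": m["proc"],
            "pid": int(m["pid"]), "msg": m["msg"]}


def classify(msg):
    """Map a message to one of the event classes above, plus the user it names, if any."""
    for kind, pat in PATTERNS:
        m = pat.search(msg)
        if m:
            return kind, m.groupdict().get("user")
    return "other", None


def evaluate(log_text, threshold=5):
    """Count the events of interest and flag entries or blocking events that are missing.

    threshold: assumed maximum number of failed attempts before an identifier is blocked.
    """
    counts = Counter()
    failed_by_user = Counter()
    locked = set()
    malformed = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            malformed.append(lineno)  # cannot be attributed to a user, host or time
            continue
        kind, user = classify(entry["msg"])
        counts[kind] += 1
        if kind == "failed_login":
            failed_by_user[user] += 1
        elif kind == "lockout":
            locked.add(user)
    at_threshold = {u for u, n in failed_by_user.items() if n >= threshold}
    return {
        "counts": counts,
        "failed_by_user": failed_by_user,
        "users_at_threshold": at_threshold,
        # identifiers that reached the threshold without a logged blocking event
        "lockout_not_logged": at_threshold - locked,
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    report = evaluate(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On the constructed sample, the script reports alice and erin as having reached the threshold, erin as lacking a logged blocking event (which would indicate that the lockout itself is not being logged, contrary to the first bullet above), and the final line as unusable because it carries neither a timestamp nor a process number. The same structure, with the patterns replaced by the real server's message formats, serves as the regular evaluation the safeguard calls for.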
It must be determined which legal or contractual retention periods apply to the log files. A minimum retention period may be prescribed in order to guarantee that all activities remain traceable, while data protection regulations may impose a deletion requirement (see also S 2.110 Data protection guidelines for logging procedures).
Review questions:
- Has logging been activated on the network server?
- Does every log entry contain the user identifier or process number, the name of the device, and the date and time?
- Are the logs evaluated regularly by the network administrator?
- Are the evaluations documented?
- Are the legal or contractual retention periods for log files observed?