Log Management Policy: Fillable template and example

Template: Log Management Policy DOCX, 79 KB

Fillable templates provide instructions on the information required to be documented for certification.

Example: Log Management Policy DOCX, 142 KB

Examples provide sample text to help learners complete a template.

Computer Security Log Management

Disclaimer: CyberSecure Canada has developed this template for your use in relation to certification requirements for the Computer Security Log Management security control area. It provides guidance as to how information can be organized and documented for certification. CyberSecure Canada does not guarantee a successful certification from use of this template. Organizations are not obliged to use this template and may provide the certification requirement(s) in a documented format best suited for them.

Template instructions

Instructions: The purpose of this template is to help users to meet the certification requirements for the Computer Security Log Management security control area for CyberSecure Canada.

Instructions are provided in blue font within each section of this template. Upon completion of the template, delete these instructions.

Excerpts of the tables are used throughout the template for instructional purposes only; upon completion of the template, these should be deleted.

It is recommended that users review the eLearning module for Computer Security Log Management and the completed example of this policy.

Context

A log is a record of the activities occurring within an organization's systems and networks. Logs are composed of log entries; each entry contains information related to a specific activity that has occurred within a system or network.

Logs are generated by many sources, including security software, such as antivirus software, firewalls, and intrusion detection and prevention systems; operating systems on servers, workstations, and networking equipment; and applications.

Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems.

Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.

Definitions

Activity:
an event that occurs within a system or network (e.g. a change to a firewall configuration)
Log Entry:
information that is logged as a result of an activity occurring
Log:
a record of the events occurring within an organization's systems and networks.
Log Management:
the process for generating, transmitting, storing, analyzing, and disposing of log data.
Log Analysis:
studying log entries to identify events of interest or suppress log entries for insignificant events.
Log Rotation:
closing a log file and opening a new log file when the first log file is considered to be complete.
Resting State:
Log files when they have been transferred to a log storage solution
Transmission State:
the process of moving the log files from the individual asset to the log storage solution
Availability:
the ability for the right people to access the right information or systems when required
Confidentiality:
the ability to protect sensitive information from access by unauthorized people.
Integrity:
the ability to protect information from unauthorized modification or deletion.

Revision history

Instructions: It is a best practice for organizations to ensure their policies are reviewed and updated regularly. Document what changes are made, when, and by whom.

The Log Management policy has been modified as follows:

Date | Version | Modification | Modifier
[date edited] | [document version] | [description of changes made] | [name of the editor]

Scope

Instructions: Insert your scope statement or use the provided example

Identify person/team responsible for overseeing and executing the policy.

This policy shall apply to [Name/Team] responsible for establishing and maintaining a successful log management system at [Organization Name]. This includes defining the following aspects of the log management system:

  • Roles and Responsibilities
  • Log Sources
  • Rules for Logging
  • Log Analysis
  • Log Security

Roles and Responsibilities

Instructions: As part of the log management planning process, an organization should define the roles and responsibilities of individuals and teams who are expected to be involved in log management.

Below is a sample of types of activities and responsibilities to be assigned and outlined in your policy.

Administrators listed below will have the following responsibilities:

  • configuring log sources,
  • performing log analysis,
  • initiating responses to identified activities,
  • managing log storage,
  • monitoring the logging status of all log sources,
  • (if logging software is used) checking for upgrades and patches to the logging software, and acquiring, testing, and deploying them,
  • ensuring that each logging host's clock is synchronized to a common time source, so that entries from different assets can be correlated,
  • reconfiguring logging as needed based on policy changes, technology changes, and other factors, and
  • documenting and reporting anomalies in log settings, configurations, and processes.

For small organizations, some of these roles could be fulfilled by the same team member(s). Team and individual roles often involved in log management can include the following:

Name(s) | Position | Role | Contact

Position: Chief information officer (CIO)
Name(s): [Insert Name(s)]
Contact: [Insert Contact Info]

This role includes the following responsibilities:

  • overseeing the IT resources that generate, transmit, and store the logs

Position: System and network administrators
Name(s): [Insert Name(s)]
Contact: [Insert Contact Info]

This role includes the following responsibilities:

  • configuring logging on organization assets,
  • analyzing logs,
  • reporting on the results of log management activities, and
  • performing regular maintenance of the logs and logging software

Position: Security administrators
Name(s): [Insert Name(s)]
Contact: [Insert Contact Info]

This role includes the following responsibilities:

  • managing and monitoring the log management system,
  • configuring logging on security devices (e.g., firewalls, network-based intrusion detection systems, antivirus servers),
  • reporting on the results of log management activities, and
  • assisting others with configuring logging and performing log analysis

Position: Computer security incident response team
Name(s): [Insert Name(s)]
Contact: [Insert Contact Info]

This role (which is more thoroughly detailed in your Incident Response Plan) includes the following responsibilities:

  • fulfilling the incident response procedures detailed in [Organization Name]'s Incident Response Plan
  • using log data when handling incidents in compliance with [Organization Name]'s policy

Position: Procurement officers
Name(s): [Insert Name(s)]
Contact: [Insert Contact Info]

This role includes the following responsibilities:

  • purchasing software that should or can generate computer security log data.

This role may include many other responsibilities related to procurement; for this policy, however, the role relates specifically to the procurement of software.

Position: Application developers
Name(s): [Insert Name(s)]
Contact: [Insert Contact Info]

This role includes the following responsibilities:

  • designing or customizing applications so that they perform logging in accordance with the logging requirements and recommendations

Position: Auditors
Name(s): [Insert Name(s)]
Contact: [Insert Contact Info]

This role includes the following responsibilities:

  • using log data when performing audits

Log Sources

List Hardware and Software Assets

Instructions: Organizations must list their various hardware and software assets which perform activities that can be logged, based on your organization's needs. This can be seen in Figure 1, under the 'Asset' column.

Organizations must then determine what activities to be logged for each of their hardware and software systems that are in-scope.

Figure 1. Log Management Table. Focus on the Asset column
Asset | Activity | Log Entry | Log File Name | Storage Location | Log Frequency | Impact Level | Log Retention | Date Created
Firewall | Config changes | Username of Account; IP Address; Time and Date; Configuration Change | FWConfigLogs | D:\LogStorage\FW | Every occurrence | High | 1 year | Nov 11, 2021
Firewall | Rule changes | Username of Account; IP Address; Time and Date; Rule Change | FWRulesLogs | D:\LogStorage\FW | Every occurrence | High | 1 year | Nov 11, 2021
Firewall | User logins | Username of Account; IP Address; Time and Date; Successful/Failed Attempts | FWUsersLogs | D:\LogStorage\FW | Every occurrence | High | 1 year | Nov 11, 2021

Activities and Log Entries

Instructions: Based on your list of hardware and software assets, the next step is to determine which activities must or should be logged for each asset, and then which types of log entries should be captured for each of those activities. This is demonstrated in the 'Activity' and 'Log Entry' columns in Figure 2 below.

Remember that multiple logs can be generated from the same source, e.g. your firewall. Organizations will need to determine which types of activities they want logged; for example, your firewall will require logs for activities such as configuration changes, rule changes and user logins.

From those logged activities, your organization will determine which types of log entries from each activity it wants or needs to be logged. For example, a configuration change on your firewall could require several log entries: the username of the account that performed the change, the IP address of the user, the time and date of the activity, and the actual configuration change that occurred.

Figure 2. Log Management Table. Focus on the Activity and Log Entry columns
Asset | Activity | Log Entry | Log File Name | Storage Location | Log Frequency | Impact Level | Log Retention | Date Created
Firewall | Config changes | Username of Account; IP Address; Time and Date; Configuration Change | FWConfigLogs | D:\LogStorage\FW | Every occurrence | High | 1 year | Nov 11, 2021
Firewall | Rule changes | Username of Account; IP Address; Time and Date; Rule Change | FWRulesLogs | D:\LogStorage\FW | Every occurrence | High | 1 year | Nov 11, 2021
Firewall | User logins | Username of Account; IP Address; Time and Date; Successful/Failed Attempts | FWUsersLogs | D:\LogStorage\FW | Every occurrence | High | 1 year | Nov 11, 2021

Rules for Logging

Instructions: Capturing as much data as possible and storing it for as long as possible is not feasible. Therefore, strict rules should govern logging frequency, retention, rotation and analysis. These rules should match the level of impact on your organization if one of these assets were to be compromised.

Organizations should first determine which of their systems are low, moderate and high impact. Below is a table to demonstrate an example of what these rules can look like for various impact levels. However, organizations should develop their own logging rules that meet their business needs.

Logging Rules for [Organization Name] based on the impact level for each asset.

Figure 3. Examples of Logging Rules Table.
Logging rule | Low-Impact System | Moderate-Impact System | High-Impact System
Retain log data | 1 to 2 weeks | 1 to 3 months | 3 to 12 months
Rotate logs | Every week or every 25 MB | Every 6 to 24 hours or every 2 to 5 MB | Every 15 to 60 minutes or every 0.5 to 1 MB
Analyze log data | Every 1 to 7 days | Every 12 to 24 hours | At least every 2 hours

Some basic points to consider when determining each of your systems impact level include identifying:

  • threats to your organization (i.e., operations, assets, or individuals) or threats directed through your organization against other organizations or the Nation;
  • vulnerabilities internal and external to organizations;
  • the potential injury (impact level) that may occur given the potential for threats exploiting vulnerabilities such as reputational damage, financial loss etc.; and
  • the likelihood that harm will occur.

Organizations should assess the potential injury to the confidentiality, integrity, and availability (CIA triad) of their information systems and assets. This will provide a better understanding of the impact level of each of the information systems and assets assessed.

For the purpose of this risk assessment, the CIA triad is defined as follows:

  • Availability: the ability for the right people to access the right information or systems when required
  • Confidentiality: the ability to protect sensitive information from access by unauthorized people.
  • Integrity: the ability to protect information from unauthorized modification or deletion.

Organizations can use the following scale to determine their level of impact:

  • Very low: no expected injury to CIA
  • Low: injury expected to CIA potentially resulting in some financial loss etc., as an example
  • Medium: serious injury expected to CIA, resulting in reduced competitiveness, loss of reputation etc.
  • High: extremely grave injury expected to CIA, resulting in compromised ongoing viability

For example, compare two different assets such as your firewall and your printer. A log from your firewall could be 'configuration changes' and a log from your printer could be 'printed documents'. In this scenario there is a higher impact on your business, i.e. a higher potential for injury, if an anomaly is overlooked in your firewall's configuration changes log than in your printer's printed documents log. Therefore, your firewall is the higher-impact system, and its logging rules may require a longer retention period, more frequent logging and more frequent analysis.

Factors to consider when defining logging settings include:

  • Logging frequency
  • Log Retention Period
  • Log Sizes and Rotation

These settings must be defined based on your business needs and the storage available to your organization.

Logging Frequency

Instructions: Based on your business needs, you must decide, for each asset, activity and log entry, how frequently each type of activity must or should be logged. Common logging frequencies include logging:

  • every occurrence,
  • once for all instances in x minutes,
  • once for every x instances, and
  • every instance after x instances.

For example, for the asset 'firewall' and the corresponding activity 'configuration changes', the log frequency is 'every occurrence'. This means that every time a configuration change is made to your firewall, the username of the account, the IP address, the time and date, and the configuration change itself are logged.

For the asset 'printer' and the corresponding activity 'printed documents', the business has chosen the log frequency 'once for every x instances'. In this case, each time a file is printed, the username of the account, IP address, time and date, and number of pages are logged once for the document rather than once for every page.

These settings must be defined based on your business needs and the storage available to your organization.
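The four frequencies above are easy to state and easy to get wrong at the point where a logging agent decides whether an occurrence becomes an entry. The following Python script is an added example, not code from the CyberSecure Canada template or its eLearning module: it implements each frequency as a rule applied per source (user and IP address) to a constructed stream of firewall, VPN and payroll events whose asset and activity names mirror the template's table, and reports how many entries each rule lets through. The event stream, user names, addresses and the chosen thresholds are all assumptions.

```python
"""Log-frequency rules from the policy applied to a stream of activities.

Added example; not part of the CyberSecure Canada template. The events,
user names and IP addresses are constructed; the assets and activities
mirror the template's Log Management Table.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, str, str, str]   # (timestamp, asset, activity, user, ip)


@dataclass
class FrequencyRule:
    """One of the four frequencies listed in the policy.

    "every"            log every occurrence
    "once_per_window"  once for all instances in x minutes
    "once_per_n"       once for every x instances
    "after_n"          every instance after x instances
    Occurrences are counted per key (here the user and source IP), so a
    burst from one source is collapsed without hiding a different source.
    """
    mode: str
    x: int = 1     # minutes for once_per_window, a count for the other two

    def __post_init__(self) -> None:
        self._count: Dict[str, int] = defaultdict(int)
        self._window_start: Dict[str, datetime] = {}

    def should_log(self, key: str, ts: datetime) -> bool:
        self._count[key] += 1
        n = self._count[key]
        if self.mode == "every":
            return True
        if self.mode == "once_per_window":
            start = self._window_start.get(key)
            if start is None or ts - start >= timedelta(minutes=self.x):
                self._window_start[key] = ts      # first instance opens a new window
                return True
            return False
        if self.mode == "once_per_n":
            return (n - 1) % self.x == 0          # 1st, (x+1)th, (2x+1)th, ...
        if self.mode == "after_n":
            return n > self.x                     # suppress the first x instances
        raise ValueError(f"unknown mode {self.mode!r}")


def default_rules() -> Dict[Tuple[str, str], FrequencyRule]:
    """Frequency per (asset, activity); a fresh set each call because rules keep state."""
    return {
        ("Firewall", "Config changes"): FrequencyRule("every"),
        ("Firewall", "User logins"): FrequencyRule("once_per_n", x=4),
        ("VPN Software", "User logins"): FrequencyRule("once_per_window", x=5),
        ("Payroll Software", "User logins"): FrequencyRule("after_n", x=5),
    }


def apply_rules(events: List[Event], rules: Dict[Tuple[str, str], FrequencyRule]) -> List[Event]:
    """Return the events that become log entries; anything without a rule is always logged."""
    kept = []
    for ev in events:
        ts, asset, activity, user, ip = ev
        rule = rules.get((asset, activity)) or FrequencyRule("every")
        if rule.should_log(f"{user}@{ip}", ts):
            kept.append(ev)
    return kept


def sample_events() -> List[Event]:
    """Constructed stream: 3 config changes, 10 admin logins, 8 VPN and 7 payroll attempts from one IP."""
    t0 = datetime(2021, 11, 11, 9, 0, 0)
    at = lambda m: t0 + timedelta(minutes=m)
    ev = [(at(m), "Firewall", "Config changes", "admin", "10.0.0.5") for m in (0, 1, 2)]
    ev += [(at(m), "Firewall", "User logins", "admin", "10.0.0.5") for m in range(10)]
    ev += [(at(m), "VPN Software", "User logins", "guest", "203.0.113.7") for m in range(8)]
    ev += [(at(m), "Payroll Software", "User logins", "guest", "203.0.113.7") for m in range(7)]
    return sorted(ev, key=lambda e: e[0])          # replay in time order


def count_logged(events: List[Event] = None, rules=None) -> Dict[Tuple[str, str], int]:
    """Entries written per (asset, activity) once the frequency rules are applied."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for _, asset, activity, _, _ in apply_rules(events or sample_events(), rules or default_rules()):
        counts[(asset, activity)] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, asset, activity, user, ip in apply_rules(sample_events(), default_rules()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} asset={asset} activity={activity} user={user} ip={ip}")
    print(count_logged())
```

Running it shows the trade-off each frequency makes: 'once for all instances in x minutes' turns eight VPN failures from one address into two entries, and 'every instance after x instances' drops the first five payroll failures entirely. A suppressing rule therefore hides how many attempts occurred; where that count matters for analysis (failed logins are the usual case), either log every occurrence for that activity or have the rule write the suppressed count into the entry it does emit.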

Figure 4. Log Management Table. Focus on the Printer versus Firewall Log Frequency
Asset | Activity | Log Entry | Log File Name | Storage Location | Encrypted | Log Frequency | Impact Level | Log Retention | Date Created
Firewall | Config changes | Username of Account; IP Address; Time and Date; Configuration Change | FWConfigLogs | D:\LogStorage\FW | Yes | Every occurrence | High | 1 year | Nov 11, 2021
Firewall | Rule changes | Username of Account; IP Address; Time and Date; Rule Change | FWRulesLogs | D:\LogStorage\FW | Yes | Every occurrence | High | 1 year | Nov 11, 2021
Firewall | User logins | Username of Account; IP Address; Time and Date; Successful/Failed Attempts | FWUsersLogs | D:\LogStorage\FW | Yes | Every occurrence | High | 1 year | Nov 11, 2021
Printer | Config changes | Username of Account; IP Address; Time and Date; Configuration Change | PrinterConfigLogs | D:\LogStorage\Printer | No | Every occurrence | Moderate | 6 months | Jan 28, 2021
Printer | Printed docs | Username of Account; IP Address; Time and Date; Number of pages printed | PrinterDocsLogs | D:\LogStorage\Printer | No | Once for every file printed | Moderate | 6 months | Jan 28, 2021

Retention Period

Instructions: How long your logs are retained will depend on the impact level of each of your systems, the activity being logged, and the log entries captured for each activity. As outlined previously, some systems listed in your assets column will have a higher impact on your business if compromised, and this level of impact will help you determine your log retention period.

These settings must be defined based on your business needs and the storage available to your organization.

Figure 5. Log Management Table. Focus on the Printer versus Firewall Log Retention
Asset | Activity | Log Entry | Log File Name | Storage Location | Encrypted | Log Frequency | Impact Level | Log Retention | Date Created
Firewall | Config changes | Username of Account; IP Address; Time and Date; Configuration Change | FWConfigLogs | D:\LogStorage\FW | Yes | Every occurrence | High | 1 year | Nov 11, 2021
Printer | Config changes | Username of Account; IP Address; Time and Date; Configuration Change | PrinterConfigLogs | D:\LogStorage\Printer | No | Every occurrence | Moderate | 6 months | Jan 28, 2021

Log Rotation

Instructions: The size of your logs will depend on many of the factors discussed previously, including (but not limited to) your business's overall scope (i.e. the number of assets that require logging), the log frequency, and the log retention period.

The size of your logs will affect the rotation frequency of your logs. Log rotation frequency is how often a log file is closed and a new file is opened, based on either a schedule (e.g. hourly, daily, weekly) or a file size (e.g. every 1 MB). The main benefit of log rotation is to preserve log entries and to prevent the log file size from becoming unmanageable. Additionally, once a log file is closed it can be compressed to save space and transferred as a complete unit to the log storage solution. Rotation removes nothing on its own: the closed files still count towards the retention period for that asset and should be deleted only once that period has elapsed.
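As an added illustration of size-based rotation with compression of the closed file (this is example code, not part of the template or its eLearning module), the Python script below uses the standard library's RotatingFileHandler, which closes the active file when it reaches a byte threshold. The file name FWConfigLogs and the fields in each entry follow the template's firewall row; the temporary directory, the 2 KB threshold, the three retained archives and the entries themselves are assumptions made so that the demo rotates several times.

```python
"""Size-based log rotation with compression of the closed file.

Added example, not taken from the CyberSecure Canada template. The file
name FWConfigLogs and the entry fields follow the template's firewall
row; the directory, thresholds and entries are constructed for the demo.
"""
import gzip
import logging
import logging.handlers
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional


def _gzip_rotator(source: str, dest: str) -> None:
    """Called by the handler when a file is closed: compress it, then drop the plain copy."""
    with open(source, "rb") as src, gzip.open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst)
    os.remove(source)


def build_rotating_logger(log_path: Path, max_bytes: int, backups: int) -> logging.Logger:
    """Logger that closes the file at max_bytes, keeps `backups` archives and gzips each one."""
    handler = logging.handlers.RotatingFileHandler(
        log_path, maxBytes=max_bytes, backupCount=backups)
    handler.namer = lambda name: name + ".gz"     # FWConfigLogs.1 -> FWConfigLogs.1.gz
    handler.rotator = _gzip_rotator
    handler.setFormatter(logging.Formatter("%(asctime)s %(message)s"))
    logger = logging.getLogger(f"rotation-demo:{log_path}")
    logger.setLevel(logging.INFO)
    logger.propagate = False                       # keep the demo out of the root logger
    for old in list(logger.handlers):              # idempotent if called twice for one path
        logger.removeHandler(old)
        old.close()
    logger.addHandler(handler)
    return logger


def rotate_demo(directory: Optional[Path] = None, entries: int = 200,
                max_bytes: int = 2048, backups: int = 3) -> Dict[str, int]:
    """Write `entries` firewall config-change entries; return {file name: line count}."""
    directory = directory or Path(tempfile.mkdtemp(prefix="logrotate-"))
    logger = build_rotating_logger(directory / "FWConfigLogs", max_bytes, backups)
    for i in range(entries):   # constructed entries mirroring the table's log entry columns
        logger.info("asset=Firewall activity=config_change user=admin ip=10.0.0.%d change=rule%04d",
                    i % 250, i)
    for h in list(logger.handlers):                # flush and release the active file
        logger.removeHandler(h)
        h.close()
    counts: Dict[str, int] = {}
    for f in sorted(directory.iterdir()):          # archives are read back through gzip
        opener = gzip.open if f.suffix == ".gz" else open
        with opener(str(f), "rt") as fh:
            counts[f.name] = sum(1 for _ in fh)
    return counts


if __name__ == "__main__":
    for name, lines in rotate_demo().items():
        print(f"{name}: {lines} entries")
```

Two points follow from the result. With backupCount set to 3 the handler deletes the oldest archive at each rotation, so well under the 200 entries written survive; in practice either tie backupCount to the retention period for that asset or set it high and let a separate retention job delete archives by age. RotatingFileHandler also rotates on size only; the schedule half of a Figure 3 rule such as 'every 15 to 60 minutes or every 0.5 to 1 MB' needs TimedRotatingFileHandler (which accepts the same namer and rotator) or an external scheduled rotation, because the standard library offers no single handler that applies both triggers.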

Log Analysis

Instructions: Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.

Your log management policy should include the following statements.

It is the responsibility of [Name/Team] to ensure log files are regularly analyzed to detect anomalies.

The analysis of log files is done [manually/by way of software].

Choose one option:

A manual analysis of the log files is performed on each system listed in the assets column of this policy for [Organization Name]. The frequency of log analysis is based on the impact level of each system.

[Organization Name] uses _______________________ log analysis software for all log analysis requirements. It is the responsibility of [Name/Team] to ensure that upgrades and patches to the logging software are acquired, tested, and deployed as they are made available.

Analysis frequency by impact level (repeated from Figure 3):

Logging rule | Low-Impact System | Moderate-Impact System | High-Impact System
Retain log data | 1 to 2 weeks | 1 to 3 months | 3 to 12 months
Rotate logs | Every week or every 25 MB | Every 6 to 24 hours or every 2 to 5 MB | Every 15 to 60 minutes or every 0.5 to 1 MB
Analyze log data | Every 1 to 7 days | Every 12 to 24 hours | At least every 2 hours

Prioritizing Log Entries

Instructions: Organizations can consider assigning their own priorities to log entries for analysis based on a combination of factors, including the following:

  • Entry type (e.g., message code 103, message class CRITICAL)
  • Newness of the entry type (i.e., has this type of entry appeared in the logs before?)
  • Log source (i.e., the asset, such as the firewall)
  • Source or destination IP address (e.g., source address on a blacklist, destination address of a critical system, previous activities involving a particular IP address)
  • Time of day or day of the week (e.g., an entry might be acceptable during certain times but not permitted during others)
  • Frequency of the entry (e.g., x times in y seconds)
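The factors above can be combined into a score that orders entries for the analyst. The Python script below is an added example, not code from the template or its eLearning module: it parses a constructed set of key=value log lines, scores each line against the six factors listed (keeping the state needed for 'newness' and for 'x times in y seconds'), and returns the lines highest priority first. The weights, message codes, business hours, the blacklisted and critical addresses (taken from the TEST-NET and private ranges) and the log lines themselves are all assumptions; an organization would set them from its own asset list and impact levels.

```python
"""Priority scoring of log entries using the six factors listed in the policy.

Added example; not part of the CyberSecure Canada template. Every weight,
address, code and log line below is a constructed assumption.
"""
from collections import deque
from datetime import datetime, time
from typing import Deque, Dict, List, Set, Tuple

SEVERITY = {"CRITICAL": 40, "ERROR": 25, "WARNING": 10, "INFO": 0}       # entry type (message class)
SOURCE_WEIGHT = {"firewall": 15, "vpn": 15, "payroll": 15, "printer": 2}  # follows the assets' impact levels
BLACKLIST = {"203.0.113.7"}                  # source addresses already known to be hostile (assumed)
CRITICAL_HOSTS = {"10.0.0.20"}               # destination addresses of critical systems (assumed payroll server)
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # activity outside this range gets extra weight
BURST_THRESHOLD, BURST_WINDOW_S = 5, 60      # "x times in y seconds"

# Constructed sample lines: ISO timestamp followed by key=value fields.
SAMPLE_LINES = [
    "2021-11-11T02:11:00 src=vpn class=WARNING code=407 sip=203.0.113.7 dip=10.0.0.20 msg=login_failed",
    "2021-11-11T02:11:10 src=vpn class=WARNING code=407 sip=203.0.113.7 dip=10.0.0.20 msg=login_failed",
    "2021-11-11T02:11:20 src=vpn class=WARNING code=407 sip=203.0.113.7 dip=10.0.0.20 msg=login_failed",
    "2021-11-11T02:11:30 src=vpn class=WARNING code=407 sip=203.0.113.7 dip=10.0.0.20 msg=login_failed",
    "2021-11-11T02:11:40 src=vpn class=WARNING code=407 sip=203.0.113.7 dip=10.0.0.20 msg=login_failed",
    "2021-11-11T02:11:50 src=vpn class=WARNING code=407 sip=203.0.113.7 dip=10.0.0.20 msg=login_failed",
    "2021-11-11T02:12:30 src=firewall class=CRITICAL code=103 sip=203.0.113.7 dip=10.0.0.20 msg=config_change",
    "2021-11-11T09:15:02 src=firewall class=INFO code=101 sip=10.0.0.5 dip=198.51.100.10 msg=allow",
    "2021-11-11T09:15:03 src=firewall class=INFO code=101 sip=10.0.0.6 dip=198.51.100.10 msg=allow",
    "2021-11-11T09:20:00 src=printer class=INFO code=300 sip=10.0.0.9 dip=10.0.0.30 msg=print",
]


def parse(line: str) -> Dict[str, str]:
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    entry = dict(f.split("=", 1) for f in fields)
    entry["ts"] = ts
    return entry


class Prioritizer:
    """Keeps the history needed for the 'newness' and 'frequency' factors."""

    def __init__(self) -> None:
        self.seen_types: Set[Tuple[str, str]] = set()
        self.recent: Dict[Tuple[str, str, str], Deque[datetime]] = {}

    def score(self, e: Dict[str, str]) -> Tuple[int, List[str]]:
        ts = datetime.fromisoformat(e["ts"])
        total, why = 0, []

        def add(points: int, reason: str) -> None:
            nonlocal total
            if points:
                total += points
                why.append(reason)

        add(SEVERITY.get(e["class"], 0), f"class={e['class']}")
        kind = (e["src"], e["code"])
        if kind not in self.seen_types:                       # newness of the entry type
            self.seen_types.add(kind)
            add(20, "first time this entry type is seen")
        add(SOURCE_WEIGHT.get(e["src"], 0), f"source={e['src']}")
        if e["sip"] in BLACKLIST:
            add(25, "source address on blacklist")
        if e["dip"] in CRITICAL_HOSTS:
            add(15, "destination is a critical system")
        if not BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]:
            add(10, "outside business hours")
        key = (e["src"], e["code"], e["sip"])                 # frequency: x times in y seconds
        window = self.recent.setdefault(key, deque())
        while window and (ts - window[0]).total_seconds() > BURST_WINDOW_S:
            window.popleft()
        window.append(ts)
        if len(window) >= BURST_THRESHOLD:
            add(30, f"{len(window)} times in {BURST_WINDOW_S}s")
        return total, why


def prioritize(lines: List[str]) -> List[Tuple[int, List[str], str]]:
    """Score lines in arrival order and return them highest priority first."""
    p = Prioritizer()
    scored = []
    for line in lines:
        s, why = p.score(parse(line))
        scored.append((s, why, line))
    return sorted(scored, key=lambda t: t[0], reverse=True)


if __name__ == "__main__":
    for s, why, line in prioritize(SAMPLE_LINES):
        print(f"{s:4d}  {line.split()[0]}  {'; '.join(why)}")
```

Entries are scored in arrival order on purpose: 'newness' only means something relative to what the analyst has already seen, so a replay of the same file in a different order produces different scores. The burst key includes the source address, which is why the fifth and sixth failed VPN logins from one address outrank the first four, while the firewall configuration change from that same address at 02:12 tops the list on entry type, blacklist and time-of-day alone.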

Respond to Identified Activities

Instructions: In the event that an anomaly of significance is detected, that necessitates some type of response, the administrator should follow the organization's incident response plan procedures to ensure that it is addressed appropriately.

Please refer to the 'Incident Response Plan' module in the CyberSecure Canada eLearning series for more guidance on how to develop your incident response plan, including an example of what it should contain.

The following questions should be addressed by your organization's incident response plan for a variety of cybersecurity incidents:

  • What do you do when you detect an anomaly?
  • Who will the anomaly be reported to?
  • How will an incident be documented?

Log security

The information within your business's logs should be protected. Here are some security considerations for securing logs on your systems and in storage:

  • Limit access to log files. Users should not have any access to most log files unless some level of access is necessary for creating log entries. If so, users should have append-only privileges and no read access if possible. Users should not be able to rename, delete, or perform other file-level operations on log files.
  • Avoid recording unneeded sensitive data. Some logs may record sensitive data, such as passwords, that does not need to be logged. When feasible, logging should be configured not to record information that is not required and would present a substantial risk if accessed by unauthorized parties.
  • Protect stored log files. This could include encrypting log files and providing adequate physical protection for stored data. Transferring logs promptly from each asset to the log storage solution also limits what an attacker who compromises that asset can alter or delete.

Some logs may contain information that does not require encryption, depending on your organization's operations. These settings must be defined based on your business needs.

Instructions: Insert your log security policy statements below or use the examples provided.

It is the responsibility of [Name/Team] to ensure log files are appropriately and adequately secured based on the information captured in each log for [Organization Name].

It is a best practice to encrypt all log files in both the resting state (files in storage) and the transmission state (log data being moved from the asset to the log storage solution).

If applicable include the following statements regarding your businesses encryption and log storage:

The stored log files for [Organization Name] are encrypted using [insert the type of encryption being used].

The log files for [Organization Name] are stored in a secure location.

The transmission of log files for [Organization Name] are encrypted using [insert the type of encryption being used].

Define Log File Access

When securing your organization's logs you should consider who must or should be able to access the log data and how such access should be logged. Some points to consider when developing your policy regarding access to your business's logs include:

  • All access to the logs should be recorded and monitored.
  • Privileges to read log data should be restricted and reviewed periodically.
  • Users should not be able to rename, delete, or perform other file-level operations on log files.
  • Users should not have any access to most log files unless some level of access is necessary for creating log entries.
    • If so, users should have append-only privileges and no read access if possible.

Instructions: Insert your Log File Access policy statement(s) below or use the example provided.

It is the responsibility of [Name/Team] to ensure that access to log file data at [Organization Name] is controlled.

Insert any other statement(s) regarding your organization's log file access policies.

Enforcement

Instructions: Insert your enforcement statements below or use the example provided.

It is the responsibility of [Name/Team] to oversee the log management procedures set out in this policy.

Log Management Table
Asset | Activity | Log Entry | Log File Name | Storage Location | Log Frequency | Impact Level | Log Retention | Date Created
Firewall | Config changes | Username of Account; IP Address; Time and Date; Configuration Change | FWConfigLogs | D:\LogStorage\FW | Every occurrence | High | 1 year | Nov 11, 2021
Firewall | Rule changes | Username of Account; IP Address; Time and Date; Rule Change | FWRulesLogs | D:\LogStorage\FW | Every occurrence | High | 1 year | Nov 11, 2021
Firewall | User logins | Username of Account; IP Address; Time and Date; Successful/Failed Attempts | FWUsersLogs | D:\LogStorage\FW | Every occurrence | High | 1 year | Nov 11, 2021
VPN Software | Config changes | Username of Account; IP Address; Time and Date; Configuration Change | VPNConfigLogs | D:\LogStorage\VPN | Every occurrence | High | 1 year | Oct 5, 2020
VPN Software | User logins | Username of Account; IP Address; Time and Date; Successful/Failed Attempts | VPNUserLogs | D:\LogStorage\VPN | Every occurrence | High | 1 year | Oct 5, 2020
Printer | Config changes | Username of Account; IP Address; Time and Date; Configuration Change | PrinterConfigLogs | D:\LogStorage\Printer | Every occurrence | Moderate | 6 months | Jan 28, 2021
Printer | Printed docs | Username of Account; IP Address; Time and Date; Number of pages printed | PrinterDocsLogs | D:\LogStorage\Printer | Once for every unique file | Moderate | 6 months | Jan 28, 2021
Payroll Software | User logins | Username of Account; IP Address; Time and Date; Successful/Failed Attempts | PayrollLogins | D:\LogStorage\Payroll | Every occurrence | High | 1 year | March 25, 2020
Payroll Software | Config changes | Username of Account; IP Address; Time and Date; Configuration Change | PayrollConfigLogs | D:\LogStorage\Payroll | Every occurrence | High | 1 year | March 25, 2020
Payroll Software | Software updates | Username of Account; IP Address; Time and Date; Software update | PayrollUpdateLogs | D:\LogStorage\Payroll | Every occurrence | High | 1 year | March 25, 2020