This snapshot, taken on 05/09/2007, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.

Cabinet Office

Information Assurance Governance Framework

Accounting, Audit and Monitoring

Definitions

This section deals with three key processes which collectively ensure that security violations are detected. The processes are:

Statement of Best Practice

Accounting and audit can be considered part of the access management process, which detects legitimate and non-legitimate access, supports investigation, and so on.

Recommended best practice is to implement and maintain accounting processes which are appropriate to local circumstances, and which are supported by:

In addition to being good practice, the effective use of audit records depends upon users being made aware that their actions may be monitored.

A key factor in achieving effectiveness is the need for firm senior management involvement, support and direction. The investment in collecting and analysing records will be wasted if there is no means of applying the lessons learned.

Principles of Governance

ISO/IEC 17799
Logging administrator actions and the maintenance of audit records are identified by the standard as best practice, in addition to the process of managing time synchronisation to maintain the integrity of the records.

CESG Documents
IS1 defines three levels of protective monitoring, as a basis for assurance level calculations. CESG INFOSEC Memorandum No 22 (Protective Monitoring) provides a policy statement, definitions and advice on general threats and countermeasures. IS2 gives guidelines and best practice for monitoring and audit in the context of risk management. IS4 sets out the minimum standards for Comsec in this area.

Infrastructure requirements
Where there is a connection to a centralised infrastructure such as the GSi, or Airwave, the connection requirements may mandate audit and accounting processes to support the threat monitoring process for the infrastructure itself. In the case of the GSi there are specific audit and accounting requirements laid down. CPNI issue supporting guidelines in this area, primarily CPNI Technical Note 03/03: Protective Monitoring - Introduction to Audit and Accounting Log Analysis.

Legislation

Specialist advice should always be sought where there are potential legal requirements.

The key factor is likely to be the Police and Criminal Evidence Act (PACE). Where material gathered in an automated log is to be used as evidence, there must be a reasonable belief that the system was operating correctly at the time the records were produced. However, for service providers the Regulation of Investigatory Powers Act (RIPA) may also be relevant, in terms of logging information for subsequent recovery, in addition to the Data Protection Act, Human Rights Act and Freedom of Information Act.

Best Practice Guidance

Coverage of automated logging

Automated logging is inevitably a compromise between storage limitations, processing load and audit requirements.

Organisations must acknowledge this and develop a logging policy aligned to business needs, based on the key principles of:

Retention
Retention of accounting logs assists with:

The retention of logs is therefore an important part of the audit and accounting process. For most Government systems, logs should be retained for at least six months, under access control, and with periodic checks that the logs remain readable. It is good practice to include in a service contract any specific accounting and auditing requirements.

The retention policy for the organisation or system must be based on a consideration of the use to which the logs will be put. Records of rejected packets in firewall logs, for example, may be analysed on a rolling basis and therefore have a short lifetime. Where the logs include records of operator actions, a longer period of retention will be appropriate.
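The following is an added example (not part of the original guidance) of how a periodic retention and readability check over an archive of compressed logs might be scripted. The retention periods, the log class names and the sample archive entries are all constructed for illustration; the page itself only states "at least six months" for most systems, a shorter lifetime for rolling firewall reject analysis and a longer one for operator actions.

```python
import gzip
import zlib
from datetime import date

# Retention periods in days by log class. Illustrative values only: the page
# gives "at least six months" for most Government systems and says records of
# operator actions warrant a longer period.
RETENTION_DAYS = {
    "firewall-rejects": 30,      # analysed on a rolling basis, short lifetime
    "default": 183,              # roughly six months
    "operator-actions": 730,     # longer period for operator actions
}


def retention_days(log_class):
    """Retention period for a log class, falling back to the default."""
    return RETENTION_DAYS.get(log_class, RETENTION_DAYS["default"])


def is_readable(blob):
    """Periodic readability check: an archived log must still decompress and decode."""
    try:
        gzip.decompress(blob).decode("utf-8")
        return True
    except (OSError, EOFError, zlib.error, UnicodeDecodeError):
        return False


def review_archive(archive, today):
    """Classify archive entries as kept, expired (past retention) or unreadable.

    archive: list of dicts with 'name', 'log_class', 'date' (datetime.date)
    and 'blob' (gzip-compressed bytes). Unreadable entries still count as kept,
    because the retention obligation stands even when the copy is damaged.
    """
    keep, expired, unreadable = [], [], []
    for entry in archive:
        age_days = (today - entry["date"]).days
        if age_days > retention_days(entry["log_class"]):
            expired.append(entry["name"])
            continue
        if not is_readable(entry["blob"]):
            unreadable.append(entry["name"])
        keep.append(entry["name"])
    return {"keep": keep, "expired": expired, "unreadable": unreadable}


# Constructed sample data: one intact gzip member and one with a corrupted
# trailer (CRC/length fields overwritten), which the readability check rejects.
TODAY = date(2007, 9, 5)
GOOD_BLOB = gzip.compress(b"2007-08-01T10:00:00Z fw action=REJECT src=203.0.113.7\n")
BAD_BLOB = GOOD_BLOB[:-6] + b"\x00" * 6

SAMPLE_ARCHIVE = [
    {"name": "fw-2007-07.log.gz", "log_class": "firewall-rejects",
     "date": date(2007, 7, 1), "blob": GOOD_BLOB},     # 66 days old: past 30-day retention
    {"name": "auth-2007-03.log.gz", "log_class": "default",
     "date": date(2007, 3, 20), "blob": GOOD_BLOB},    # 169 days old: within six months
    {"name": "ops-2005-09.log.gz", "log_class": "operator-actions",
     "date": date(2005, 9, 6), "blob": BAD_BLOB},      # 729 days old: kept, but unreadable
    {"name": "proxy-2007-02.log.gz", "log_class": "default",
     "date": date(2007, 2, 1), "blob": GOOD_BLOB},     # 216 days old: past six months
]

if __name__ == "__main__":
    for category, names in review_archive(SAMPLE_ARCHIVE, TODAY).items():
        print(f"{category}: {names}")
```

A real check would walk the archive directory and record the result of each run, so that an unreadable copy is discovered while a backup can still be restored rather than when the log is needed as evidence.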


Analysis
Analysis must always be based on a set of defined objectives. Firewall logs for example will generally be used to obtain a picture of the changing threat environment; server logs will be used to detect violations of user policy; proxy logs will be used to detect possible violations of acceptable Internet use.

It is good practice to develop an audit policy identifying the available sources of accounting information, and the use to which each will be put. This ensures that effort is expended on just those analysis activities that contribute to IA within the business.
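As an added example (not from the original page), the audit policy described above can be expressed directly in code: a table naming each available source, the objective it serves and the analysis applied to it. The three analysers follow the page's own allocation (firewall logs for the threat picture, server logs for user policy violations, proxy logs for acceptable Internet use). The log formats, field names, thresholds, proscribed-domain list and all sample lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample records, one list per source. The formats are invented
# for this example and do not correspond to any particular product.
FIREWALL_LOG = [
    "2007-09-05T08:00:01Z action=REJECT src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2007-09-05T08:00:02Z action=REJECT src=203.0.113.7 dst=192.0.2.10 dport=23",
    "2007-09-05T08:00:03Z action=ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443",
    "2007-09-05T08:00:04Z action=REJECT src=198.51.100.9 dst=192.0.2.11 dport=1433",
]
SERVER_LOG = [
    "2007-09-05T08:10:00Z sshd auth failure user=alice",
    "2007-09-05T08:10:05Z sshd auth failure user=alice",
    "2007-09-05T08:10:09Z sshd auth failure user=alice",
    "2007-09-05T08:11:00Z sshd auth failure user=bob",
    "2007-09-05T08:11:30Z sshd session opened user=bob",
]
PROXY_LOG = [
    "2007-09-05T09:00:00Z user=carol url=http://intranet.example/home status=200",
    "2007-09-05T09:00:05Z user=carol url=http://gambling.example/bet status=403",
    "2007-09-05T09:00:07Z user=dave url=http://news.example/today status=200",
]
PROSCRIBED_DOMAINS = {"gambling.example"}   # constructed acceptable-use list
FAILED_LOGIN_THRESHOLD = 3                  # constructed policy value


def threat_picture(lines):
    """Firewall objective: which sources are being rejected, and how often."""
    counts = Counter()
    for line in lines:
        m = re.search(r"action=REJECT src=(\S+)", line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def policy_violations(lines, threshold=FAILED_LOGIN_THRESHOLD):
    """Server objective: users at or above the permitted number of failed logins."""
    failures = Counter()
    for line in lines:
        m = re.search(r"auth failure user=(\S+)", line)
        if m:
            failures[m.group(1)] += 1
    return sorted(user for user, n in failures.items() if n >= threshold)


def acceptable_use_breaches(lines, proscribed=PROSCRIBED_DOMAINS):
    """Proxy objective: requests for proscribed sites, whether or not they were blocked."""
    hits = []
    for line in lines:
        m = re.search(r"user=(\S+) url=https?://([^/\s]+)", line)
        if m and m.group(2) in proscribed:
            hits.append((m.group(1), m.group(2)))
    return hits


# The audit policy: each source, the use to which it is put, and the analyser.
# Anything not listed here is not analysed, which is the point of the policy.
AUDIT_POLICY = {
    "firewall": ("changing threat environment", threat_picture),
    "server": ("violations of user policy", policy_violations),
    "proxy": ("acceptable Internet use", acceptable_use_breaches),
}
SOURCES = {"firewall": FIREWALL_LOG, "server": SERVER_LOG, "proxy": PROXY_LOG}


def run_audit_policy(sources=SOURCES, policy=AUDIT_POLICY):
    """Apply each source's analyser and return results keyed by source."""
    return {name: analyser(sources[name]) for name, (_, analyser) in policy.items()}


if __name__ == "__main__":
    for name, result in run_audit_policy().items():
        print(f"{name} ({AUDIT_POLICY[name][0]}): {result}")
```

Keeping the objective beside the analyser in one table makes it easy to see, at review time, whether each source is still earning the effort spent on it.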


Reporting
In all aspects of accounting and audit, it is vital to concentrate on the objective: the effective use of the information to ensure an ongoing level of IA. Communication of the analysis results is a critical aspect of this. In the general case reporting falls into one of two areas: reporting of specific incidents; and reporting of aggregated information.

Reporting of specific incidents must always be carried out with the following principles in mind:

Reporting on aggregated information should use effective methods of communication such as dashboard reports (where a few key indicators are presented with a simple red/amber/green structure); or balanced scorecards. Balanced scorecards can be particularly useful for security since they include an assessment of the causes of incidents. The diagram below provides an example.

[Diagram: Reporting]

Dashboard reports and balanced scorecards can be used to portray either period summary information (such as the number of detected viruses in the preceding month) or trends. In the general case, some combination of the two will be most useful, since it retains an element of absolute measurement (e.g. reporting the period figure for attempted accesses to proscribed web sites, but against an agreed target, month on month).
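As an added example (not from the original page), the following shows the combination just described: each indicator is reported as its period figure, coloured red/amber/green against an agreed target, together with the trend over the preceding periods. The indicator names, figures, targets and the amber tolerance are constructed for illustration.

```python
def rag_status(value, target, tolerance=0.2):
    """Red/amber/green against an agreed target for an indicator where lower is better.

    Green at or below target, amber within `tolerance` (20% here, a constructed
    value) above it, red beyond that.
    """
    if value <= target:
        return "GREEN"
    if value <= target * (1 + tolerance):
        return "AMBER"
    return "RED"


def trend(history):
    """Direction of the latest period against the previous one."""
    if len(history) < 2 or history[-1] == history[-2]:
        return "flat"
    return "rising" if history[-1] > history[-2] else "falling"


def dashboard(indicators):
    """Build the dashboard rows.

    indicators: {name: {"history": [oldest, ..., latest period figure], "target": n}}
    Each row carries the absolute period figure, the target, the RAG status and
    the trend, so a reader gets both the measurement and its direction.
    """
    rows = {}
    for name, ind in indicators.items():
        current = ind["history"][-1]
        rows[name] = {
            "period_figure": current,
            "target": ind["target"],
            "status": rag_status(current, ind["target"]),
            "trend": trend(ind["history"]),
        }
    return rows


def render(rows):
    """Plain-text rendering of the dashboard, one line per indicator."""
    lines = []
    for name, row in rows.items():
        lines.append(f"{row['status']:<5} {name}: {row['period_figure']} "
                     f"(target {row['target']}, {row['trend']})")
    return lines


# Constructed monthly figures for three months, latest last.
SAMPLE_INDICATORS = {
    "viruses detected": {"history": [12, 9, 7], "target": 10},
    "proscribed site attempts": {"history": [40, 55, 70], "target": 50},
    "failed admin logins": {"history": [3, 3, 3], "target": 5},
    "open policy exceptions": {"history": [8, 11], "target": 10},
}

if __name__ == "__main__":
    for line in render(dashboard(SAMPLE_INDICATORS)):
        print(line)
```

The status answers "are we within the agreed limit this period?" while the trend answers "is it getting better or worse?"; an indicator that is green but rising month on month still deserves attention before it turns amber.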

Application
The generation of the reports is not an end in itself. Where action is required as a result of a circumstance identified in a monitoring report, there must be a means of ensuring that the action is:

Synchronisation
For any reasonably sized system, analysis of all sources of accounting information as a unified whole will be a considerable task. To avoid this, an end-to-end analysis should be used to determine the information required from each source to meet a specific requirement. This will then also identify the synchronisation and linkages required between sources.

Surveys
In cases where the underlying risk cannot be mitigated entirely satisfactorily, or for particularly sensitive systems, it may be useful to consider occasional, in-depth monitoring and audit exercises (such as the CESG Intrusion Detection Survey).

Forensics
Forensics requires very specialised skills and it is therefore recommended that organisations use experts where there is a requirement.

However, forensic readiness planning is strongly recommended. CPNI provide advice in their Technical Note 1/2005.
