Sample Log Management Policy Template
With proper management, logs can be of great benefit in a variety of scenarios: enhancing security, system performance, resource management, and regulatory compliance.
{COMPANY-NAME} will perform a periodic risk assessment to determine what information may be captured from the following:
- Access – who is using services.
- Change Monitoring – how and when services were modified.
- Malfunction – when services fail.
- Resource Utilization – how much capacity is used by services.
- Security Events – what activity occurred during an incident, and when.
- User Activity – what people are doing with services.
Overview
Most components of the IT infrastructure at {COMPANY-NAME} are capable of producing logs chronicling their activity over time. These logs often contain very detailed information about the activities of applications and the layers of software and hardware that support those applications.
Logging from critical systems, applications, and services can provide key information and potential indicators of compromise, and is critical for forensic analysis.
Policy Detail
Log Generation
Depending on the volume of activity and the amount of information in each log entry, logs can be very large.
The information an application, system, or network writes to its logs often cannot be controlled by its administrators, so while the items listed above are highly desirable, they should not be viewed as absolute requirements.
Application Logs
Application logs identify what transactions have been performed, at what time, and for whom. Those logs may also describe the hardware and operating system resources that were used to execute that transaction.
System Logs
System logs for operating systems and services, such as web, database, authentication, print, etc., provide detailed information about their activity and are an integral part of system administration. When related to application logs, they provide an additional layer of detail that is not observable from the application itself.
Service logs can also aid in intrusion analysis, when an intrusion bypasses the application itself.
Change management logs, which document changes in the IT or business environment, provide context for the automatically generated logs. Other sources, such as physical access or surveillance logs, can provide context when investigating security incidents.
Client workstations also generate system logs that are of interest, particularly for local authentication, malware detection, and host-based firewalls.
Network Logs
Network devices, such as firewalls, intrusion detection/prevention systems, routers, and switches are generally capable of logging information. These logs have value of their own to network administrators, but they also may be used to enhance the information in application and other logs.
Many components of the IT infrastructure, such as routers and network-based firewalls, generate logs. All of the logs have potential value and should be maintained. These logs typically describe flows of information through the network, but not the individual packets contained in that flow.
Other components for the network infrastructure, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) servers, provide valuable information about network configuration elements, such as IP addresses, that change over time.
Time Synchronization
One of the important functions of a log management infrastructure is to relate records from various sources by time. Therefore, it is important that all components of the IT infrastructure have synchronized clocks. {COMPANY-NAME} uses Network Time Protocol (NTP) for time synchronization.
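The correlation the paragraph describes, as an added illustration that is not part of the policy template: records from three sources with different timestamp conventions (assumed formats, constructed sample lines) are normalized to UTC, ordered, and grouped; a simulated clock offset on one host shows how an unsynchronized clock breaks the join.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records from three sources, each with its own timestamp
# convention (assumed formats for this illustration, not from the policy):
#   firewall - ISO 8601 with explicit UTC offset
#   webapp   - Apache-style local time with offset (host in UTC+1)
#   auth     - syslog-style, no year or zone; assumed UTC and the given year
RECORDS = [
    ("firewall", "2024-03-05T10:15:02+00:00 ACCEPT 203.0.113.7 -> 10.0.0.5:443"),
    ("webapp", "05/Mar/2024:11:15:03 +0100 GET /admin/export 200"),
    ("auth", "Mar  5 10:15:01 sshd[2201]: Accepted publickey for alice"),
]

def parse_ts(source, line, assumed_year=2024):
    """Normalize one record's timestamp to an aware UTC datetime."""
    if source == "firewall":
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
    elif source == "webapp":
        stamp, zone = line.split(" ", 2)[:2]
        ts = datetime.strptime(f"{stamp} {zone}", "%d/%b/%Y:%H:%M:%S %z")
    elif source == "auth":
        ts = datetime.strptime(f"{assumed_year} {line[:15]}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
    else:
        raise ValueError(f"unknown source: {source}")
    return ts.astimezone(timezone.utc)

def timeline(records, skew_seconds=None):
    """Order records by normalized UTC time. `skew_seconds` maps a source to a
    clock offset, to simulate a host whose clock is not NTP-synchronized."""
    skew_seconds = skew_seconds or {}
    events = [(parse_ts(s, l) + timedelta(seconds=skew_seconds.get(s, 0)), s, l)
              for s, l in records]
    return sorted(events)

def correlate(records, window_seconds=5, skew_seconds=None):
    """Group consecutive records (any source) that fall within `window_seconds`
    of each other, the basic join a log management platform performs."""
    events = timeline(records, skew_seconds)
    groups, current = [], [events[0]]
    for ev in events[1:]:
        if (ev[0] - current[-1][0]).total_seconds() <= window_seconds:
            current.append(ev)
        else:
            groups.append(current)
            current = [ev]
    groups.append(current)
    return groups
```

With synchronized clocks the login, the firewall accept and the web request fall into one five-second group; with the auth host's clock two minutes fast, the login is split off and appears to happen after the request it preceded.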
Use Of Log Information
Logs often contain information that, if misused, could represent an invasion of the privacy of members of {COMPANY-NAME}. While it is necessary for {COMPANY-NAME} to perform regular collection and monitoring of these logs, this activity should be done in the least invasive manner.
Baseline Behavior
It is essential that a baseline of activity within the IT infrastructure be established and tracked as it changes over time. Understanding baseline behavior allows for the detection of anomalous behavior, which could indicate a security incident or a change in normal usage patterns. Procedures will be in place to ensure that this information is reviewed on a regular and timely basis.
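A minimal version of the baseline-and-deviation approach described above, added here as an illustration and not part of the policy template: hourly failed-login counts (constructed values) define the baseline, new hours are compared against it, and only unflagged hours are allowed to shift the baseline over time.

```python
from statistics import mean, pstdev

# Constructed baseline: failed-login counts per hour for one service during
# fourteen hours of normal operation (hypothetical values, not from the policy).
BASELINE_FAILED_LOGINS = [3, 4, 2, 5, 3, 4, 3, 6, 2, 4, 3, 5, 4, 3]

def build_baseline(samples):
    """Summarize normal behaviour as mean and population standard deviation."""
    return {"mean": mean(samples), "stdev": pstdev(samples), "n": len(samples)}

def is_anomalous(observed, baseline, k=3.0, floor=1.0):
    """Flag an observation more than k standard deviations above the mean.
    `floor` stops a very flat baseline from flagging trivial variation."""
    threshold = baseline["mean"] + k * max(baseline["stdev"], floor)
    return observed > threshold

def observe(window, observed, k=3.0, max_len=14):
    """Evaluate one new hourly count against the rolling window and return
    (flagged, new_window). Flagged hours are not folded into the baseline, so a
    sustained attack cannot quietly become the new normal; ordinary drift is."""
    flagged = is_anomalous(observed, build_baseline(window), k)
    if not flagged:
        window = (window + [observed])[-max_len:]
    return flagged, window

def scan(history, new_counts):
    """Run observe() over a series of new hourly counts; return the indices of
    flagged hours for review and the updated baseline window."""
    flagged_hours, window = [], list(history)
    for i, count in enumerate(new_counts):
        flagged, window = observe(window, count)
        if flagged:
            flagged_hours.append(i)
    return flagged_hours, window
```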
Log Record Lifecycle Management
When logs document or contain valuable information related to activities of {COMPANY-NAME}’s information resources or the people who manage those resources, they are {COMPANY-NAME} Administrative Records, subject to the requirements of {COMPANY-NAME} to ensure that they are appropriately managed and preserved and can be retrieved as needed.
Log Management Infrastructure
A log management infrastructure will be established to provide common management of log records. To facilitate the creation of log management infrastructures, system-wide groups will be established to address the following issues:
- Technology solutions that can be used to build log management infrastructures
- Typical retention periods for common examples of logged information
Retention
To facilitate investigations, as well as to protect privacy, the retention of log records should be well defined to provide an appropriate balance among the following:
- Confidentiality of specific individuals’ activities
- The need to support investigations
- The cost of retaining the records
Care should be taken not to retain log records that are not needed. The cost of long-term retention can be significant and could expose {COMPANY-NAME} to high costs of retrieving and reviewing otherwise unneeded records in the event of litigation.