ITGC: Guidelines for Auditing System, Application, and Database Logs

As organizations continue to digitize, the security, integrity, and compliance of information systems become critical. Logs that meticulously record all activity within systems, applications, databases, and other organizational assets are essential. They are critical for identifying and resolving problems, preventing fraud, detecting intrusions, and complying with regulations.

However, effective log management is a complex task that requires a systematic and rigorous approach. This is where Information Technology General Controls (ITGC) auditing becomes a key component. A comprehensive ITGC audit should consider several aspects related to the scope of work with logs and audit trails.

Here is a practical roadmap for this process.

1. Log Record Policies and Procedures

Ensure that there are formalized policies and procedures for the creation, review, retention, and deletion of logs. These should detail who is responsible for reviewing logs, how often they are reviewed, how the logs are stored and supported, and how long the logs are retained.

1.1 Log policies: Confirm the existence of formal logging policies that cover all relevant systems and applications. The policies should specify:

  • What types of activity should be logged;
  • Who can access and review the logs;
  • How and for how long the logs should be stored;
  • Procedures for responding to security events detected in the logs.

1.2 Logging Procedures: Evaluate whether the logging procedures are consistent with established policies. The procedures should detail:

  • How the logs are generated and where they are stored;
  • How the logs are protected from unauthorized modification and deletion;
  • How often the logs are reviewed and who is responsible for doing so;
  • How incidents detected in the logs are recorded, communicated, and resolved;
  • The circumstances under which logs may be deleted and who has the authority to do so.

1.3 Compliance with Regulatory Standards: Logging policies and procedures must comply with applicable standards and regulations (e.g., Central Bank of Brazil, LGPD, GDPR, HIPAA, PCI DSS, SOX, etc.). Ensure that policies and procedures are updated to reflect the latest regulations.

1.4 Training and Awareness: Confirm the existence of regular training and awareness programs to ensure that all relevant employees understand and comply with log policies and procedures.

1.5 Internal audits: Verify that regular internal audits are conducted to assess compliance with the log policies and procedures. The results of internal audits should be documented and communicated to stakeholders, and any nonconformities should be followed up with an action plan with remediation dates.

1.6 Response to security incidents: Verify that processes are in place to appropriately respond to security incidents identified in the logs. This should include the identification, classification, response, and recovery of incidents, as well as preventive measures to prevent recurrence.

1.7 Trend Analysis: Evaluate whether the organization performs regular trend analysis to identify unusual or suspicious patterns in the logs that may assist in the detection of malicious activity or system failures.

The review of log policies and procedures is only one component of an ITGC audit. Other areas such as physical and logical security, change management, backup, and disaster recovery should also be considered.

2. Log Record Generation

Ensure that all relevant systems and applications are configured to generate log records of activity. Such records should include, but are not limited to, access attempts (successful and unsuccessful), assignment of administrative privileges, access to sensitive information, and changes to the system or system parameters.

2.1 Logging Configuration: Logging should be enabled on all relevant systems, applications, databases, and network devices, which may include servers, databases, firewalls, and intrusion detection/prevention systems. Ensure that the log record configuration is consistent with the policies and procedures established by the organization.

2.2 Log Record Content: Each log record should store sufficient information to enable the identification and analysis of suspicious or unauthorized activity. At a minimum, log entries should include: the date and time of the event; details of the user or system that triggered the event; a description of the event; the outcome of the event (success or failure); and any other relevant context.

2.3 User Activity Log Records: Ensure that log records are generated for key user activities. This includes access attempts (successful and failed), configuration changes, access to sensitive files or data, permission changes, and more.

2.4 System and network activity logs: It is also important that log records are generated for system and network events. These include system startups and shutdowns, network configuration changes, and incoming and outgoing connection attempts.

2.5 Error and failure logs: Ensure that log records are generated for errors and failures that may indicate security or performance problems, such as software failures, hardware failures, or excessive resource usage.

2.6 Log record format: The log record format should allow for easy analysis and review. Using standardized formats (such as the syslog format) can facilitate integration with log analysis tools.

2.7 Log record timestamps: Verify that all log records are timestamped and that the system clock is synchronized across all systems and devices to ensure timestamp accuracy.

2.8 Log Record Integrity: It is important to protect the integrity of log records to prevent unauthorized changes. Techniques such as writing log records to a read-only system or storage medium, using log hashes, digital signatures, and others can be employed.

2.9 Backup log records: Ensure that log records are backed up regularly and that these backups are stored in a secure location to ensure that log records can be recovered in the event of system failure or data loss.

The appropriate configuration for generating log records may vary depending on the specific needs of the organization, regulatory requirements, and the nature of the systems and applications in use.

3. Proactive analysis of log and access records

Proactive monitoring of log and access records is essential to ensuring information security. It is critical that the organization strive to identify suspicious patterns and irregularities before they develop into more serious problems.

3.1 Frequency of Analysis: The frequency with which log and access records are analyzed may depend on the nature of the business, as well as the size and complexity of the IT environment. However, for effective security management, these analyses should be performed on a regular basis.

3.2 Analyze in detail: Ensure that log and access record analyses are thorough and detailed, including aspects such as user name, logon timestamp, successful and unsuccessful logon attempts, privilege changes, etc.

3.3 Automate log record analysis: Consider using automated tools to assist in the analysis of log records. These tools can identify anomalous patterns and generate alerts to facilitate the analysis process.

3.4 Identify suspicious activity: Look for attempts to access unauthorized resources or data, logins outside of normal working hours, attempts to access from unusual locations, and any other behavior that appears abnormal.

3.5 Trend Analysis: Trend analysis of log and access records can provide valuable insight into user work practices and help identify potential security threats or compliance violations.

3.6 Documentation: All activities related to log record analysis, findings, and actions taken should be fully and accurately documented for future audits and to maintain an information security history.

3.7 Incident Response: If log and access record analysis reveals a security incident, it is critical that an incident response plan is ready to be implemented. This plan should include incident identification, containment, root cause elimination, recovery, and post-incident review.

3.8 Focus on privileged accounts and critical transactions: The analysis should pay particular attention to accounts with elevated privileges, critical system transactions, and direct access to or modification of data in databases.

Proactive analysis of log and access records is a critical part of an organization’s IT security practices because it enables rapid identification and response to any suspicious or irregular activity.

4. Access and privilege management

Ensure that records exist to track attempts to assign administrative privileges to various accounts. Also ensure that there are sufficient records to monitor access attempts, especially for accounts with high privileges.

4.1 Access and privilege policies: The organization should have clear policies for assigning and managing access and privileges. Confirm that these policies detail who can access what, under what circumstances, and who is authorized to grant or change privileges.

4.2 Privilege assignment: Evaluate how privileges are assigned. Ideally, the principle of least privilege should be followed, meaning that users should only be granted the privileges they need to perform their jobs.

4.3 Privileged accounts: Pay special attention to accounts with high privileges, such as administrator or superuser accounts (e.g., “root”). Review how these accounts are protected and monitored, and whether their use is justified and properly documented.

4.4 Periodic access reviews: Organizations should conduct periodic reviews of access privileges to ensure that they remain appropriate. Ensure that such reviews are performed and that changes to access are properly authorized and documented.

4.5 Record access activities: Ensure that access activity is properly recorded, including both successful and unsuccessful access attempts and any changes to access privileges.

4.6 Segregation of Duties (SoD): Segregation of duties is an important practice for preventing fraud and errors. It means that no one person should have total control over a critical process or function. Confirm that the SoD policy is in place and being followed.

4.7 Access to log records: Who has permission to access and review log records should be strictly controlled to prevent the possibility of unauthorized modification or deletion of records. Ensure that these privileges are properly configured and monitored.

4.8 Training and Awareness: Ensure that regular training and awareness programs are conducted to ensure that all relevant employees understand and comply with access and privilege policies and procedures.

Effective access and privilege management is critical to information security. Records can provide valuable insight into an organization’s access and privilege management practices.

5. Monitoring invalid access attempts

Verify that the system logs and alerts about invalid access attempts, such as repeated failed logon attempts.

5.1 Logging of failed access attempts: The organization should have a system capable of recording all invalid access attempts, whether at the system, application, or network level. These records should include information about the origin of the attempt, the time, the user account involved, and any relevant error details.

5.2 Analyze invalid access attempts: The information security team or responsible person should periodically evaluate records of failed access attempts to identify potential threats or vulnerabilities. This may include detecting repeated access attempts from a single source, which may indicate a brute force attack.

5.3 Invalid access alerts: The system should be capable of issuing real-time or near real-time alerts for invalid access attempts. Such alerts allow for rapid response to potential security threats.

5.4 Response to invalid access attempts: The organization must have an action plan for handling invalid access attempts. This may include investigating the incident, taking steps to block access at the source, and reviewing security policies and procedures as necessary.

5.5 Account lockout policies: Review the account lockout policies implemented to prevent repeated invalid access attempts. The policy should specify how many invalid attempts will be tolerated before the account is locked and the procedure for unlocking the account.

5.6 Security training and awareness: Employees should be trained to recognize and report invalid access attempts. This may include recognizing phishing emails, the safe use of login credentials, and the importance of notifying the information security team of any suspicious activity.

5.7 Periodic reviews: Perform periodic reviews of invalid access attempts and the organization’s responses to ensure that the monitoring system is working effectively.

The monitoring of denied access attempts is a key component of information security. It can help detect attacks in progress, identify vulnerabilities, and protect the organization from data loss or service disruption.

6. Historical access assessment

Perform a historical analysis of accesses to the production environment to ensure that all were properly authorized and that records exist for each.

6.1 Collect access log records: Ensure that the organization properly collects and stores access logs. This includes information such as who tried to access the system, when, from where, and whether or not the attempt was successful.

6.2 Access pattern analysis: The organization should periodically analyze access patterns over time. Such analysis can reveal valuable information such as unusual resource usage, access attempts outside of normal working hours, or use of inactive accounts.

6.3 Review access rights: A periodic review of each user’s access rights should be conducted to ensure that each individual has only the level of access necessary for their role. This is especially important for users with high privileges, such as administrators.

6.4 Monitoring dormant and privileged accounts: Inactive accounts (not used for an extended period of time) and privileged accounts (with access to sensitive information or the ability to make significant system changes) should be closely monitored. Any activity on these accounts should be investigated.

6.5 Reconciliation with the Authorized Access List: Access records should be periodically compared to the authorized access list. Any unauthorized access should be investigated and corrective action taken.

6.6 Review access changes: Any changes to a user’s access privileges, such as the granting or revocation of privileges, should be recorded and analyzed. Such changes should be approved by a responsible person who is different from the person who made the change.

6.7 Response to Unauthorized Access: The organization should have a response plan to deal with unauthorized access when it is discovered. This may include investigating the incident, implementing corrective actions, and reviewing security policies.

Historical access analysis is a critical component of information security and access control. It helps identify suspicious patterns of behavior, protect against unauthorized account use, and ensure that all users have only the level of access necessary for their jobs.

7. Log Record Deletion Management

Ensure that there are clear policies and procedures for deleting log records, including who is authorized to delete these records and under what circumstances they may be deleted.

7.1 Log Record Retention Policy: It is essential that the organization has a well-defined log retention policy. This policy should specify how long records are retained before they are deleted and how this deletion is to be performed securely. In addition, the policy must comply with all relevant privacy and security regulations.

7.2 Secure deletion procedures: Procedures for secure deletion of log records must be established and strictly followed to prevent unauthorized recovery of information. Secure deletion typically includes multiple overwriting of data or physical destruction of storage devices.

7.3 Prevent premature deletion: Ensure that mechanisms are in place to prevent the premature deletion of records. This may include implementing access controls to protect against unauthorized modification or deletion of log records.

7.4 Backup log records: Before deleting records, it is important that they are properly backed up and stored in accordance with the retention policy. Backups should be performed regularly and tested to ensure that they can be recovered if necessary.

7.5 Log deletion records: Each log deletion should be recorded, including who performed the deletion, when, and for what reason. This provides an audit trail to verify that the log deletion policy was followed correctly.

7.6 Review Log Deletions: Log record deletions should be reviewed periodically to ensure that they comply with the established policy and that no records are deleted prematurely or without proper authorization.

7.7 Employee Training: Employees must be trained on the log record retention policy and the procedures for securely deleting log records. They must also be made aware of the consequences of unauthorized deletion of records.

Managing the deletion of log records is an important part of records management. However, it is critical that it is done in a controlled and secure manner. Failure to do so can result in the loss of valuable information or violations of privacy and security standards.

8. Log Record Protection and Security

Review the security of log records, including how they are stored, who has access to them, and what safeguards are in place to prevent unauthorized modification or deletion.

8.1 Encrypt log records: Records containing sensitive data should be encrypted, either in transit or at rest, to prevent unauthorized access. The organization should use robust encryption algorithms and appropriate key management.

8.2 Access Control to Logs: Access to log records should be strictly controlled and based on the principle of least privilege. Only authorized personnel should have access to the logs, and that access should be limited to what is strictly necessary for their job functions.

8.3 Log Access Monitoring: Access activity to log records must be monitored and recorded to detect any suspicious or unauthorized activity. Any irregular access to the logs should be investigated immediately.

8.4 Secure Log Storage: Log records should be stored in secure and protected locations. This may include the use of secure storage systems and the implementation of physical safeguards to prevent unauthorized access.

8.5 Protect against modification: It is necessary to protect log records from unauthorized modification. This can be achieved through measures such as the implementation of access controls, the use of digital signatures, and the use of file integrity tools.

8.6 Disaster recovery and business continuity: It is essential that plans are in place to recover log records in the event of a disaster. This may include the use of regular backups and system redundancy.

8.7 Privacy Compliance: Log record protection processes should comply with all relevant privacy and security regulations, including requirements for handling personal and sensitive data.

8.8 Log Security Audits: Periodic audits should be conducted to verify the effectiveness of log record protection measures. This should include reviewing policies and procedures, verifying compliance, and performing penetration testing or vulnerability assessments.

Ensuring the protection and security of log records is critical to maintaining data integrity and trust in an organization’s IT infrastructure.

If you have any questions or would like to contribute to this topic, feel free to use the comment box below 🙂

* * * * *

Deixe uma resposta:

Seu endereço de e-mail não será publicado.

Esse site utiliza o Akismet para reduzir spam. Aprenda como seus dados de comentários são processados.