ISO/IEC 27001 is an international standard for managing information security. The ISO 27000 family is very broad, designed to help a wide range of industries meet their information security needs. One specific section, Annex A.12.4, speaks directly to the importance of log management when managing your information systems.
Annex ID | Title | Control |
---|---|---|
A.12.4.1 | Event logging | Event logs should be produced, retained, and regularly reviewed to record user activities, exceptions, defects, and information security events. |
A.12.4.2 | Protection of Log Information | Logging and log information should be secure from intrusion and unauthorized access. |
A.12.4.3 | Administrator and Operator Logs | The activity of the System Manager and System Operator is to be logged and the logs kept safe and monitored closely. |
A.12.4.4 | Clock Synchronization | Clocks in all related information processing systems should be synchronized to a single reference time source for an organization or security domain. |
Each of the controls identified above has a corresponding implementation guide; the following outlines each:
Where applicable, event logs should include:
Event logging is the foundation for automated monitoring systems that can produce integrated network monitoring notifications and warnings.
Other information - Event logs may contain sensitive information and personally identifiable information. Appropriate privacy measures should be implemented.
Where possible, system administrators should not be able to delete or deactivate logs of their own activities.
Controls should be designed to protect against unauthorized changes to log information and against operational logging problems, including the following:
Certain audit logs may require archiving as part of the retention of records or as a result of collecting evidence and retention requirements.
Other information - System logs also contain a large amount of information, much of it specific to information security monitoring. To help identify significant events for information security monitoring, consider automatically copying relevant message types to a second log, or using suitable system utilities or audit tools to interrogate and rationalize the log files.
Privileged user account holders may be able to manipulate the logs of information processing facilities under their direct control, so it is important to keep logs safe and reviewed to ensure that privileged users are kept accountable.
Other information - A monitoring system that is outside the control of system and network administrators can be used to monitor the activities of system and network administration for compliance.
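The following Python example is added here to illustrate A.12.4.2 and A.12.4.3; it is not part of the original article and is not Trunc's code. It shows one way to make a log tamper-evident: every record carries an HMAC over its own content and the previous record's tag, so altering, deleting or reordering a record breaks the chain, and a separately stored "head" tag exposes trailing records that have simply been cut off. The HMAC key and the head tag are assumed to be held by a system outside the administrators' control (the accountability point of A.12.4.3); the sample events, key and `seq|body|tag` line layout are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed sample events, the kind an application or host might emit.
SAMPLE_EVENTS = [
    {"ts": "2024-01-05T10:00:00Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2024-01-05T10:02:13Z", "user": "alice", "action": "read", "obj": "/finance/q4.xlsx"},
    {"ts": "2024-01-05T10:07:41Z", "user": "root", "action": "sudo", "cmd": "systemctl stop auditd"},
    {"ts": "2024-01-05T10:08:02Z", "user": "bob", "action": "login", "result": "fail"},
]

# Tag assumed for the (non-existent) record before the first one.
GENESIS = "0" * 64


def _tag(key: bytes, prev_tag: str, seq: int, body: str) -> str:
    """HMAC-SHA256 over the previous tag, the sequence number and the record body."""
    msg = f"{prev_tag}|{seq}|{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_events(events: List[dict], key: bytes) -> Tuple[List[str], str]:
    """Return chained log lines of the form 'seq|body|tag' plus the final (head) tag.

    The head tag should be stored somewhere administrators of the logging host
    cannot reach (assumed here: an external system), so truncation is detectable.
    """
    lines = []
    prev = GENESIS
    for seq, event in enumerate(events, start=1):
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        tag = _tag(key, prev, seq, body)
        lines.append(f"{seq}|{body}|{tag}")
        prev = tag
    return lines, prev


def verify_chain(lines: List[str], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int], str]:
    """Walk the chain and return (ok, first_bad_seq_or_None, reason)."""
    prev = GENESIS
    expected_seq = 1
    for line in lines:
        # The body is JSON and may itself contain '|', so split from both ends.
        seq_s, rest = line.split("|", 1)
        body, tag = rest.rsplit("|", 1)
        seq = int(seq_s)
        if seq != expected_seq:
            return False, expected_seq, "sequence gap (record deleted or reordered)"
        if not hmac.compare_digest(tag, _tag(key, prev, seq, body)):
            return False, seq, "tag mismatch (record altered or chain broken)"
        prev = tag
        expected_seq += 1
    # Without the head tag, silently dropping the newest records goes unnoticed.
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, expected_seq - 1, "head mismatch (trailing records missing)"
    return True, None, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: held outside admin control
    lines, head = seal_events(SAMPLE_EVENTS, key)
    print("intact      ->", verify_chain(lines, key, head))

    # An administrator rewrites the record of their own sudo command.
    seq_s, rest = lines[2].split("|", 1)
    body, tag = rest.rsplit("|", 1)
    edited = lines[:2] + [f"{seq_s}|{body.replace('stop auditd', 'status auditd')}|{tag}"] + lines[3:]
    print("edited      ->", verify_chain(edited, key, head))

    # A record is deleted from the middle of the log.
    print("deleted     ->", verify_chain(lines[:1] + lines[2:], key, head))

    # The newest record is cut off: only the stored head tag reveals it.
    print("truncated   ->", verify_chain(lines[:-1], key))
    print("truncated+h ->", verify_chain(lines[:-1], key, head))
```

The chain only proves anything if the key and the head tag are unavailable to the people whose actions the log records; shipping records to a central collector that seals them on arrival, as the Trunc paragraph below describes, is one way to achieve that separation.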
External and internal requirements for time representation, synchronization, and accuracy should be documented. These may be legal, regulatory, contractual, standards-based, or internal monitoring requirements. A standard reference time should be defined for use inside the organization.
The organization's approach to obtaining a reference time from an external source and to reliably synchronizing internal clocks should be documented and implemented.
Other information - Correct clock settings are essential to ensure that audit logs, which may be used for investigation or as evidence in legal or disciplinary proceedings, are reliable. Inaccurate audit logs can impede such inquiries and damage their credibility. A clock linked to the radio time broadcast from a national atomic clock can be used as the master clock for logging systems. To keep all servers synchronized with the master clock, a network time protocol (NTP) can be used.
With Trunc, organizations are able to easily send all their logs to one centralized location. From there, their teams can easily access, analyze and parse the logs as needed. It also provides a mechanism to ensure the integrity of the logs, making it impossible for users and bad actors to modify them and ensuring you have a source of truth in the event of an incident.