FFIEC Compliance and Information Security Standards

Blumira’s security platform helps your organization easily meet and exceed FFIEC security and compliance requirements.

With Blumira’s free edition, secure your Microsoft 365 environment in seconds. For more coverage and support, you can easily upgrade to a paid version that fits your needs.

This page outlines how Blumira helps address FFIEC requirements.

II.C.17 Application Security

Applications should provide the ability for management to do the following:

  • Implement a prudent set of security controls (e.g., password and audit policies), audit trails of security and access changes, and user activity logs for all applications.

II.C.22 Log Management

Network and host activities typically are recorded on the host and sent across the network to a central logging repository. The data that arrive at the repository are in the format of the software that recorded the activity. The logging repository may process the data and can enable timely and effective log analysis. Management should have effective log retention policies that address the significance of maintaining logs for incident response and analysis needs.

Log files are critical to the successful investigation and prosecution of security incidents and can potentially contain sensitive information. Intruders often attempt to conceal unauthorized access by editing or deleting log files. Therefore, institutions should strictly control and monitor access to log files whether on the host or in a centralized logging repository. Considerations for securing the integrity of log files include the following:

  • Encrypting log files that contain sensitive data or that are transmitted over the network.
  • Ensuring adequate storage capacity to avoid gaps in data gathering.
  • Securing backup and disposal of log files.
  • Logging the data to a separate, isolated computer.
  • Logging the data to read-only media.
  • Setting logging parameters to disallow any modification to previously written data.
  • Restricting access to log files to a limited number of authorized users.

Additionally, logging practices should be reviewed periodically by an independent party to ensure appropriate log management.

Logs are voluminous and challenging to read. They come from a variety of systems and can be difficult to manage and correlate. Security information and event management (SIEM) systems can provide a method for management to collect, aggregate, analyze, and correlate information from discrete systems and applications. Management can use SIEM systems to discern trends and identify potential information security incidents. SIEM systems can be used to gather information from the following:

  • Network and security devices and systems.
  • Identity and access management applications.
  • Vulnerability management and policy compliance tools.
  • Operating system, database, and application logs.
  • Physical and environmental monitoring systems.
  • External threat data.

Regardless of the method of log management, management should develop processes to collect, aggregate, analyze, and correlate security information. Policies should define retention periods for security and operational logs. Institutions maintain event logs to understand an incident or cyber event after it occurs. Monitoring event logs for anomalies and relating that information with other sources of information broadens the institution’s ability to understand trends, react to threats, and improve reports to management and the board.

References https://ithandbook.ffiec.gov/it-booklets/information-security.aspx

Get Started With Blumira’s Free SIEM

Blumira is a SIEM with threat detection and response that alerts your team about critical cyber threats in real time. By providing automated and actionable response capabilities, we help reduce the overhead associated with traditional SIEM products.

With Blumira’s free edition, secure your Microsoft 365 environment in seconds with coverage for unlimited data and users. With our free edition, you can:

    • Use guided security playbooks to easily respond to threats 
    • View summary dashboard and reports
    • Set up in seconds using our new feature, Cloud Connectors

For more coverage and support, you can easily upgrade to a paid version that fits your needs.

For questions or to learn more on how we can help with FFIEC compliance, contact us.