The purpose of the audit log management policy is to create, store, and analyse log files with the goal of detecting and responding to any suspicious or abnormal events that may occur within the organisation. It also allows for the prioritising, and remediating of any potential vulnerabilities in enterprise systems and software. The audit log management policy provides the processes and procedures for ensuring logs are created and properly analysed. This policy applies to all departments and all assets connected to the Evercam network.
The Information Technology (IT) department is responsible for all log management functions. Specifically, administrators are responsible for configuring the correct devices to generate, store, and transmit logs. IT is responsible for informing all users of their responsibilities in the use of any assets assigned to them, such as applying updates in a regular manner or restarting their systems. All enterprise assets are required to comply with the enterprise audit logging procedures.
An enterprise-wide strategy must be developed to establish and maintain an audit log process.
This strategy must be documented.
Documentation must be updated annually, or when significant changes have occurred.
The contents of logs must be specified within the secure configuration policy.
Audit logging must be enabled on all enterprise assets, as is practical.
Audit logs must not be disabled on enterprise assets.
Procedures must be developed to move logs from enterprise assets to an audit log datastore.
This may be done manually or via electronic means.
Access controls must be used to prevent audit logs from being modified in an unauthorised manner.
Procedures must be developed to collect audit logs from enterprise assets.
Sufficient storage space must be allocated for audit logs for the period of time required for analysis and retention.
Sufficient space must be allocated to store audit logs on all enterprise assets.
Sufficient space must be allocated to store audit logs on any centralised audit log datastore.
Retention timeframes for audit logs should be in accordance with the enterprise data management process.
Review and Analysis
All high severity events must be acted upon in accordance with the audit log management process.
All audit logs must be stored for a period of time specified by the audit log management process.
Archived logs must be available for analysis.
Disposal of audit logs should be in accordance with the enterprise data management process.