
One Word Makes A World Of Difference...To Auditors and To Practitioners

I want to continue the discussion I started yesterday.

Is there a difference between "log management" and a "log management system"?

Yes!

What is that difference? In a word: SCOPE

In my blog posting yesterday I provided a definition for what is typically considered as a system not only within most businesses, but also as defined by PCI DSS.

First let's go through a "fun" little exercise... :)

  • A home is not the same as the home's burglar alarm system
  • The game of basketball is not the same as the basketball scoreboard
  • With regard to traffic, freeway management is not the same as a freeway management system

In each of these three examples, the second item listed is a subset of the first item: a home burglar alarm system supports a home, but does not define the entirety of the home, which is, of course, so much more; a basketball scoreboard supports playing the game of basketball, but by itself does not represent the game of basketball; a freeway management system helps to monitor traffic flow and identify problems, but does not, in and of itself, represent all the variables and real-time issues involved with freeway traffic.


Okay, if these examples seem a bit too facetious from an auditor's view or a practitioner's view, then consider...

  • Human Resources (HR) is not synonymous with an HR system used to manage employee benefits, timecards and paychecks
  • Accounting is not synonymous with an accounting system used to more efficiently keep track of data
  • Building management is not synonymous with a building management system
  • Order/purchasing management is not synonymous with an order/purchasing management system
  • Customer Relationship Management (CRM) is not synonymous with a CRM application and database
  • The HIPAA regulations are not the same as the HIPAA Security Rule technical requirements

Again, in each example, the second item on each line is a subset of the first item.


An auditor views the phrases "log management" and "log management system" much differently!

If I were asked to audit log management at a company, or a company's log management program, the scope would be much larger than if I did an audit of the log management system.

The log management program audit would include review of the technology system in addition to the log management policies, procedures, documentation, personnel capabilities and job descriptions, training practices and requirements, enforcement of policies and procedures, backup and recovery of the associated data, retention issues, physical access to all involved components within the log management program, and all other critically important human operational, physical and administrative considerations that would fall outside of auditing just the system...the technology...itself.

An information security practitioner also views the phrases "log management" and "log management system" much differently!

If an information security practitioner was asked to build a log management program, s/he would typically do a risk analysis to determine the most appropriate log management policies, log management standards, areas for which logs need to be created, the associated staffing it will take to manage review, interpretation and response to what the logs communicate, the most appropriate log management systems and technologies to use to support the necessary logs, procedures for the staff to follow to consistently create, interpret and react to the logs, the budget issues related to sufficiently supporting the log management program, the training necessary to ensure staff understand and follow the policies, standards and procedures, the disaster recovery and business continuity requirements for the different types of logs based upon their business impact, the retention requirements for the different types of logs, and all other operational, administrative and physical security issues.

If an information security practitioner was asked to build a log management SYSTEM, then it is likely the log management program already exists (if not, it should). S/he would look at the log management program to determine the characteristics that will be necessary within the log management system to best meet the organization's needs. S/he would look at such things as compatibility with existing systems and applications, storage capacity, data item logging capabilities, user interfaces, speed, dependability, configurability, cost, and all other issues specifically related to the technology systems being considered.


Unfortunately I have seen this confusion more than once throughout the years. Too many organizations, when hearing they must establish an information security program, a log management program, a virus control program, a BCP program, and so on, think that all they need to do is buy a "system," install it, and VOILA! Everything will be hunky dory.

However, the downfall of many organizations is the belief that a purchased system is all that is necessary, rather than a well-thought-out, comprehensive program composed not only of systems to support the program, but also of the critically important policies, procedures, well-trained and qualified personnel, knowledge of legal and contractual requirements, support from business executives, the ability to communicate well and effectively with all their business unit leaders, and so on.


So, yes, "log management" means so very much more than what "log management system" means.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.