RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

From: Gary Link <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Fri, 23 May 2014 11:19:23 -0400

Todd,

"It depends" can cover other questions, too, like the type of log. Some logs might become too voluminous to set any retention longer than a few months. Some logs may be covered under regulations relevant to your industry and function, and some may not.

"It depends," too, on whether the next system level up -- auditing -- can suffice for documenting your logging process. Are there systems where the organization can discard the log data and retain the audit process data instead as your documentation?

I did a rundown some months ago for anything regulatory that may have some type of requirement or guidance. It's specific to financial services, and so is not all-inclusive, but it may help others. The record group is more general than "Logs" but you can read logs into it.

(Don't know how the formatting will translate to the list email format, so take that into consideration when reading.)

Survey of Regulations & Guides for Managing Cyber Security Records

Section I. Laws and Rules

1. The Gramm-Leach-Bliley Act of 1999 (GLBA)

·       Purpose is the protection of consumers' personal financial information. GLBA includes three parts: The Financial Privacy Rule, The Safeguards Rule, and the Pretexting Provisions.

·       The Safeguards Rule (16 C.F.R. 314) is the section that pertains to this survey. It gives general requirements for financial institutions to develop programs to protect consumer information.


2.  Sarbanes-Oxley Act, 2002 (SOX)

·       Purpose is to "protect investors by improving the accuracy and reliability of corporate disclosures..."

·       Section 302 requires CEOs and CFOs of publicly traded companies to assess and report on the effectiveness of internal controls around financial reporting. It does not specify which or what type of controls.

·       Section 404 requires a publicly traded company to assess the effectiveness of its internal controls and report its assessment to the SEC. It does not specify which or what type of controls.

·       Several organizations have been created to assist companies with determining which controls must be put into place, monitored, and reported on to comply with SOX. They are listed in the Guides section of this document.


3.  Health Insurance Portability and Accountability Act of 1996 (HIPAA)

·       Purpose is to protect the privacy and security of certain health information.  It applies to PNC businesses that service healthcare organizations and process healthcare transactions.

·       HIPAA's Security Rule, Security Standards for the Protection of Electronic Protected Health Information, was published as a final rule on February 20, 2003. It establishes a set of security standards for protecting certain health information, "while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care."

·       The Security Rule protects all individually identifiable health information a covered entity receives, maintains or transmits in electronic form, called "electronic protected health information."

·       Technical safeguards required by the Security Rule include Access Control, Audit Controls, Integrity Controls, and Transmission Security.

·       Policies, procedures, and documentation of actions, activities, or assessments required by the Security Rule must be retained for 6 years from the date of creation or the date when last in effect (45 CFR 164.316).

4. The Health Information Technology for Economic and Clinical Health Act (HITECH)

·       "Part of the American Recovery and Reinvestment Act of 2009, the HITECH Act significantly modifies HIPAA by adding new requirements concerning privacy and security for patient health information. It widens the scope of privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance and provides for more enforcement."

·       It applies to health care providers, health plans, health clearinghouses and "business associates," including people and organizations that perform claims processing, data analysis, quality assurance, billing, benefits management, etc.

·       Records retention not prescribed.


5. Electronic Fund Transfer Act (Regulation E)

·       This part applies to any electronic fund transfer that authorizes a financial institution to debit or credit a consumer's account.

·       EFTA Reg E does not specifically address retention of security or access records. However, the section addressing resolution of errors (12 CFR 205.11) does set a time period of 90 days in which a financial institution must complete an investigation of its internal records when a consumer reports a suspected error in an EFT transaction. If the Cyber Security Team determines that access logs or related security records would be part of the documentation needed, then the affected logs and related records should be retained for a minimum of 90 days.

6.  Fair and Accurate Credit Transactions Act of 2003 (FACTA)

·       The Red Flags Rule establishes new provisions within FACTA requiring financial institutions, creditors, etc. to develop and implement an identity theft prevention program.

·       It is up to each financial institution to determine what elements will be in its identity theft prevention program. To that end, an organization would determine which, if any, of its records, information, or data apply.

·       FACTA does not contain any requirements specific to retention of program development, implementation, or monitoring records.

7. Interagency Guidelines Establishing Information Security Standards

·       "The Guidelines apply to customer information maintained by or on behalf of entities over which the OCC has authority."

·       The text of the Guidelines is the same as the GLBA Safeguards Rule. Identical sets of Guidelines are published separately under the following regulatory agencies: 12 C.F.R. part 30, app. B (OCC); 12 C.F.R. part 208, app. D-2 and Part 225, app. F (FRB); 12 C.F.R. part 364, app. B (FDIC); 12 C.F.R. part 570, app. B (OTS); 12 C.F.R. part 748, appendix A (NCUA); and 16 C.F.R. 314 (FTC).  Implementing these guidelines apparently satisfies the information security requirements of GLBA, FACTA, and related regulations: These guidelines "set forth standards pursuant to section 39 of the Federal Deposit Insurance Act (section 39, codified at 12 U.S.C. 1831p-1), and sections 501 and 505(b), codified at 15 U.S.C. 6801 and 6805(b) of the Gramm-Leach-Bliley Act. These Guidelines also address standards with respect to the proper disposal of consumer information, pursuant to sections 621 and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s and 1681w)."

·       The Guidelines provide high-level, general requirements only. They do not specify retention of records of security program development, implementation, or monitoring.

·       Original deadline of program implementation: July 1, 2001.

Section II. Standards and Guides

1. SOX Guidance

·       Public Company Accounting Oversight Board (PCAOB) -- created by the Act to oversee and guide auditors who assess a company's compliance with SOX.  Publishes Proposed Auditing Standards for assessing compliance.  A 2004 Standard states that internal controls assessment should include information technology general controls. It does not specify any specific information technology controls.

·       Committee of Sponsoring Organizations of the Treadway Commission (COSO) -- A framework of internal controls guidance approved by the PCAOB. The COSO framework is not required for SOX compliance, but using it or something similar is considered to be an effective program for compliance. COSO includes general guidance on information security controls, control environment, risk assessment, control activities, information & communication, and monitoring.

·       Control Objectives for Information and Related Technology (COBIT) -- A framework created for more specific guidance for creating and assessing Technology controls.  The COBIT framework addresses 34 Technology processes from strategic planning to implementation, production support, and monitoring, grouped into four categories:
1.      Planning & Organization
2.      Acquisition & Implementation
3.      Delivery & Support
4.      Monitoring

·       Information Technology Governance Institute (ITGI) -- Used COSO and COBIT to create a set of specific Technology control objectives for SOX. The ITGI general control objectives address security, and break security down into sub-topics:
1.      Security Policy
2.      Security Standards
3.      Access and Authentication
4.      Network Security
5.      Monitoring
6.      Segregation of Duties
7.      Physical Security

2.  Payment Card Industry Data Security Standard (PCI DSS)

Developed by the Security Standards Council, its purpose is to "encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally."

Records Retention recommendations in the Standard:

·       Requirement 9: Restrict physical access to cardholder data.
·       9.4 Retain visitor logs for 3 months.

·       Requirement 10: Track and monitor all access to network resources 
and cardholder data.
·       10.7 Retain audit trail history for at least one year, with a 
minimum of three months immediately available for analysis (for example, 
online, archived, or restorable from back up).

3. NIST SP 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

·       Developed for use by federal agencies, it may also be used by nongovernmental organizations on a voluntary basis. It is not a statute or rule, nor a requirement for non-federal organizations.

·       Section 4 addresses safeguards, including access and audit 
controls. 

·       Section 4.22 sets a six year retention for documentation of 
policies, procedures, actions, activities or assessments required by the 
HIPAA Security Rule.

4. NIST Special Publications Series 800 -- Computer Security

·       "Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations."

·       Though none deal exclusively with managing security records, some address topics that touch on issues that are shared with the records management space, for example NIST SP 800-88 Guide to Computer Security Log Management, and NIST SP 800-88 Guidelines for Media Sanitization.



Gary Link
Pittsburgh, PA
[log in to unmask]
