25-03-05

log retention - the next frontier

These are the international laws and regulations you will have to comply with even if you are not a US-based firm: having contacts with US institutions, citizens or firms is enough.

It is also important to have someone knowledgeable of the relevant laws, regulations and agreements which pertain to your site participate in policy creation and audits. Examples include VISA CISP, SOX, GLBA, FFIEC, Basel II, HIPAA, NISPOM, NERC and the Italian Personal Data Protection Code, Legislative Decree no. 196 of 30

The Basel II Accord - Affects international banks. Effective 2006. Activity logs should be retained 3-7 years.

Federal Financial Institutions Examination Council (FFIEC) - Affects financial institutions governed by the Federal Reserve, FDIC, etc. Specifies historical retention.

Gramm-Leach-Bliley Act (GLBA) - Affects entities that participate in financial institution activities.

The Health Insurance Portability and Accountability Act (HIPAA) - Affects the healthcare industry. Logs should be retained up to 6 years.

North American Electric Reliability Council (NERC) - Affects electric power providers. Specifies log retention for 6 months and audit record retention for 3 years.

National Industrial Security Program Operating Manual (NISPOM) - Specifies log retention of at least one year.

The Sarbanes-Oxley Act (SOX) - Affects US corporations. Specifies retaining audit logs for up to seven years.

VISA Cardholder Information Security Program (CISP) - Specifies retaining audit logs for at least six months.

Source: Internet Storm Center

Keeping logs safely is a very costly matter that should be studied very seriously if your organisation is a little bigger than 20 members.

Even selecting what to log, and where, is a problem that can bring your whole system or network down, because logging can clog everything very quickly.
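The two points above (retention is expensive, and log volume can overwhelm storage) come down to one planning question: for each log source, how long must it be kept, and does the resulting volume fit the storage you have? The following planner is an added example, not code from the original post or from the Internet Storm Center. The retention figures are the ones quoted in the list above (ranges and "up to" figures taken at their upper bound, six months taken as 183 days); the log sources, their daily volumes, the 90-day default for unregulated logs and the storage capacity are constructed sample values.

```python
"""Log-retention capacity planner (added example, not from the original post).

Retention figures follow the regulations listed in the post; everything
else (sources, volumes, capacity, the 90-day default) is made-up sample data.
"""
from dataclasses import dataclass, field

# Minimum retention in days, from the figures quoted in the post.
# Ranges ("3-7 years") and "up to" figures are planned at their upper bound;
# "six months" is taken as 183 days.
RETENTION_DAYS = {
    "Basel II": 7 * 365,
    "HIPAA": 6 * 365,
    "NERC (logs)": 183,
    "NERC (audit records)": 3 * 365,
    "NISPOM": 365,
    "SOX": 7 * 365,
    "VISA CISP": 183,
}

# Assumed organisational default for logs no regulation covers.
DEFAULT_RETENTION_DAYS = 90


@dataclass
class LogSource:
    name: str
    mb_per_day: float
    regulations: list = field(default_factory=list)


def required_retention_days(regulations, default_days=DEFAULT_RETENTION_DAYS):
    """Longest retention among the regulations that apply to a source.

    Unknown regulation names raise rather than silently shortening retention.
    """
    unknown = [r for r in regulations if r not in RETENTION_DAYS]
    if unknown:
        raise KeyError(f"no retention figure for {unknown}")
    return max((RETENTION_DAYS[r] for r in regulations), default=default_days)


def storage_needed_mb(source, compression_ratio=1.0):
    """Storage needed to keep one source for its mandated period."""
    days = required_retention_days(source.regulations)
    return source.mb_per_day * days / compression_ratio


def plan(sources, capacity_mb, compression_ratio=1.0):
    """Per-source needs (largest first), total, and whether capacity suffices."""
    needs = {s.name: storage_needed_mb(s, compression_ratio) for s in sources}
    ordered = dict(sorted(needs.items(), key=lambda kv: kv[1], reverse=True))
    total = sum(needs.values())
    return {
        "per_source": ordered,
        "total_mb": total,
        "fits": total <= capacity_mb,
        "headroom_mb": capacity_mb - total,
    }


# Constructed sample inventory: a firewall under card-data and SOX scope,
# a healthcare application under HIPAA, and a chatty DNS resolver that no
# regulation covers but that dominates daily volume.
SAMPLE_SOURCES = [
    LogSource("firewall", 500.0, ["VISA CISP", "SOX"]),
    LogSource("ehr-app", 50.0, ["HIPAA"]),
    LogSource("dns-resolver", 2000.0, []),
]
SAMPLE_CAPACITY_MB = 1_000_000


if __name__ == "__main__":
    for ratio in (1.0, 4.0):
        result = plan(SAMPLE_SOURCES, SAMPLE_CAPACITY_MB, compression_ratio=ratio)
        print(f"compression {ratio}x: total {result['total_mb']:,.0f} MB, "
              f"fits={result['fits']}, headroom {result['headroom_mb']:,.0f} MB")
        for name, mb in result["per_source"].items():
            print(f"  {name:14s} {mb:>14,.0f} MB")
```

Running it shows the point the post makes: the firewall, a modest 500 MB per day, needs far more storage than the noisy DNS resolver once a seven-year mandate applies to it, and the whole inventory only fits the sample capacity after compression. The ordering in `per_source` tells you which source to tune first, which is the "what to log where" decision.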


17:01 Posted by technology changes fast not a lot
