As previously indicated, once it has been determined what should be logged,
the analysis process can be determined and established. However, often the
volume of information being captured to the logs makes a manual review of
the logs impossible, at best. Volume has been, in my experience, the
biggest reason why logs are not reviewed on an on-going basis.

When the analysis of the log information is a large enough task, the
analysis should be automated, freeing up valuable human resource time as
well as increasing the accuracy of the data analysis. Importing the log
information into IDEA, ACL, Access, Excel, or another commercially available
software product will aid in the automated analysis of the log file data.

Sometimes analysis is required in real-time mode and sometimes analysis is
needed on a periodic basis, depending on what is being reviewed and/or being
looked for. Again, automation of this analysis will reduce the amount of
time spent by human resources.

As is always the case, there is an up-front cost to set up the automated
analysis. But in my experience, this up-front cost is most often offset by
the reduction in human resources necessary to do the analysis process
manually. And do not forget there is a cost savings to having a more
reliable and functional analysis process -- namely increased security.

Good luck and best regards,

Dale L. Rickard CISA, CDP
Sr. IS Auditor
Office of the City Auditor
City of Colorado Springs
Voice: 719.385.5695
FAX: 719.385.5699
Email: [EMAIL PROTECTED]

-----Original Message-----
From: Lowery, Richard [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 12 December, 2002 9:01 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on Network Logging

Network logs usually capture access, up time, modification attempts, etc.
Adequacy will depend on what the organization is looking for and what they
do with the information once it is received.

Looking at it from this angle, one of the first things that needs to be
determined is why is the organization logging certain things. If they don't
know why they are logging, they probably cannot define what an exception
is, and therefore do not know when or what action should be taken.

Richard Lowery
Senior IS Auditor, CISA, CRP
First National Bank of Omaha

-----Original Message-----
From: James Shannahan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 8:27 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Question on Network Logging

at the general internal controls level, without getting technical, you would
be interested to know what kinds of network activity the organization logs,
and more importantly who reviews the logs and do they take action when
exceptions are noted? logs don't function as controls if no one looks at
them and takes action.....

once you are past the general concepts, based on the organization, there may
be specific logging requirements from their regulatory bodies and from
management or Best Practices, otherwise known as Common Sense.............

for example, if the organization is involved in research and development of
proprietary information, one would reasonably expect greater protection
efforts aimed at that data.........but a sales oriented organization would
make part of its network open to the world in search of new
customers.........and in the public sector, open records laws require access
to records but not their modification.....

so we are back to the old accounting jokes where the punch line is: It
depends.....

James Shannahan, CCP, CSQA, CISA
Sr. Information Systems Auditor
City of Milwaukee (Wisconsin, not North Carolina)
[EMAIL PROTECTED]
414 286 2382
*neither the Comptroller nor I speak for each other*

>>> Jim Kaplan <[EMAIL PROTECTED]> 12/10/02 9:04:31 PM >>>
An AuditNet user submitted the following question. As I am not a technical
auditor I thought I would pose the question to the list.

I am an internal auditor and have been asked to review the network logging
procedures for adequacy. What kinds of things should a company log and
review?