**Views expressed in this blog are my personal views and not those of my employer. Any reference to any living person or organisation, past or present, is entirely coincidental**
As any blogger is allowed to do, let me play devil’s advocate for a moment.
We may think we speak the same language, and profess to share common objectives with our technology counterparts, but occasionally the chasm opens up between us to reveal just how far apart it is possible to be.
Let me lay before you an example – audit/event logs.
I have engaged in a number of conversations over recent weeks regarding the treatment of system audit logs from a Records Management perspective, in particular regarding retention. I thought it may help to share some of these here in the hope that it may widen the debate.
I started with the difficulty encountered when seeking to define the “what” question – “exactly what are you referring to… help me narrow it down a bit”.
“Well”, came the responses, and we began:
- Logging security-related events, used to identify and track external or internal attacks – Information Security
- Real-time intrusion detection logs – Information Security
- Recording changes made to a system in a log – Change Management
- The creation of an audit trail down to keystroke level – Investigations / Forensics
- Identifying policy violations – Information Security
- Optimising system and network performance – Information Technology
- Identifying operational trends and long-term problems – Information Technology
The picture doesn’t get any clearer when, as you trawl through the Internet looking for that compelling piece of guidance, law or regulation, you keep turning up the same well-meaning commentary, which I broadly paraphrase:
- developing specific recommendations is very difficult because there is no consensus
- retain activity logs for 3 to 7 years
- logs are required to be retained for SOX purposes
- retain as required by local law or regulation……
… you don’t say…
But one thing is clear: amongst the myriad descriptions and purposes attributed to computer-generated logs, there is consensus on a few things across the technology industry:
- Logs are important – you only need to consider what they could prove or disprove
- They are big and getting bigger – logs have a huge propensity to consume storage
- Some uses are well defined – Information Security, for instance
- Others are less so – for instance, the real potential to evidence management control
So what is the answer? These logs started out for administrative purposes but are gradually (well, as gradually as the poles are melting) morphing into something else; something far more challenging and interesting to the Records Manager. Or do we simply fall back on retaining logs indefinitely because they underpin a transaction, and ride out all the inevitable arguments regarding storage capacity… or none of the above?
Discuss.
#change #Security #ElectronicRecordsManagement #retention #SOX #auditlogs #eventlogs #regulations #audittrail