Easy-to-Manage Audit Trails: an Oxymoron?
Audits are a part of every business, every organization, and every industry. Audit trails support the secure and safe flow of data; consequently, a weak audit trail leaves an organization exposed, because incidents go undetected or cannot be attributed to anyone.
Audit trails exist partly to enforce individual accountability in sensitive environments. Anonymity makes people audacious. If something is stolen or compromised, a detailed audit trail provides the who, what, when, where, and how needed to identify the culprit, but only if the records themselves cannot be quietly edited or deleted after the fact. Audit trails also function as a type of technical control. System audits can help identify performance issues, application audit trails can reveal flaws in applications, and administrators can monitor device health and resource usage. In short, audits and audit trails keep system vitals in check and make sure nothing fishy is going on. Specific industries have additional audit requirements.
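The following is an added example, not code from the original article or from any Futurex product, of what "authenticated" audit records look like in practice: each record carries the who/what/when/where fields mentioned above, and each record's HMAC also covers the previous record's HMAC, so editing, deleting, or reordering an entry breaks the chain. The key, the genesis value, and the sample entries are constructed for the example; how any particular device formats its logs is not described on this page.

```python
"""Tamper-evident audit trail: who/what/when/where records chained with HMAC.

Added example (not from the original article). The key, genesis value and
sample entries below are constructed for illustration only.
"""
import copy
import hashlib
import hmac
import json

DEMO_KEY = b"example-audit-mac-key"                       # constructed demo key
GENESIS = hashlib.sha256(b"audit-chain-genesis").hexdigest()  # constructed chain start
FIELDS = ("seq", "who", "what", "when", "where", "outcome")


def _mac_input(record, prev_mac):
    """Canonical bytes covered by the MAC: the record's own fields plus the
    previous record's MAC, serialised deterministically (sorted keys, no spaces)."""
    body = {k: record[k] for k in FIELDS}
    body["prev"] = prev_mac
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key):
        self._key = key
        self.records = []

    def append(self, who, what, where, when, outcome="success"):
        """Append a record whose MAC chains it to the current head of the log."""
        prev = self.records[-1]["mac"] if self.records else GENESIS
        rec = {"seq": len(self.records), "who": who, "what": what,
               "when": when, "where": where, "outcome": outcome}
        rec["mac"] = hmac.new(self._key, _mac_input(rec, prev), hashlib.sha256).hexdigest()
        self.records.append(rec)
        return rec

    def head(self):
        """MAC of the newest record; report this to a central repository so that
        truncation of the tail can be detected later."""
        return self.records[-1]["mac"] if self.records else GENESIS


def verify(records, key, expected_head=None):
    """Walk the chain. Returns (True, None) if intact, else (False, seq) where
    seq is the position of the first record that fails. If expected_head is the
    head MAC previously reported elsewhere, a truncated log also fails."""
    prev = GENESIS
    for i, rec in enumerate(records):
        try:
            if rec["seq"] != i:                    # deletion, insertion or reorder
                return (False, i)
            expected = hmac.new(key, _mac_input(rec, prev), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec["mac"]):   # edited record
                return (False, i)
        except KeyError:                           # malformed record
            return (False, i)
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return (False, len(records))               # tail was cut off
    return (True, None)


def demo():
    """Build a small log and show which tampering the chain catches."""
    log = AuditLog(DEMO_KEY)
    log.append("alice", "login", "hsm-dc1-02", "2024-01-15T10:00:00Z")
    log.append("alice", "firmware_update", "hsm-dc1-02", "2024-01-15T10:02:33Z")
    log.append("bob", "key_export", "hsm-dc2-01", "2024-01-15T10:05:10Z", "denied")
    head = log.head()

    results = {"intact": verify(log.records, DEMO_KEY, head)}
    edited = copy.deepcopy(log.records)
    edited[1]["who"] = "mallory"                   # rewrite who did the update
    results["edited"] = verify(edited, DEMO_KEY, head)
    deleted = copy.deepcopy(log.records)
    del deleted[1]                                 # remove the update entirely
    results["deleted"] = verify(deleted, DEMO_KEY, head)
    truncated = log.records[:2]                    # drop the newest record
    results["truncated_no_head"] = verify(truncated, DEMO_KEY)
    results["truncated_with_head"] = verify(truncated, DEMO_KEY, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
```

Two design points worth noting. The verifier uses `hmac.compare_digest` rather than `==` so that a forged MAC cannot be guessed byte by byte through timing. And the chain alone does not detect removal of the newest records; that is why `truncated_no_head` still verifies, and why the current head MAC has to be lodged somewhere the device owner cannot silently rewrite, such as the central repository described later on this page.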
PCI DSS—Payment Card Industry Data Security Standard—Merchants and Payment Processors
Any organization that stores, processes, or transmits payment card data must, under Requirement 10, track and monitor all access to network resources and cardholder data through logging mechanisms.
HIPAA—Health Insurance Portability and Accountability Act—Healthcare Industry
Organizations in the healthcare industry must retain patient records and related documentation for extended periods and must monitor access to those records. The HIPAA Security Rule, 45 CFR §164.308(a)(1)(ii)(D), also requires them to "implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports".
Sarbanes-Oxley Act of 2002—Financial Industry
This act holds publicly traded companies and their accounting firms to strict standards for data storage, access, and retrieval. Management becomes personally responsible for the accuracy of financial reports, and Section 404 requires a management assessment of internal controls, which in practice means logging and auditing of network activity, database activity, logins, user activity, and information access.
UK Data Protection Act of 1998—Consumer Privacy
To protect personal data, ensure its accuracy, and safeguard it against unlawful processing, the United Kingdom requires "appropriate technical and organizational measures [to be] taken against accidental loss or destruction of, or damage to, personal data."* Audit logs are one of the most direct ways to demonstrate such measures. (The 1998 Act has since been replaced by the Data Protection Act 2018, which carries the same security obligation forward.)
With so many laws and requirements in place to audit system access and technical environments, why is there still uncertainty? Organizations that operate multiple hardware security modules (HSMs), own large data centers, or have data centers dispersed around the world may find it difficult to establish an audit routine that meets compliance requirements, is granular, and is easily accessible. Our developers and engineers think like you. Are audits necessary? Yes. Are they fun? No. Can we engineer devices that make this routine more efficient and secure? Absolutely, yes!
The Futurex Guardian9000 fulfills these compliance requirements from one central location. Firmware updates and log audits, two tasks that typically take days at organizations with cryptographic devices spread across multiple data centers, can be performed from a single, centrally located device. Authenticated system logs from every connected device are stored in a central repository, so you know who accessed which device as soon as the access occurs, and the record cannot be altered on the device after the fact. To meet HIPAA requirements, hospitals and other healthcare practitioners can use the SAS9000, a secure, high-volume data storage HSM. It provides detailed audit records and the ability to generate customized reports, and it supports both internal and external audits while maintaining complete, authenticated audit log files of all activity and access. Both data storage and logging are handled by FIPS 140-2 Level 3-validated technology.
For questions or advice about strengthening your audit trail, contact a Futurex Solutions Architect.