A.4. Auditing

An excellent security principle for you to follow to protect your assets is to lock everything down and then watch them as if they were not locked down. If you secure every asset to the best of your abilities, using your available technologies and your available budget, and then watch for the inevitable breach or attempt to breach, you make your deployed security even better. Locking down an asset and then walking away doesn't mean it won't be attacked; it just means you won't know when it is attacked. And you won't know an attack was successful until you return and notice damage or loss.

Treat auditing, monitoring, logging, and watching as forms of security in their own right. They actually prevent many attacks from being attempted in the first place, and they detect any attempt that is made to breach security. Most forms of auditing should be announced to all entities trying to gain entry into your secured environment, the computer network as well as the physical building. You should notify anyone trying to enter your environment that only authorized personnel are allowed to enter, that all actions are recorded and monitored, and that any violation of security policy or law will be prosecuted. This type of sign or banner should be clearly visible at every entry point of your building and at every logon or access point on your public and private IT systems.

Auditing prevents casual attacks and detects intentional attacks. But auditing by itself is not enough. Your audit logs need to be protected against tampering and loss. This protection is required while the log is open and active as well as when it is closed and stored on backup media. Your best choice of storage media for audit logs is a write once, read many (WORM) device. WORM devices are designed so that once data is written to them, it cannot be altered by any means short of physical destruction of the storage device itself. If you want your audit logs to be 100 percent accurate, to have perfect integrity, and to be supportable in court, WORM devices are your only choice. Other forms of storage devices allow written data to be altered. If alteration is even possible, a good defense attorney can cast doubt on the reliability and integrity of the audit details. Your WORM devices should be of sufficient capacity to collect audit logs for a reasonable amount of time. You must protect your WORM devices from theft and physical damage.
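WORM media protects a log once it has been written out, but the paragraph above also asks for protection while the log is open and active. One common software-side complement is a hash chain: every record carries a digest of the previous record, so altering or removing a record in the middle breaks every link after it. The following is an added example written for this section; it is not code from the book, and the record layout, the `GENESIS` constant and the sample events are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed sample audit events (illustrative only, not real log data).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:01Z", "user": "alice", "action": "logon", "result": "success"},
    {"ts": "2024-05-01T08:05:12Z", "user": "bob", "action": "read",
     "object": "payroll.xlsx", "result": "denied"},
    {"ts": "2024-05-01T08:07:44Z", "user": "alice", "action": "logoff", "result": "success"},
]

GENESIS = "0" * 64  # value chained into the very first record


def _digest(prev_hash: str, event: dict, key: Optional[bytes]) -> str:
    """Digest of (previous hash || canonical JSON of the event).

    With a key the digest is an HMAC, so an attacker who can rewrite the
    whole file cannot simply recompute a consistent chain without the key.
    """
    payload = prev_hash + "\n" + json.dumps(event, sort_keys=True, separators=(",", ":"))
    if key is None:
        return hashlib.sha256(payload.encode()).hexdigest()
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append_record(log: List[dict], event: dict, key: Optional[bytes] = None) -> dict:
    """Append an event, linking it to the hash of the record before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"event": dict(event), "prev_hash": prev_hash,
              "hash": _digest(prev_hash, event, key)}
    log.append(record)
    return record


def verify_chain(log: List[dict], key: Optional[bytes] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every link holds, else (False, index of first bad record)."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev_hash:
            return False, i
        if rec["hash"] != _digest(prev_hash, rec["event"], key):
            return False, i
        prev_hash = rec["hash"]
    return True, None


def head_hash(log: List[dict]) -> str:
    """Latest hash; anchoring this value externally (e.g. on WORM media)
    is what makes silent truncation of the tail detectable."""
    return log[-1]["hash"] if log else GENESIS


def build_log(events=SAMPLE_EVENTS, key: Optional[bytes] = None) -> List[dict]:
    log: List[dict] = []
    for e in events:
        append_record(log, e, key)
    return log


def demo_tamper() -> Tuple[bool, Optional[int]]:
    """Alter the middle record after the fact and show the chain breaks there."""
    log = build_log()
    log[1]["event"]["result"] = "success"   # "denied" quietly rewritten
    return verify_chain(log)                 # (False, 1)


if __name__ == "__main__":
    print("intact:", verify_chain(build_log()))
    print("after tampering:", demo_tamper())
```

Two caveats matter in practice. An unkeyed chain only detects changes made by someone who cannot rewrite the whole file; keying the digest (as the `key` parameter does) or shipping records to a separate collector closes that gap. And verification of a chain whose tail has been cut off still succeeds, which is why the latest hash should be periodically recorded somewhere the log writer cannot alter, the WORM device the text recommends being the natural place.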

You should review your audit logs regularly both by automated means (such as a security auditor or an IDS tool) and by human means. Look for abnormalities or specific violations of security policy. Each incident should be investigated. As you discover issues or weaknesses, take action to prevent recurrence or future exploitation.
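As an added illustration of the automated half of that review (not code from the book), the script below runs a few policy checks over constructed SSH-style logon lines: a burst of failed logons from one source, a successful logon from a source that just produced such a burst, and any successful logon outside the policy's business hours. The line format, thresholds and the 08:00 to 18:00 UTC window are assumptions chosen for the example; a real deployment would take them from its own logging format and security policy.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample log lines (203.0.113.0/24 is a documentation range).
LOG_LINES = """\
2024-05-01T02:13:07Z sshd[1201]: Failed password for root from 203.0.113.5 port 4422 ssh2
2024-05-01T02:13:09Z sshd[1201]: Failed password for root from 203.0.113.5 port 4423 ssh2
2024-05-01T02:13:11Z sshd[1201]: Failed password for admin from 203.0.113.5 port 4424 ssh2
2024-05-01T02:13:14Z sshd[1201]: Failed password for admin from 203.0.113.5 port 4425 ssh2
2024-05-01T02:13:16Z sshd[1201]: Failed password for admin from 203.0.113.5 port 4426 ssh2
2024-05-01T02:13:20Z sshd[1203]: Accepted password for admin from 203.0.113.5 port 4427 ssh2
2024-05-01T09:02:41Z sshd[1310]: Accepted publickey for alice from 10.0.0.7 port 50122 ssh2
2024-05-01T23:47:03Z sshd[1422]: Accepted password for bob from 10.0.0.9 port 50300 ssh2
2024-05-01T09:15:00Z sshd[1340]: Failed password for carol from 10.0.0.11 port 50400 ssh2
""".splitlines()

# Assumed line layout: "<ISO timestamp> sshd[pid]: <Accepted|Failed> <method> for [invalid user] <user> from <src> port <n> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line: str) -> Optional[dict]:
    """Parse one line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def review(lines: List[str], threshold: int = 5, window_s: int = 60,
           business_hours=(8, 18)) -> List[dict]:
    """Apply the policy checks in order and return a list of findings."""
    findings: List[dict] = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures in the window
    flagged_burst = set()                  # sources already reported for a burst
    start_hour, end_hour = business_hours

    for line in lines:
        ev = parse(line)
        if ev is None:
            # Unparsed lines are themselves worth a human look, not silent drops.
            findings.append({"rule": "unparsed_line", "detail": line})
            continue
        src, ts = ev["src"], ev["ts"]

        if ev["result"] == "Failed":
            q = recent_failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()            # slide the window forward
            if len(q) >= threshold and src not in flagged_burst:
                flagged_burst.add(src)
                findings.append({"rule": "failed_logon_burst", "src": src,
                                 "count": len(q), "ts": ts.isoformat()})
        else:  # Accepted
            if src in flagged_burst:
                findings.append({"rule": "success_after_burst", "src": src,
                                 "user": ev["user"], "ts": ts.isoformat()})
            if not (start_hour <= ts.hour < end_hour):
                findings.append({"rule": "logon_outside_hours", "src": src,
                                 "user": ev["user"], "ts": ts.isoformat()})
    return findings


def summarize(findings: List[dict]) -> Counter:
    """Count findings per rule, a quick view for the human reviewer."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in review(LOG_LINES):
        print(f)
    print(summarize(review(LOG_LINES)))
```

Each finding is a candidate incident for the human review the text calls for, not a verdict: the admin logon at 02:13 trips two rules at once and would be investigated first, while bob's late logon may turn out to be legitimate maintenance that the policy should document.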

Audit logs should be backed up and retained—not just for a few months or years, but indefinitely. You never know how far back malicious events reach until they are discovered and investigated. If your retention policy allows for backups to be destroyed after only six months, you could easily be destroying essential evidence against internal and external attackers. This might require a separate backup system for audit logs so that the amount of physical space required to maintain all audit logs does not become too significant a burden.
