corporate security

Note-to-self: SOC2 mapping to ISO27001

Just in case you get into SOC2 and want to know how to map it to existing information security implementation, whatever it may be, GDPR, ISO27001, NIST, … check this page

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html

It includes:

These links have nice XLS format sheets, with a bidirectional comparison between the frameworks.

Info on SOC1/SOC2/SOC3

https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/sorhome.html

SOC and SOX?

 SOC reports refer to an audit of internal controls to ensure data security, minimal waste, and shareholder confidence; SOX relates to government-issued record keeping and financial information disclosure standards law. In other words, one is about keeping information safe, and the other is about keeping corporations in check.

https://immedis.com/blog/what-are-the-key-differences-between-soc-and-sox/

https://www.logicgate.com/blog/a-comparison-of-soc-and-sox-compliance/

Also

https://linfordco.com/blog/soc-2-security-vs-iso-27001-certification/

(braindump article, still in progress)

CCSP and CCAK, not versus: build your cloud security expertise path based on your needs.

Last week (ISC)² published a blog post on the choice between CCSP and CCAK.

You can find it here: https://www.isc2.org/articles/CCSP-versus-csa-ccak.

“What is the right certification for you?”

The main title of the (ISC)² article on CCSP vs CCAK is “CCSP Certification vs. CCAK Certificate: What Are the Distinctions?”

That’s exactly what you get. A list of technical differentiators between CCSP and CCAK, but according to (ISC)².

But if you hope to get an actual answer to what the right certification is, for you… they forget to ask …you.

What do you think would be the conclusion, if you ask that question to either one of the contestants while you compare 2 certifications? Of course each party will simply draw the conclusion that their own certification is the best choice.

To answer the most important question, the dilemma CCSP or CCAK, is simple: do you need technical or audit skills for cloud security?

The answer

In essence, the answer is simple:

  • if you need cloud audit skills, dive in to the Cloud Security Alliance (CSA) and ISACA Certificate CCAK.
  • if you want to have architect level technical cloud expertise and knowledge, choose CCSP
  • if you want cloud security knowledge, in basic or advanced hands-on, there are other choices to start with (more about it below)

So, if you ask the question “what is the right certification for you”, you immediately know that there is no right answer, but there are many options.
Options for a multi level expertise roadmap in cloud security, based on your current skills and your future goals.

If you like a tough challenge: why not jump into the CCAK or CCSP, CCSP or CCAK, whatever, right away.

But if you would like to boost your chance of success… take a deep breath and better plan smartly.

And don’t start with CCSP/CCAK, but prepare your track towards CCSP/CCAK first.

First some background to plan your roadmap

Setting expectations

Just to set expectations, this article only focuses on the personal education and certification options, offered by (ISC)², ISACA and CSA. Including other education provider would lead us too far.
There are way more other (cyber)security certifications available, but we focus on the cloud security track, which limits the options…

Feel free to comment with other options for cloud security training. I’ll update the article where relevant.

CSA CCSK

The Cloud Security Alliance launched the CCSK in 2011. And as they explained here, “the CCSK was quite literally the industry’s first examination of cloud security knowledge when it was released back in 2011. “

The CCSK is an easy entry, high level introduction to Cloud Security, and it doesn’t require you to have deep technical cloud security expertise.

But it still is a nice baseline for the cloud security essential knowledge.

(ISC)² – CCSP

In short: CCSP = CISSP [by (ISC)²]+ CCSK [by CSA]

The long version is explained in the (ISC)² article comparing CCSP and CCAK.

  • CCSP = Certified Cloud Security Professional
  • You need at least five years of cumulative, paid work experience
  • CCSP is pretty much the same level of difficulty as CISSP, but has focus on cloud security.

The CCSP was launched in 2015, as a cooperation between (ISC)² and CSA. (see CSA press release here), a couple years after the CCSK launch in 2011.
The CCSP is the bigger brother of the CCSK, more advanced, and as CSA rightfully mentions in there CCSK-CCSP comparison blog, the CCSP is on the level of CISSP with a major cloud flavor.

That’s where the dummy math description comes from…

CCSP = CISSP + CCSK.

But CCSP certainly is not an entry level exam.

More information:

ISACA & CSA – CCAK

CCAK = CISA [ISACA] + CCSK [CSA]

CCAK (Certificate of Cloud Auditing Knowledge) is cohosted by ISACA and CSA.
And then you immediately know the approach is different than the approach of (ISC)².

ISACA (Previously known as the Information Systems Audit and Control Association®) stems from audit.
CSA focuses on cloud security.

That’s exactly what CCAK is about : cloud security audit.

See here:

As ISACA mentions on their product page: “The Industry’s First Global Cloud Auditing Credential”.

CISSP

For completeness, I mentioned the CISSP ( Certified Information Systems Security Professional).
I don’t think it needs a lot of explanation, it’s pretty much the reference standard for IT Systems security. (ISC)² references it as “The World’s Premier Cybersecurity Certification”.

It’s a pretty heavy exam, and it does require at least 5 years professional security experience. This is not an entry level exam.

More info: https://www.isc2.org/Certifications/CISSP

SSCP (Systems Security Certified Practitioner)

Due to the experience requirements, CISSP might be a tough credential to start with, although you can pass the exam, and continue to build your experience to grab the CISSP title…

If you want the plan your credentials the smart way, or you’re fresh in cyber-, information or IT-security, you better start with SSCP.

That the little brother of CISSP, and it’s an excellent way to step up to CISSP. More info: https://www.isc2.org/Certifications/SSCP

Where to start?

Cybersecurity & Information security essentials

As explained earlier, for tech skills in cyber-, IT and information security: look into SSCP first.

(Then step up to CISSP.)

Cloud security essentials: CCSK

Now it’s obvious what your first step in cloud security education should be: CCSK.

The CCSK is the perfect introduction to cloud security essentials.

Although it’s very helpful to have some technical IT basic knowledge, the CCSK is very accessible for general audience.

To prepare for the CCSK, you can follow classes or self-study via a completely free preparation toolkit.

Source: CSA CCSK v4 exam (https://cloudsecurityalliance.org/artifacts/ccskv4-exam-prep-kit/)

You can buy a double-try access ticket for the CCSK online exam (60 questions, 90 minutes), so if you would fail the first attempt, study again and retry the exam.

Then plan your track: only technical (no interest for audit) or audit, or both

Only technical

If you focus on technical expertise in cloud security, CCSP is a reference standard (at least, on of them…) .

As mentioned: CCSP = CISSP + CCSK.

So the track is clear

  • After passing the CCSK exam,
  • Take the CISSP exam
  • then take the CCSP

This is the easier route if you already have 5yr+ experience. It’s not the cheapest route, as you pass the CISSP first, but it’s worth the effort. (you only need to pay 1 yearly fee at (ISC)², so after 1 certification, … no extra cost in yearly membership fee)
For junior, less experienced, security engineers, start with SSCP before jumping into CISSP, and then CCSP.

Audit

When you target IT security audits, you need to take a different route depending your background.
Having the CCSP/CISSP background is extremely useful to boost your career in audit.

But for the CCAK, the core audit baseline is CISA.

Keep in mind, similar to CISSP and CCSP, CISA has the same requirements regards professional experience, 5 years.

But if you’re a ISACA CISA, you can add CCSK to the track and land on the CCAK.

Both?

Then it’s obvious, first tech, then audit, meaning a smart combination of

  1. CCSK
  2. (SSCP > ) CISSP
  3. CCSP
  4. CISA (or alternative)
  5. CCAK

Alternative routes

ISO27001 Implementer & Auditor

And alternative route to the auditing experience is ISO27001 auditing, but you’ll need some implementation experience before you can audit.

CISM

Within the ISACA portfolio, the CISM (Certified Information Security Manager), covers the same areas as most ISO27001 (lead) implementer courses.

Which can be helpful to ramp up for the CISA audit part, to gain some hands-on in IT & Infosec governance.

Visualizing your cloud security education roadmap

Lots of blah for a simple choice?

Allow me to visualize the options…

The difference between “certification” and “certificate”, does it really matter?

In it’s blog post (ISC)² tries to put CCSP above CCAK by saying “CCSP is a certification; CCAK is a certificate.”

And they continue “A certification recognizes a candidate’s knowledge, skills, and abilities, typically framed by a job role, while a certificate’s scope is narrower and only documents training course completion. A certification often requires continuing professional education (CPE) to stay in front of trends, while a certificate’s body of knowledge does not evolve over time or require CPE credits to maintain.

And their explanation is at least flawed and cutting corners to benefit CCSP.

There are many explanations and interpretations of “certification”, depending the context.
But in essence, “certification” is a process and a certificate is a document (the result).

When you certify for “CCSP” at (ISC)², you need to comply with the CCSP condition and then get a document, your CCSP certificate.
Idem for CCAK, you need to comply with their conditions.

Both the certification process for CCSP as the process for the CCAK are used by other similar education providers.

Eg, PECB, ISACA, EC-COUNCIL, … and others require to pay a yearly fee, keep CPE/CPD (continous professional education or development). Some yearly fees are cheaper as others.

Like CSA, Microsoft and others ask for a 1 time exam fee, and then update the exam on longer term, not yearly, and do not require a yearly maintenance fee.

It’s a choice of the certificate owner, how the evaluation and exams are done.

Some of them comply to the ISO17024, and education standard. There are huge benefits to comply (like increased credibility, compatibility with other certifications, …). But it’s not mandatory.

(ISC)² uses an exam, with experience requirement and continuous education once you pass the exam, but you do not need to pass the exam again, unless it’s upgraded to a new build or major version.

But CSA does exactly the same, for example when CCSK was upgraded from v3 to v4, you needed to pass the exam again.

Not on a yearly basis, but the program is updated, the exam is updated… on a regular basis, without yearly fee.

It’s rather a (small) financial effort, not of significance for most companies paying the bill. (Although as an individual, the cost of certification can become a serious burden…)

And it’s certainly not relevant when choosing between CCSP and CCAK. CCAK is cheaper, as referenced in the (ISC)² comparison chart.

References

(ISC)²: CCSP Certification vs. CCAK Certificate: What Are the Distinctions?

Cloud Security Alliance (CSA)

CSA Certificate of Cloud Security Knowledge (CCSK)

CSA & ISACA CCAK

CCAK learning material

CCSK vs CCSP

Vocabulary (alphabetical)

CCAK: Certificate of Cloud Auditing Knowledge (https://cloudsecurityalliance.org/education/ccak/)

CCSK: Certificate of Cloud Security Knowledge (https://cloudsecurityalliance.org/education/ccsk/)

CCSP: Certified Cloud Security Professional (https://www.isc2.org/Certifications/CCSP)

CSA: Cloud Security Alliance (https://cloudsecurityalliance.org/)

(ISC)²:  International Information System Security Certification Consortium (https://www.isc2.org/)

Note-to-self: 2020 IDG Security priorities study

Source: https://f.hubspotusercontent40.net/hubfs/1624046/2020_Security%20Priorities%20Executive%20Summary_final.pdf

End 2020 IDG published a study on Security priorities, and it provides important guidelines to the priorities of securing yourself and your company

  1. Protection of confidential and sensitive data
  2. End-user awareness
  3. Corporate resilience
  4. Enhance access control
  5. Understand external threats
  6. Application security
  7. Plan for unexpected risks

This pretty much confirms that your customers, stakeholder’s and staff interest in protecting personal data is driving security from business perspective.

If you see the increase of cyberattacks and ransomware hitting the business, it’s pretty obvious that Business Continuity Management and Disaster recovery must be on top of your priority list.
You need to have a tested plan against successful cyberattacks and ransomware, to avoid extended business damage and massive (ransom) costs … afterwards.

To put a plan together, you need to understand who is your adversary and what the current state of cybersecurity is.
And this study is a simple but smart guide to define your priorities.

The better you prepare, the less it will cost.
But you’ll only be able to tell when it goes wrong.

Don’t get caught by surprise, be ready.

Note-to-self: Crowdstrike has published their 2021 Global Threat report

Crowdstrike has published their 2021 Global Threat report.

It’s always an interesting reference to see what the world in cybersecurity is about, certainly with the turbulent pandemic year.

They look at:

  • cybersecurity during COVID19
  • cybersecurity in health care
  • significant political, state based attacks
  • evolution of ransomware

And no one has to tell you, we’ve not seen the end yet.

Hang in, get ready, protect yourself for more bad stuff to come.

Keep patching your systems, all of them, all the time.

And by the way, don’t ay with your personal data for the download. Direct download is available at:

Note-to-self: #ZeroTrust #maturity model assessment by #Microsoft

Have you ever assessed the maturity of #cybersecurity implementation?

The #ZeroTrust #maturity model assessment by #Microsoft provides you with great insights, where to start or which part of your security needs improvement.

Easy to use, easy to understand, great results and great guidance.

You can find the assessment tool here:

https://www.microsoft.com/en-us/security/business/zero-trust/maturity-model-assessment-tool

And if you need more info, then bookmark this Zero Trust resources page: https://www.microsoft.com/security/blog/2021/05/24/resources-for-accelerating-your-zero-trust-journey

Note-to-self: public website/server certificate quick check.

Today my ESET Endpoint Security blocked my browser for what I know is (sorry, should be) a legitimate magazine website…

Using other browsers (Chrome, Firefox, Opera, Tor, …) on my machine, I had the same issue…

Microsoft Edge

ESET Endpoint Security is reporting

“Website certificate revoked

The certificate used by this server has been marked as untrustworthy and the connection is not safe

Try connecting again later or from a different internet connection.
Access to it has been blocked.

Tor

Using another pc or smartphone (not using ESET) … I was able to connect.

So what’s going on?

ESET protecting you…

Eset forums

When you look up the Eset message (“Website Certificate Revoked” eset), you’ll probably land on the ESET forums or knowledge base, … seems to be a pretty popular topic.
Like for example: https://forum.eset.com/topic/21531-eset-giving-website-certificate-revoked-message/

ESET knowledge base

https://support.eset.com/en/kb6258-website-certificate-is-revoked-is-displayed-when-visiting-legitimate-web-pages

ESET explains

“This warning is displayed when your ESET product detects that the security certificate for a website is revoked.

ESET cannot resolve the issue because only the owner of a domain can renew their security certificate. You cannot choose to continue to the site using the insecure certificate.”

How do you double check this information?

The ESET forums point to a very interesting and eays to use tool: SSLTest at SSLLabs.com

Open: https://www.ssllabs.com/ssltest/index.html

Then you can enter the URL of the website you want to visit or check…

Depending the status of the website (good…or bad), it will take a few seconds… to minutes… to scan the website and show the quality of the certificate.

In this case, it’s fairly clear why the website was blocked:

Just for your reference if you would check a website like: https://docs.microsoft.com, you’ll get A+ (that’s the other end of the scale..)

If you want to know more about the website rating, check the SSLLabs rating guide:

https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

The grading results in a score from A (top), (B) good, (C) average .. to (F) big fail lowest score …

So, it’s a very handy and free tool to check your website for issues.

Why are these websites not blocked by other tools or browsers?

First of all, check if you have an anti-virus or antimalware tool that checks the URL.

Because other browsers, apps or URL filters will not always check for the CRL (the certificate revocation list, containing certificates that are no longer valid…).

Or the CRL is not updated or and old CRL is cached. The ESET KB article mentioned, explains how to clear the CRL cache on your system.

Other interesting tools

The website (or mail) certificate is just one of the security indicators …
If you want to check the reputation of your URL, domain, website, mail system, DNS, … there are some more interesting tools you should have at hand, like https://mxtoolbox.com/NetworkTools.aspx.

Quite a while ago I posted an article on web and mail reputation, there is some more interesting free tools you can use to check the domain reputation.

See here: (TechNet Wiki) Hotmail/Outlook.com Solving Mass Mailing Delivery Issues

Conclusion

This situation show how easy it is to land on a website using revoked or unverified certificates…

Make sure to use a decent anti-malware and anti-virus tool. It’s worth to spend a small bit of money to protect your systems.

And if you combine it with some free tools to check the health of (your) websites and systems… you can achieve a decent level of security without spending a lot of money.

Extended mapping of CIS Controls to ISO27001 security controls

Introduction

The CIS (Center for Information Security) Controls list is a very well known list of security measures to protect your environment against cyberattacks.
The Center for Information Security provides a handy XLS sheet for download to assist in your exercise.

Here is the link: https://www.cisecurity.org/controls/cis-controls-list/

Many companies use this controls list already, but also require to map their CIS security controls to ISO27001, for various reasons.

Implementing security controls with regards to the NIS directive, is one of them, eg when you’re implementing OT…

ISO27001 controls mapping

For that purpose the CIS provided a XLS mapping between the CIS controls and ISO27001.

You can download the sheet from the CIS website: https://learn.cisecurity.org/controls-sub-controls-mapping-to-ISO-v1.1.a

Security note for the security freaks, apparently the document is hosted on the pardot(dot)com Salesforce website, which might be blocked by Adlist domain blockers as it’s used for marketing campaigns, you might need to unblock it, or use Tor browser…)

Alternatively, it’s available from the CIS Workbench community at: https://workbench.cisecurity.org/files/2329 (registration might be needed to access the download)

FYI, the previous version (2019, v1) of the mapping had quite some gaps. Therefor I’ve submitted a suggestion for an updated CIS-ISO27001 mapping.
And after review, a new version (1.1) with updates has been published on the CIS workbench.

Direct download for version 1.1 available at: https://workbench.cisecurity.org/files/2329/download/3615

Still some gaps

You’ll notice that the update (1.1) version has still some gaps. And I’ll leave to the discretion of the CIS review work group to argument these gaps.


But I’m convinced you can map the CIS controls for 100% to ISO27001, in one way or another, meaning use ALL ISO27001 controls in certain extent (sometimes a subset, equally or a superset of it, combining controls.)

But the license for use of the CIS controls mapping does not allow redistribution of modified materials…

Disclaimer (the small print)

Here’s the License from the mapping file:

Their work (quote) “is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.).”

So I CANNOT distribute the XLS as modified material (Why not?).

Extending the mapping

If you still want to build an extended version of the mapping on your own, you download the 1.1 version and add these items to the list:

CIS sectionCoverageISO27001 Control
2.2=A.12.5.1
2.5=A.8.1.1
2.8small subsetA.12.5.1
2.10small supersetA.9.4.1/A.8.2
3.1small subsetA.12.6.1
3.2small subsetA.12.6.1
3.4small subsetA.12.6.1
3.5small subsetA.12.6.1
3.6small subsetA.12.6.1
4.1small supersetA.8.1.1/A.9.2.3 
6.5small subsetA.12.4.1 
6.6small subsetA.12.4.1 
6.8small subsetA.12.4.1 
7.3small subsetA.12.2.1
7.5small supersetA.8./A.13.1.1
7.6small subsetA.13.1.1
8.3small subsetA12.2.1
9.5small subsetA.13.1.1
10.2small subsetA.12.3.1
10.5=A.12.3.1
11.1small subsetA.13.1.1
11.2small subsetA.13.1.1
11.6small subsetA.13.1.1
12.1small subsetA.13.1.1
12.5small subsetA.13.1.1
12.10small subsetA.13.1.1
13.2small subsetA.11.2.5
14.7small subsetA.8.2.3
16.2small subsetA.9.3.1
16.3small subsetA.9.3.1
16.9small subsetA.9.2.1
16.10small subsetA.9.2.1
16.12A.12.4.1
16.13A.12.4.1
17.1=Clause 7.2
18.3=A.12.5.1
18.4A.12.5.1
18.7A.14.2.9
18.10small subsetA.14.2.5 
18.11small subsetA.14.2.5 
19.3small subsetA16.1.1
19.6small subsetA16.1.2
19.7small subsetA16.1.1
19.8small subsetA16.1.4
20.1small subsetA18.2.3
20.2small subsetA18.2.3
20.3small subsetA18.2.3
20.4small subsetA18.2.3
20.5small subsetA18.2.3
20.6small subsetA18.2.3
20.7small subsetA18.2.3
20.8small subsetA18.2.3

Planning for ISO Certification using CIS Controls?

When you look at it from a different angle and you would like to build a plan to certify your ISO27001 implementation, we need to turn around the mapping, and look for the gaps in the ISO27001 security controls AND CLAUSES, when doing the CIS control mapping.


And then you’ll notice the explicit difference in approach between CIS controls and ISO27001 controls.
CIS controls are focusing on technical implementation to harden your cybersecurity, while ISO27001 is a management system that needs these controls, but requires a management layer to support these technical controls. CIS controls are lacking this management layer.
If you compare both systems in a table the story gets clear:

The “red” areas require extra work to make it ISO27001 compliant.

And as always, if you have suggestions of feedback to improve this article, let me know, I’ll fix it on the fly.

Free (ISC)² Exams flash cards all in one place (*)

(*) with respect for your privacy, no login, nor mail required for

CISSP

CSSLP

CCSP

SSCP

CAP

HCISSP

Sorry, (free) registration still required for:

CISSP-ISSAP:https://enroll.isc2.org/product?catalog=CISSP-ISSAP-FC

CISSP-ISSEP: https://enroll.isc2.org/product?catalog=CISSP-ISSEP-FC

CISSP-ISSMP:https://enroll.isc2.org/product?catalog=ISSMP-FC-2019

Note-to-self: MNM van KSZ (Minimale normen – Sociale Zekerheid)

Minimale Normen / Normes Minimales van de KSZ (Kruispuntbank van de Sociale Zekerheid) gebaseerd op de ISO27001/ISO27002

“De toepassing van de minimale normen informatieveiligheid en privacy is verplicht voor instellingen van sociale zekerheid overeenkomstig artikel 2, eerste lid, 2° van de wet van 15 januari 1990 houdende oprichting en organisatie van een Kruispuntbank van de Sociale Zekerheid (KSZ). Bovendien moeten de minimale normen informatieveiligheid en privacy eveneens toegepast worden door alle organisaties die deel uitmaken van het netwerk van de sociale zekerheid overeenkomstig artikel 18 van deze wet. Tenslotte kan het sectoraal comité van de sociale zekerheid en van de gezondheid de naleving van de minimale normen informatieveiligheid en privacy ook opleggen aan andere instanties dan de hogervermelde.  ”

Bookmark:

(NL) https://www.ksz-bcss.fgov.be/nl/gegevensbescherming/informatieveiligheidsbeleid

(FR) https://www.ksz-bcss.fgov.be/fr/protection-des-donnees/politique-de-securite-de-linformation

(edit)

Opmerking: voor alle duidelijkheid, op zich zijn deze documenten geen nieuwigheid maar buiten de SZ zijn deze normen minder gekend… vandaar dat het toch nuttig is om ze bij te houden als geheugensteun en referentie. Je komt er sneller mee in contact als je denkt…

Note-to-self: logging policy considerations

Few days ago I got a question from a security officer for guidance on event and system logging.

What I can recommend: a good guideline and indication is this from OWASP.
You know OWASP is THE reference for software security …. with their OWASP top 10 etc.

Check this: https://owasp.org/www-project-cheat-sheets/cheatsheets/Logging_Cheat_Sheet

Another reference from NIST see below, very handy.

These are fairly complete in terms of guideline.

What you should pay special attention to from a policy point of view is

Special accounts

  •  Sensitive accounts
    • Highly priviliged accounts
    • Admin accounts
    • Service accounts
  • Sensitive systems
    • Domain controllers
    • Application servers
  • Sensitive data
    • HR data
    • Finance data
    • Legal data

Regarding the classification of accounts, check these:

For the users you also have to think carefully about events

  • Large volume of failed logons from sensitive users, may indicate
    • Attack
    • Denial of service
    • Hacking
  • Attack on the password database, large volumes of password change attempts …
    •  Smart password ‘testers’ will stay just below the blocking limit ..
  • Successful logons from special accounts at abnormal places or times
  • Changing the rights of sensitive accounts
    • Promotion of regular users to admins or other sensitive accounts in AD or central database

CLASSIFICATION

Make sure you have a data, user and system classification policy.
Define roles and / or categories.
Which objects are “not important”, “not sensitive”, sensitive, important, critical.
The protection must be tailored to the category type.

STORAGE

In addition, you should also write a policy on saving data.
This often poses a logistical problem with disk space.

If you know that sometimes attacks are only detected after 200-300 days, you should be able to do a forensic investigation in that period.
But that does not have to be on live data, if it is in backup, that is also good.

In terms of operational data you have to decide how much should be available immediately, for immediate consultation.
For example, that can be 1 month. (if the system can save so much)

BACKUP

Ensure that a backup can be guaranteed for a year (combination of full / differential and / or incremental backups or virtual snapshots …)
This is not a fixed period, but depending on risk management this may be more or less.

IMPORTANT: Time synchronization

Also make sure that you require NTP time synchronization, so that the clocks are exactly matched to each other on all systems.
Log analysis is impossible without correct timing.

SECURITY

Ensure that logs on source systems cannot be deleted by administrators.
Ensure that the logs following are shielded from system owners;
Ideally, you are obliged to store logs centrally (for example in a SIEM system).

Secure backups

Consider managed encryption of data and backups (not ransomware or malware).

Healthy logging and healthy backups

Make sure to test backups and restores!

Check the logs and backup for malware.

LOG CENTRALIZATION

Store logs centrally with sufficient storage capacity, security and backup.

LOG MANAGEMENT

A good management process and regular inspection must become mandatory.
Ensure monitoring for special events or special trends (sudden growth or sudden decrease or disappearance of logs)

Arrange forensic surveillance / detention if a burglary or data breach may need to be reported to the government / DPA / police.

The NIST documentation below provides useful hints and tips about the type of systems, routers, switches, firewalls, servers …

LEGISLATION

Take into account legislation such as GDPR or ePrivacy or others that impose your obligations (legal, judicial, international, fed gov, …)

EXPERIENCE

View and learn from past incidents and known use cases or accidents, which give a clear hint of what protect first.

PDCA – plan-do-check-act

Require a regular review of the policy and the rules, ensure that the guidelines are updated to the requirements and changing situations.

It is difficult if you find out after the facts that your log is not working properly.

Other references

And this is also a reference (NIST)