Actually...I think we all entered the 4th dimension about 6 months ago.


"Christiansen, John (SEA)" <[EMAIL PROTECTED]gates.com>
07/23/2003 12:01 PM
Please respond to "Christiansen, John (SEA)"

To: "WEDI SNIP Security Workgroup List" <[EMAIL PROTECTED]>
cc:
Subject: RE: Acceptable time-frames to keep Audit logs

Thanks to all who pointed out that I erred when I said yesterday that the
regs don't refer to "audit logs." I broke one of my own cardinal rules,
which is to double-check the actual text of rules, regulations and
legislation before trying to pontificate about them. (Which just goes to
show how important it is to stick to the text when trying to figure out
what these various regs mean!)

In reviewing that specification (164.308(a)(1)(ii)(D)) together with the
documentation standard (164.316(b)), it seems to me you need to have
written documentation of the procedures implemented for regular review of
information system activity, including audit logs. Since the logs
themselves do not appear to be "policies, procedures, actions, activities
or assessments" required to be documented under the rule, I think I am still
comfortable saying these are not in themselves required to be retained for
six years. But I would tie in my written information system activity review
procedures to my written security incident procedures, since the audit logs
may constitute all or part of the basis for identification of a security
incident - it would probably be prudent to have a procedure in place to
maintain copies of logs which indicate a potential or proven security
incident as part of the security incident documentation.

Does anybody else feel like they're playing three-dimensional chess?

John R. Christiansen
Preston | Gates | Ellis LLP
*Direct: 206.370.8118
*Cell: 206.683.9125
Reader Advisory Notice: Internet email is inherently insecure. Message
content may be subject to alteration, and email addresses may incorrectly
identify the sender. If you wish to confirm the content of this message
and/or the identity of the sender please contact me at one of the phone
numbers given above. Secure messaging is available upon request and
recommended for confidential or other sensitive communications.




---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of the
WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official
opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products and
services.  They also are not intended to be used as a forum for personal
disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same
as the address subscribed to the list, please use the Subscribe/Unsubscribe
form at http://subscribe.wedi.org




