This CCSS Level 2 requirement affects the amount of storage needed to retain logs long enough to provide relevant data for auditing, incident response and forensic activities.
Depending on the number of in-scope devices and systems, business-as-usual (BAU) activity will generate a large volume of log event records, many of which provide no real value for auditing, incident response or forensics. For example, a service account with no administrative privileges and read-only access to a non-critical report, used hourly by service desk personnel, may not be considered critical to those activities. We hope that in future the CCSS Committee provides more detailed guidance on which events the standard deems necessary to capture for auditing, incident response and forensic activities; that would help reduce the log retention storage required of the assessed entity.
Requirement: 2.04.2.1 In addition to recording all actions performed within the system, this audit information is periodically backed up to a separate server.
The CCSS Glossary defines “periodically” as “As determined to be sufficient by the auditor”. To assist the CCSSA in determining the period, we suggest that the assessed entity define its own schedule for backing up log event records to a centralized log management solution, based on an assessment of the risk that log event records could be corrupted or altered at the point of origin.
Backing up log event records to a separate server reduces the risk of a malicious actor altering them to remove traces of their activity. The CCSSA should review the security controls that protect log event records not only at the point of origin but also on the log management solution that provides the centralized storage: a backup that the same compromised accounts can write to provides no real protection.
The processes that copy log event records from the point of origin to the centralized log management server should be reviewed so the CCSSA can identify any risks to log data at rest and in transit. For example, if log event records are not forwarded to the centralized server immediately upon creation, protection of the records at the point of origin is especially important: the delay gives a malicious actor the opportunity to alter existing records before they are copied. Near-real-time forwarding and integrity protection of the records themselves (for example a hash chain that the central server verifies) narrow that window, but they do not close it for records that have not yet left the source system.
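The following is an added example, not code from the CCSS or from the author of this commentary, illustrating why the delay between record creation and shipping matters. It models a hash-chained log at the point of origin, a periodic shipper, and a central server that only accepts batches extending the chain it already holds. The record layout, the `OriginLog`/`CentralStore` classes and the sample events are all assumptions constructed for the illustration. Three scenarios are run: an attacker rewriting a record that has already been shipped (detected by comparing against the central copy), an attacker rewriting an unshipped record without re-linking the chain (rejected at ingest), and an attacker rewriting an unshipped record and recomputing the tail of the chain (accepted, because nothing outside the source system has seen those records yet).

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash carried by the first record of a chain


def canonical(event: dict) -> str:
    # Stable serialisation so the same event always hashes identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def chain_hash(prev_hash: str, event: dict) -> str:
    return hashlib.sha256((prev_hash + canonical(event)).encode()).hexdigest()


class OriginLog:
    """Log at the point of origin: each record carries the hash of its predecessor."""

    def __init__(self):
        self.records = []
        self.shipped = 0  # index of the first record not yet copied to the central server

    def append(self, event: dict) -> None:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({"seq": len(self.records), "prev": prev,
                             "event": event, "hash": chain_hash(prev, event)})

    def ship(self) -> list:
        """Copy everything not yet shipped (this is the 'periodic' backup)."""
        batch = self.records[self.shipped:]
        self.shipped = len(self.records)
        return batch

    def rewrite(self, seq: int, event: dict, recompute_tail: bool) -> None:
        """Simulated attacker edit at the source. With recompute_tail the chain is re-linked from seq onward."""
        self.records[seq]["event"] = event
        if recompute_tail:
            for i in range(seq, len(self.records)):
                prev = self.records[i - 1]["hash"] if i else GENESIS
                self.records[i]["prev"] = prev
                self.records[i]["hash"] = chain_hash(prev, self.records[i]["event"])


class CentralStore:
    """Central log server: accepts a batch only if it extends the chain it already holds."""

    def __init__(self):
        self.records = []
        self.last_hash = GENESIS

    def ingest(self, batch: list) -> bool:
        for rec in batch:
            ok = (rec["seq"] == len(self.records)
                  and rec["prev"] == self.last_hash
                  and chain_hash(rec["prev"], rec["event"]) == rec["hash"])
            if not ok:
                return False  # chain break: reject the batch and alert
            self.records.append(dict(rec))  # keep an independent copy
            self.last_hash = rec["hash"]
        return True


def _sample_events() -> list:
    # Constructed sample events for the illustration, not real log data.
    return [{"user": "svc_report", "action": "read", "obj": "daily_report"},
            {"user": "admin1", "action": "login", "src": "10.0.0.5"},
            {"user": "admin1", "action": "key_export", "obj": "hot_wallet"},
            {"user": "admin1", "action": "logout"}]


def scenario(tamper_seq: int, ship_before: int, recompute_tail: bool) -> dict:
    """Write 4 events, ship the first `ship_before`, tamper with record `tamper_seq`, then ship the rest."""
    origin, central = OriginLog(), CentralStore()
    events = _sample_events()
    for ev in events[:ship_before]:
        origin.append(ev)
    central.ingest(origin.ship())
    for ev in events[ship_before:]:
        origin.append(ev)
    # Attacker replaces the incriminating key export with a harmless read.
    origin.rewrite(tamper_seq, {"user": "admin1", "action": "read", "obj": "daily_report"}, recompute_tail)
    accepted = central.ingest(origin.ship())
    # Detected if the central server rejected the batch, or already holds a differing copy of that record.
    central_copy = central.records[tamper_seq] if tamper_seq < len(central.records) else None
    detected = (not accepted) or (central_copy is not None and central_copy != origin.records[tamper_seq])
    return {"accepted": accepted, "detected": detected}


if __name__ == "__main__":
    print("already shipped, tail recomputed:", scenario(2, 4, True))
    print("not yet shipped, no recompute:  ", scenario(2, 2, False))
    print("not yet shipped, tail recomputed:", scenario(2, 2, True))
```

The third scenario is the one the delay creates: because the central server has not yet anchored the hash of record 2, a re-linked tail is indistinguishable from an honest one. The shorter the shipping interval, the fewer records sit in that unanchored window, which is the practical argument for near-real-time forwarding alongside hardening of the source system.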