How to design audit log policy
Enabling audit logging is an issue, as we discussed before. But leave the decision on this feature to management; whatever they decide, we still need to write an audit log policy to ensure the logging activities are effective.
Here are some topics that should be made clear in an audit log policy:
1. Event logging
Which activities should be logged: all administrator activities, or only sensitive activity by certain users. Another approach is time-based logging, where the audit log is enabled only during working hours (note that activity outside those hours then goes unrecorded). The auditor should clearly state which events must be logged.
2. Log recording and archiving
Whether logs are archived to write-once disk, archived to tape storage, or simply kept on hard disk must also be stated in the log policy, as well as how long records of any security breaches will be archived.
3. Log review and access
Log review includes looking for unauthorized access attempts and other anomalies in the log results. The policy should also state which people and which automated tools are used to analyze the log results.
4. Log retention
How long the audit log will be stored, and after how long it can be deleted.
Do you have any other approach to designing audit log policy?