S 2.110 Data privacy guidelines for logging procedures

Initiation responsibility: Head of IT Section, data privacy officer

Implementation responsibility: Administrators, data privacy officer

In terms of data security, logging as part of IT-systems operation constitutes the manual or automatic generation of records which make it possible to determine "who accessed or performed what, when, using which resources." These records should also indicate system states, i.e. "who had which access rights for which period of time."

The nature and scope of logging depends on general data privacy laws as well as locally applicable guidelines.

The logging of administrative activities is equivalent to system monitoring, while the logging of user activities serves essentially as process monitoring. Accordingly, requirements concerning the nature and scope of system-oriented logging originate primarily from general data privacy laws, while process-oriented logging is defined mainly by locally applicable guidelines. Examples of process-oriented logging guidelines are registration laws, police laws and constitutional laws.

Minimum requirements for logging

The following activities must be logged fully during the administration of IT systems:

• System generation and modification of system parameters

As system-controlled logs are usually not generated on this level, detailed manual records corresponding to the system documentation are required here.

• Configuration of users

Complete records must be maintained as to which rights to use an IT system were granted by whom to which people for which periods of time. Long-term retention periods must be specified for these logs, as they form the basis for practically every method of review.

• Preparing rights profiles

One important logging task as part of user administration is to maintain a record of the people who issued instructions to configure individual user rights (also refer to S 2.31 Documentation on authorised users and on rights profiles).

• Installation and modification of application software

Logs in this context indicate the outcome of releasing programs and processes.

• Modifications to file organisation

In view of the numerous possibilities of manipulation during the use of standard file management systems, complete logging is of particular importance here (for example, as regards database management).

• Implementation of data backup measures

As such measures (backup, restore) are related to the copying and overwriting of data stocks, and are mainly required in exceptional cases, logging is of special importance in this context.

• Use of administration tools

The usage of all administration tools must be protocoled to help ascertain whether unauthorised people have subversively acquired system administration rights.

• Attempts at unauthorised login and transgressions of rights

Given effective authentication procedures and an appropriate allocation of rights, particular emphasis must be laid on maintaining a complete record of all "abnormalities" occurring during login and the use of hardware/software components. System administrators are also to be considered as users in this context.

During the processing of person related data, the following user activities must be logged selectively or fully in accordance with the sensitivity of the processes and information involved:

• Input of data

Input monitoring is always process-oriented (e.g. logging in files if these are used, direct logging in the data stock if no files are used). Even if transgressions of rights are assumed to be logged using a different technique, complete logging of data inputs should be considered as a standard procedure.

• Data transfer

Selective logging of data transfer can be considered sufficient only if complete logging is not legally specified.

• Use of automatic retrieval procedures

Complete logging of retrieval and the reasons underlying them (procedure, reference, etc.) is generally necessary to detect unauthorised handling outside the scope of the access rights granted.

• Deletion of data

The deletion of data must be logged.

• Invocation of programs

It might be necessary to log the invocation of especially sensitive programs which, for example, must only be used during certain periods or on certain occasions. Complete logging is recommended in such cases. This also makes it possible to exonerate authorised users (proof of exclusive right to invoke a program).

Appropriation of log data

In accordance with the almost fully identical data privacy regulations applicable on the federal and state levels, log data are largely immune to appropriation (e.g. § 14 Sec. 4 and § 31 BDSG, § 13 Abs. 5 HDSG). Such data must only be used for the purposes for which they were originally saved. These purposes usually consist of general monitoring tasks specified in a security concept, "checks for the proper usage of programs for processing person related data" stipulated by most data security laws (for example, refer to § 18 Sec. 2 BDSG, § 8 Abs. 3 LDSG-SH) and monitoring by internal or external data security officers. Only in exceptional cases do locally applicable regulations allow the appropriation of such data for other purposes such as criminal prosecution.

Storage period

Unless specified otherwise by locally applicable regulations, the storage period for logs is defined by the deletion guidelines forming part of generally applicable data privacy laws. The "fulfilment of responsibilities" is used as a yardstick here. If no compelling reasons exist for the further retention of log data, these must be deleted by law (for example, refer to § 20 Sec. 2 BDSG).

The following factors serve as orientation here:

• The probability that irregularities might still be detected

• The possibility of ascertaining the reasons for such irregularities using the logs and other documents

Empirical results have shown that a retention period of one year is sufficient here.

Shorter retention periods should be considered for logs which are prepared for the purpose of selective checks. Storage up to the point of actual checking is usually adequate. Here, too, locally applicable regulations must be observed.

Basic technical and organisational requirements

The effectiveness of logging and its evaluation as part of monitoring depends decisively on technical and organisational conditions. In this context, the following aspects should be considered:

• A review concept should be prepared for the purpose of clearly defining the purpose of the logs and their monitoring functions, as well as security mechanisms for the rights of users and other people involved.

• Measures must be taken to ensure the inevitability and completeness of the logging functions, and to safeguard entries in the log files against manipulation.

• In accordance with the degree of appropriation applicable to the data stock, effective access restrictions must be implemented.

• The logs must be designed to allow effective checking. This also includes IT-supported evaluations.

• Possibilities of evaluation should be ascertained and stipulated at the start.

• Checks must be performed sufficiently often to prevent damage and allow the initiation of appropriate measures following the discovery of violations. Timely checks must be carried out before the expiry of retention periods for log files.

• Checks must be performed in accordance with the two person rule.

• Responses to violations detected through the monitoring of logs should be defined at the start.

• Employees should be made aware of the fact that checks are performed routinely and, if necessary, without prior notice.

• Automatic procedures (e.g. watch dogs) should be used for routine checks.

• The staff and works councils should be involved in the preparation of the review concept and the stipulation of log evaluation techniques