Which security protocol have most community banks failed to implement, despite several years of FDIC recommendations in audit reports? Event Log Monitoring!
Event log monitoring is an important security management practice, but many local and regional banks still do not follow it. Many FDIC auditors' recommendations include a daily review of all security events and retention of event logs for 12 months, with reporting capabilities in case the logs are needed for forensic review at a later date.
As a security risk consultant, I advise clients—especially those subject to regulatory compliance—to consider an enhanced security management system that incorporates log monitoring. In fact, vulnerability management, including event log management, is one of the 7 signs your Security Risk Management may be inadequate that I covered in an earlier blog post.
One of the key benefits of an event log monitoring and management system is that it helps identify and respond to security incidents much more quickly. In most cases, organizations are not aware of data breaches for weeks or even months. In these cases, a forensic audit requires a thorough review of event log history with reporting capabilities.
PCI to endorse event log monitoring
In 2015 the Payment Card Industry (PCI) recommended similar event log monitoring and management for businesses handling credit card payments. In a report on the Information Security Media Group’s Bank Info Security blog, PCI Security Standards Council CTO Troy Leach discusses the electronic security organization’s decision to issue the recommendation. “Log monitoring is one of the most underused business tools available today,” Leach said. “This is an opportunity for us to give practical advice about what you should be looking for and how you can adequately monitor all of these logs.”
What else should I know about event logs and risk management?
Actively monitoring and managing a financial institution’s event logs is an essential security practice and should be incorporated as part of a formal vulnerability management process. Financial institutions need to facilitate timely identification of attempted intrusions as well as remediation of new critical vulnerabilities in order to reduce risk management costs.
Effective risk management requires more than periodic vulnerability reviews, however. I advise clients to conduct an annual security risk assessment, which involves a more comprehensive review of risk factors and probability of occurrence, as well as a Gap Analysis of existing IT security controls as required by GLBA guidelines. This should also provide the basis for the development of an annual Security Risk Management plan.