So first, I'd question whether the "policy mandate" is realistic. If that's one of those "non-negotiable" types...
of policies, then the best bet is to work on configuring the organization's applications, servers and networks to prevent these kinds of issues. At first, it will be necessary to comb through the logs to figure out how and when sensitive data is captured, and then either fix the offending server, or stop pulling those log files. That sounds like a pretty simple answer, but I'm not a fan of making things more complicated than they need to be. I don't believe that tearing through log files ad infinitum is the right answer.
The last suggestion I'd make is to roll the logs frequently. Combing through log files is manual, non-leverageable and not the best use of time. If logs are only kept for a certain period of time, then the possibility of a violation actually happening -- meaning you get caught -- is relatively small. Of course, the window has to be long enough so in the event of an incident there's enough data to appropriately contain and remediate the issue.
For more information:
Related Q&A from Mike Rothman, Contributor
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.