
	Home > Ask the Security Experts > Expert Archive: Security Management Questions & Answers > How to prevent audit-logging system from storing passwords?

Ask The Security Expert: Questions & Answers

EMAIL THIS

How to prevent audit-logging system from storing passwords?

EXPERT RESPONSE FROM: Mike Rothman, past SearchSecurity.com expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 07 June 2007
By policy mandates, my agency does not want our audit-logging system to store passwords or email message bodies. My fear is if a server isn't configured properly, it could do just that. Do you recommend combing through the active log file and removing any entries that violate policy, or should we simply accept that these violations will occur?

BROWSE BY TAG

Expert Archive: Security Management, Security Audit, Compliance and Standards, Data Privacy and Protection, Information Security Policies, Procedures and Guidelines, Information Security Management, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Expert Archive: Security Management
	What is the GISP certification and how does it compare to the CISSP certification?
	Using a QSA to write up a PCI DSS report on compliance (ROC)
	How can gap analysis be applied to the security SDLC?
	Comparing low-cost security appliances to bigger, pricier appliances
	What are some tips on protecting my security budget in a poor economy?
	What value do research firms provide to their subscribing enterprises?
	What certificate offers the best ROI for an IT project manager?
	Is insider activity or outsider activity a bigger enterprise threat?
	How does information security prevent fraud in the enterprise?
	Differences between an SAS 70 data center and a Tier III data center

Data Privacy and Protection

How to write a risk methodology that blends business, security needs

PCI compliance requirement 3: Protect data

Mass. Senate seeks to amend, weaken data breach notification law

Bruce Schneier and Marcus Ranum Face-Off: Should We Have an Expectation of Online Privacy?

Kodak CISO on virtualization, compliance

Federal efforts to secure cyberinfrastrucure

Attackers cash in on fundamental data handling mistakes, Verizon finds

RSA panel to discuss surveillance, privacy concerns

Mass. officials explain new data protection regulations

HIPAA changes force healthcare to improve data flow

Data Privacy and Protection Research

Information Security Policies, Procedures and Guidelines

Twitter risks, Facebook threats trouble security pros

Cybersecurity czar candidate questions clout of new position

Incident response planning

The basics of enterprise GRC project management

RSA council addresses growing security risks in the cloud

How to write a risk methodology that blends business, security needs

Risk management must include physical-logical security convergence

DHS fills National Cybersecurity Center post

New partnerships, creative thinking help security bust recession

Experts optimistic of Obama cybersecurity plan

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

cypherpunk (SearchSecurity.com)

Data Encryption Standard (SearchSecurity.com)

P3P (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

The answer to this question is both. The reality is some personal information and email will be logged. Whether it's a server configuration error, a user mistake or a design "feature." If an agency is going to aggressively log network and system activity, this kind of thing is going to happen.

So first, I'd question whether the "policy mandate" is realistic. If that's one of those "non-negotiable" types of policies, then the best bet is to work on configuring the organization's applications, servers and networks to prevent these kinds of issues. At first, it will be necessary to comb through the logs to figure out how and when sensitive data is captured, and then either fix the offending server, or stop pulling those log files. That sounds like a pretty simple answer, but I'm not a fan of making things more complicated than they need to be. I don't believe that tearing through log files ad infinitum is the right answer.

The last suggestion I'd make is to roll the logs frequently. Combing through log files is manual, non-leverageable and not the best use of time. If logs are only kept for a certain period of time, then the possibility of a violation actually happening -- meaning you get caught -- is relatively small. Of course, the window has to be long enough so in the event of an incident there's enough data to appropriately contain and remediate the issue.

For more information:

In this SearchSecurity.com Q&A, security expert Joel Dubin discusses the problems associated with storing void user IDs in an audit history.

Learn how to build a corporate culture of policy compliance.

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business
Targeted Security Channel Tips for Resellers, Integrators and Consultants

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy