S 5.9 Logging at the Server

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

The logging possible on the network server should be activated to a sensible degree. The Network Administrator must review the network server log files at regular intervals. All security-relevant events should be logged. In this context, the following occurrences are of particular interest:

• entry of an incorrect password for a user ID through to blocking of the user ID when the maximum permitted number of unsuccessful attempts has been reached,

• attempts to gain unauthorised access,

• power failure,

• data on network utilisation and network overload.

How many other events are logged will depend to a certain extent on the protection requirements of the IT systems concerned. The greater the protection requirement, the more information should be logged.

As log files can become very long over time, the intervals at which they are evaluated should kept short. To enable appropriate analysis of the data, every protocol entry should include the user ID or process number, terminal device ID, date and time.

Additional controls:

• Who analyses the log files and at what intervals?

• Are the evaluations documented?