What is the requirement to have access to, knowledge about, or possession of data or a resource?

Record Retention

As the term implies, record retention involves retaining and maintaining important information. An organization should have a policy that defines what information is maintained and for how long. As it applies to the security infrastructure, in most cases the records in question are audit trails of user activity, which may include file and resource access, logon patterns, e-mail, and the use of privileges.

Retention Time Frames

Depending upon your industry and your relationship with the government, you may need to retain records for three years, seven years, or indefinitely. In most cases, a separate backup mechanism is used to create archived copies of sensitive audit trails and accountability information. This allows the main data backup system to periodically reuse its media without violating the requirement to retain audit trails and the like.

If data about individuals is being retained by your organization, the employees and customers need to be made aware of it, such as in a conditional employment agreement or a use agreement. In many cases the notification requirement is a legal issue, whereas in others it is simply a courtesy. In either case, it is a good idea to discuss the issue with a lawyer.

Media, Destruction, and Security

The media used to store or retain audit trails must be properly maintained. This includes taking secure measures for the marking, handling, storage, and destruction of media. For details on handling sensitive media, please see the section titled “Sensitive Information and Media” in Chapter 13, “Administrative Management.” Retained records should be protected against unauthorized and untimely destruction, against alteration, and against hindrances to availability. Many of the same security controls used to protect online resources and assets can be imposed to protect audit logs, audit trails, audit reports, and backup media containing audit information.
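Protecting retained audit records "against alteration" and "against untimely destruction" is usually implemented with a tamper-evident log: each record carries a keyed hash that also covers the previous record's tag, so rewriting or removing any record breaks every later tag. The following is an added example written for this page, not code from the original text; the key, the event format and the sample events are all constructed assumptions. It also shows the one case a hash chain alone misses (records cut off the end of the trail), which is why the latest tag must additionally be anchored somewhere the log writer cannot reach, the electronic counterpart of the off-site backup copy the text calls for.

```python
import copy
import hashlib
import hmac
import json

# Hypothetical key for the example. In a real deployment it lives with a
# separate log-integrity service (or an HSM), never on the host whose
# activity is being logged, so an intruder who owns the host cannot re-sign
# a doctored trail.
LOG_KEY = b"example-log-integrity-key"
GENESIS_TAG = "0" * 64


def canonical(entry: dict) -> bytes:
    """Stable serialization so the same event always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def record_tag(key: bytes, prev_tag: str, entry: dict) -> str:
    """HMAC-SHA256 over (previous tag || event).

    Because the previous tag is part of the input, altering or deleting any
    earlier record changes every tag that follows it.
    """
    return hmac.new(key, prev_tag.encode() + canonical(entry), hashlib.sha256).hexdigest()


def append_record(chain: list, key: bytes, entry: dict) -> list:
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    chain.append({"entry": entry, "tag": record_tag(key, prev_tag, entry)})
    return chain


def verify_chain(chain: list, key: bytes) -> tuple:
    """Return (True, -1) if every record links to its predecessor,
    otherwise (False, index of the first record that fails)."""
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(chain):
        if not hmac.compare_digest(record_tag(key, prev_tag, rec["entry"]), rec["tag"]):
            return False, i
        prev_tag = rec["tag"]
    return True, -1


def verify_anchor(chain: list, anchor_tag: str) -> bool:
    """Chain verification cannot see records cut off the end of the trail.
    The newest tag must also be stored out of the log writer's reach and
    compared against the chain's last tag."""
    last = chain[-1]["tag"] if chain else GENESIS_TAG
    return hmac.compare_digest(last, anchor_tag)


# Constructed sample audit events for the example (not real log data).
SAMPLE_EVENTS = [
    {"seq": 1, "ts": "2024-03-01T08:00:01Z", "user": "alice", "action": "logon", "result": "success"},
    {"seq": 2, "ts": "2024-03-01T08:04:37Z", "user": "alice", "action": "read",
     "object": "/hr/salaries.xlsx", "result": "success"},
    {"seq": 3, "ts": "2024-03-01T08:05:02Z", "user": "bob", "action": "logon", "result": "failure"},
    {"seq": 4, "ts": "2024-03-01T08:05:09Z", "user": "bob", "action": "logon", "result": "failure"},
]


def build_sample_chain(key: bytes = LOG_KEY) -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append_record(chain, key, event)
    return chain


def altered_chain(key: bytes = LOG_KEY) -> list:
    """Attacker rewrites a record in place (a failed logon becomes a success)."""
    chain = copy.deepcopy(build_sample_chain(key))
    chain[2]["entry"]["result"] = "success"
    return chain


def spliced_chain(key: bytes = LOG_KEY) -> list:
    """Attacker deletes a record from the middle of the trail."""
    chain = build_sample_chain(key)
    del chain[1]
    return chain


def truncated_chain(key: bytes = LOG_KEY) -> list:
    """Attacker drops the newest records; only the anchor check catches this."""
    return build_sample_chain(key)[:-1]


if __name__ == "__main__":
    good = build_sample_chain()
    anchor = good[-1]["tag"]
    print("intact:   ", verify_chain(good, LOG_KEY), verify_anchor(good, anchor))
    print("altered:  ", verify_chain(altered_chain(), LOG_KEY))
    print("spliced:  ", verify_chain(spliced_chain(), LOG_KEY))
    print("truncated:", verify_chain(truncated_chain(), LOG_KEY),
          verify_anchor(truncated_chain(), anchor))
```

The chain makes alteration and deletion detectable; it does not prevent them, and it proves nothing if the verifier uses a key the attacker could have obtained. Keep the key and the anchored tag with whoever audits the audit trail, not with the system that produces it.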
Access to audit information should be strictly controlled. Audit information can be used in inference attacks to discover information about higher classifications of data; thus audit logs containing records about highly confidential assets should be handled in the same secure manner as the actual assets. Another way of stating this is that when an audit log is created, you are creating another asset with the same security needs as the original audited asset. As the value of the assets and the audit data goes up and risk increases, so does the need for stronger security and more frequent backups of the audit information.

Audit data should be treated with the same security precautions as all other high-classification data within an IT environment. It should be protected by physical and logical security controls, it should itself be audited, it should be regularly backed up, and the backup media should be stored off site in a controlled facility. The backup media hosting audit data should be protected from loss, destruction, alteration, and unauthorized physical and logical access. The integrity of audit data must be maintained and protected at all times. If audit data is not accurate, it is useless.

External Auditors

It is often necessary to test or verify the security mechanisms deployed in an environment. The test process is designed to ensure that the requirements dictated by the security policy are followed and that no significant holes or weaknesses exist in the deployed security solution. Many organizations conduct independent audits by hiring outside or external security auditors to check the security of their environment. External audits provide a level of objectivity that an internal audit cannot. An external auditor is given access to the company’s security policy and the authorization to inspect every aspect of the IT and physical environment. Thus the auditor must be a trusted entity.
The goal of the audit activity is to obtain a final report that details any findings and suggests countermeasures when appropriate. However, an audit of this type can take a considerable amount of time to complete, weeks or months in fact. During the course of the audit, the auditor may issue interim reports. An interim report is a written or verbal report given to the organization about a discovered security weakness that needs immediate attention. Interim reports are issued whenever a problem or issue is too severe to wait until the final audit report is issued.

Once the auditor completes their investigation, an exit conference is held. During the exit conference, the auditor presents their findings and discusses resolution issues with the affected parties. However, only after the exit conference is over and the auditor has left the premises does the auditor write and submit the final audit report to the organization. This allows the final audit report to be as unaffected as possible by office politics and coercion. After the final audit report is received, the internal auditors should verify whether or not the recommendations in the report are carried out. However, it is the responsibility of senior management to select which recommendations to follow and to delegate the implementation to the security team.

Monitoring

Monitoring is a form of auditing that focuses on the active review of the audited information or the audited asset. For example, you would audit the activity of failed logons, but you would monitor CPU performance. Monitoring is most often used in conjunction with performance, but it can be used in a security context as well. Monitoring can focus on events, subsystems, users, hardware, software, or any other object within the IT environment. A common implementation of monitoring is known as illegal software monitoring.
This type of monitoring is used to watch for attempted or successful installation of unapproved software, use of unauthorized software, or unauthorized use of approved software (i.e., attempts to bypass the restrictions of the security classification hierarchy). Monitoring in this fashion reduces the likelihood of a virus or Trojan horse being installed or of software circumventing the security controls imposed.
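The two conditions named above, installation of unapproved software and unauthorized use of approved software, can be checked by reviewing the host's own records against a written policy. The example below is added for this page and is not code from the original text. It assumes a package allowlist, a table of restricted tools and the groups permitted to run them, a user-to-group directory, and two constructed inputs: a few lines in the style of a Debian dpkg.log and a few normalized process-execution events (the field names of those events are an assumption of the example, not any particular agent's format).

```python
import re
from dataclasses import dataclass

# Constructed policy data for the example (assumptions, not a real baseline).
APPROVED_PACKAGES = {"openssh-server", "python3", "curl", "vim"}

# Approved tools whose use is restricted to members of the listed groups:
# running one without membership is "unauthorized use of approved software".
RESTRICTED_TOOLS = {
    "/usr/bin/nmap": {"secops"},
    "/usr/bin/tcpdump": {"secops", "netops"},
}

# Constructed user directory.
USER_GROUPS = {"alice": {"secops"}, "bob": {"developers"}, "carol": {"netops"}}

# dpkg.log style: "<date> <time> install <pkg>[:<arch>] <old-version> <new-version>"
INSTALL_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) install "
    r"(?P<pkg>[^:\s]+)(?::\S+)? (?P<old>\S+) (?P<new>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str      # "unapproved_install" or "unauthorized_use"
    subject: str   # package name or user name
    detail: str


def scan_install_log(lines) -> list:
    """Flag every package install that is not on the allowlist."""
    findings = []
    for line in lines:
        m = INSTALL_LINE.match(line.strip())
        if m is None:
            continue  # status/upgrade/remove lines are not new installs
        if m["pkg"] not in APPROVED_PACKAGES:
            findings.append(Finding("unapproved_install", m["pkg"],
                                    f"{m['ts']} installed version {m['new']}"))
    return findings


def scan_exec_events(events) -> list:
    """Flag restricted tools run by users outside the permitted groups."""
    findings = []
    for ev in events:
        allowed_groups = RESTRICTED_TOOLS.get(ev["exe"])
        if allowed_groups is None:
            continue  # not a restricted tool
        if not USER_GROUPS.get(ev["user"], set()) & allowed_groups:
            findings.append(Finding(
                "unauthorized_use", ev["user"],
                f"{ev['ts']} ran {ev['exe']} without membership in {sorted(allowed_groups)}"))
    return findings


# Constructed sample inputs (not real logs).
SAMPLE_DPKG_LOG = [
    "2024-03-01 10:12:03 install curl:amd64 <none> 7.88.1-10",
    "2024-03-01 10:12:09 status installed curl:amd64 7.88.1-10",
    "2024-03-01 11:40:55 install netcat-traditional:amd64 <none> 1.10-47",
    "2024-03-02 08:02:14 upgrade vim:amd64 2:9.0.1378-2 2:9.0.1378-3",
]
SAMPLE_EXEC_EVENTS = [
    {"ts": "2024-03-01T09:00:00Z", "user": "alice", "exe": "/usr/bin/nmap"},
    {"ts": "2024-03-01T09:15:00Z", "user": "bob", "exe": "/usr/bin/nmap"},
    {"ts": "2024-03-01T09:20:00Z", "user": "bob", "exe": "/usr/bin/vim"},
    {"ts": "2024-03-01T09:30:00Z", "user": "carol", "exe": "/usr/bin/tcpdump"},
]


def run_sample() -> list:
    return scan_install_log(SAMPLE_DPKG_LOG) + scan_exec_events(SAMPLE_EXEC_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:20} {f.subject:20} {f.detail}")
```

On the sample input this reports the netcat install (not on the allowlist) and bob's nmap run (an approved tool, but bob is not in secops); alice's and carol's runs and bob's use of vim pass. Two caveats a practitioner would want: a package-manager log only records software that went through the package manager, so binaries copied in by hand need file-integrity or process telemetry to be seen at all; and this is review after the fact, which is what the text means by monitoring, not the enforcement that application allowlisting provides.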