YALE-MSS-13.1.3: Ensure adequate space to log data. Logs should be kept for a minimum of 90 days.

Standard:
YALE-MSS-13.1: Ensure logging contains information required for incident response

Low Risk Endpoint: Not Required
Moderate Risk Endpoint: Not Required
High Risk Endpoint: Not Required
Low Risk Server: Required
Moderate Risk Server: Required
High Risk Server: Required
Low Risk Mobile Device: Not Required
Moderate Risk Mobile Device: Not Required
High Risk Mobile Device: Not Required
Low Risk Network Printer: Not Required
Moderate Risk Network Printer: Not Required
High Risk Network Printer: Not Required

Details

Incidents are often not detected immediately; detection can lag by hours or days. Having sufficient logs to investigate an incident allows Yale to properly assess what happened, so we are not forced to assume what happened.

Logs are essential for properly scoping and investigating an incident.

Measure your log volume and be able to accommodate it.

Do you know where your logs are going to be stored?
Have you done capacity sizing and planning at a storage location?

Is there any monitoring in place to let you know if you are running out of space?

Have you checked after 60 days to see whether automatic log rotation or pruning is removing logs?

Do you have the number of logs you were expecting? Too many? Too few?
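
One way to answer the questions above for a single log directory, as an added example that is not part of the Yale standard: it measures average daily volume, projects the space a 90-day window needs, and flags early pruning and days with no logs. It assumes logs are rotated into one file per day, so file modification time approximates the day written; `retention_report` and `logging_since_days` are hypothetical names.

```python
import os
import shutil
import time
from collections import defaultdict

RETENTION_DAYS = 90   # minimum retention stated in YALE-MSS-13.1.3
DAY = 86400           # seconds


def retention_report(log_dir, logging_since_days, now=None, free_bytes=None):
    """Check one log directory against the questions in this standard.

    logging_since_days (assumed input): days since logging was enabled here.
    File modification time stands in for "day written", which is approximate.
    """
    now = time.time() if now is None else now
    if free_bytes is None:
        free_bytes = shutil.disk_usage(log_dir).free
    per_day = defaultdict(int)  # age in whole days -> bytes
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            st = os.stat(os.path.join(root, name))
            per_day[max(0, int((now - st.st_mtime) // DAY))] += st.st_size
    if not per_day:
        return {"findings": ["no logs found"]}
    total = sum(per_day.values())
    oldest = max(per_day)
    span = oldest + 1                          # days covered on disk
    daily = total / span                       # average bytes per day
    needed = daily * RETENTION_DAYS            # bytes for a full window
    gaps = [d for d in range(span) if d not in per_day]
    findings = []
    if needed > total + free_bytes:
        findings.append("not enough space for %d days" % RETENTION_DAYS)
    if span < min(logging_since_days, RETENTION_DAYS):
        findings.append("logs pruned before %d days" % RETENTION_DAYS)
    if gaps:
        findings.append("no logs written on %d day(s)" % len(gaps))
    return {"daily_bytes": daily, "needed_bytes": needed, "oldest_days": oldest,
            "gap_days": gaps, "findings": findings}


if __name__ == "__main__":
    import sys
    print(retention_report(sys.argv[1], logging_since_days=int(sys.argv[2])))
```

Run it with the log directory and the number of days logging has been enabled; an empty findings list means the directory currently satisfies all three checks.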