Within the immense framework that is GDPR, one clause invokes a topic that the security community finds particularly interesting, though not much fun: audit logging. Article 30 (Records of Processing Activities) requires controllers and processors to maintain records of their processing activities and to make those records available to the supervisory authority on request. In practice, demonstrating that the records reflect what actually happened means keeping some form of application or security log that provides an audit trail of the actions taken against personal data from the time of its creation to its erasure.
The GDPR requirements that make audit logging critical have a broad impact on the future security posture of organisations. A brief read through the articles of GDPR shows that audit logging bears on an organisation's data protection implementation (Article 25), the presence and effectiveness of security controls (Article 32), breach notification and communication (Articles 33 and 34), erasure (Article 17), and the visibility of the overall data attack surface.
Article 25 (Data Protection by Design and by Default) – A data protection implementation must be able to demonstrate that actions taken against data in the processing environment are manageable and traceable. The audit logs that provide this traceability must record the actions of end users as well as those of privileged or administrative users; administrative accounts are the ones most able to alter or delete data, and unless the logging pipeline is protected from them, the logs themselves.
Article 32 (Security of Processing) – To prove that security controls exist within the data processing environment, audit logs provide documentation that those controls are in place and functioning properly. Article 32 also asks for the ongoing integrity and availability of processing systems, and that requirement applies to the logs themselves: an audit trail that an attacker or a careless administrator can truncate or rewrite proves little.
Articles 33 and 34 (Breach Notification and Communication) – Organisations need to capture security events in the form of audit logs so they can confirm whether a breach has taken place and, if so, measure its impact and determine what must be reported to the supervisory authority (Article 33, within 72 hours of becoming aware of the breach where feasible) and communicated to the affected data subjects (Article 34). Without a reliable log, both the 72-hour clock and the scope of the notification rest on guesswork.
Article 17 (Right to Erasure) – When a data subject requests that their information be purged, the same visibility that detects a data breach can be used to validate that the erasure was carried out everywhere the data was held and to communicate the outcome to the requestor. One caveat: the log entry that records the erasure must not itself retain the personal data it reports as erased, or the evidence of fulfilment defeats the right it is meant to prove.
With the GDPR compliance deadline of 25 May 2018 fast approaching, audit logs give organisations critical insight into both the security controls that protect their overall data attack surface and their information processing activities. Both are mandatory in order to comply with GDPR and to demonstrate the proper handling of personal data from creation to deletion.
By Andrew Nielsen, CISSP, CISA, ISSAP, ISSMP, CCSK, Chief Trust Officer, Druva