Logging and Monitoring (A.12 Operations security)

Logging of all access to personal data must take place. The access log must include the date and time of access, the UserID and the type of access (read, edit, delete; on sensitive data also view and search of data, etc.).

Security logging must be enabled on all network equipment, servers and on all applications including databases, and for IT system administrators – log files are to be timestamped and adequately protected against tampering and unauthorised access. Clocks should be synchronised to a single time source.

Logs must be monitored – e.g. by setting up rules for alarms if logs show abnormalities that the data processor should react to. A centralised system for collecting and reviewing security logs must as such be in place. Logs of access to personal data and the use of personal data must be monitored and available for review in order to detect unauthorised access to personal data.

It must be documented when and how often log files are reviewed and who has performed the control. Documentation must be available on request.

Failed login attempts must be logged and kept for 6 months in order to detect unauthorised access to personal data.