9.1
Types of event recorded.-(1) The Certifying Authority shall maintain a record of all events relating to the security of his system. The records should be maintained in an audit log file and shall include such events as:
(i) System start-up and shutdown;
(ii) Certifying Authority's application start-up and shutdown;
(iii) Attempts to create, remove, set passwords or change the system privileges of the PKI Master Officer, PKI Officer, or PKI Administrator;
(iv) Changes to keys of the Certifying Authority or any of his other details;
(v) Changes to Digital Signature Certificate creation policies, e.g. validity period;
(vi) Login and logoff attempts;
(vii) Unauthorised attempts at network access to the Certifying Authority's system;
(viii) Unauthorised attempts to access system files;
(ix) Generation of own keys;
(x) Creation and revocation of Digital Signature Certificates;
(xi) Attempts to initialize, remove, enable, and disable subscribers, and update and recover their keys;
(xii) Failed read-and-write operations on the Digital Signature Certificate and Certificate Revocation List (CRL) directory.
(2) Monitoring and Audit Logs
(i) A Certifying Authority should consider the use of automated security management and monitoring tools providing an integrated view of the security situation at any point in time. Records of the following application transactions shall be maintained:
(a) Registration;
(b) Certification;
(c) Publication;
(d) Suspension; and
(e) Revocation.
(ii) Records and log files shall be reviewed regularly for the following activities:-
(a) Misuse;
(b) Errors;
(c) Security violations;
(d) Execution of privileged functions;
(e) Change in access control lists;
(f) Change in system configuration.
(3) All logs, whether maintained through electronic or manual means, should contain the date and time of the event, and the identity of the subscriber/subordinate/entity which caused the event.
(4) A Certifying Authority should also collect and consolidate, either electronically or manually, security information which may not be generated by his system, such as:
(i) Physical access logs;
(ii) System configuration changes and maintenance;
(iii) Personnel changes;
(iv) Discrepancy and compromise reports;
(v) Records of the destruction of media containing key material, activation data, or personal subscriber information.
(5) To facilitate decision-making, all agreements and correspondence relating to services provided by the Certifying Authority should be collected and consolidated, either electronically or manually, at a single location.
9.2
Frequency of Audit Log Monitoring.-The Certifying Authority must ensure that its audit logs are reviewed by its personnel at least once every two weeks and all significant events are detailed in an audit log summary. Such reviews should involve verifying that the log has not been tampered with, and then briefly inspecting all log entries, with a more thorough investigation of any alerts or irregularities in the logs. Action taken following these reviews must be documented.
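The following is an added illustration and is not part of the Rules or of any Certifying Authority's system. It shows one way to record the fields required by para 9.1(3) (date and time, and the identity that caused the event) in a hash-chained audit log, and to carry out the two steps of the review described in para 9.2: first verifying that the log has not been tampered with, then inspecting the entries for the activities listed in para 9.1(2)(ii). The event names, the review categories, the failed-login threshold and the sample entries are assumptions of this example. The check also covers the case a plain hash chain misses: entries deleted from the end of the log, which are only detected when the reviewer compares the current head hash against the one noted in the previous audit log summary.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain value before the first entry of an empty log


def _entry_hash(prev_hash, record):
    """SHA-256 over the previous link and the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_event(log, actor, event, detail="", when=None):
    """Append one entry with the fields para 9.1(3) requires: the date and
    time of the event and the identity that caused it. Returns the new head."""
    record = {
        "time": when or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "event": event,
        "detail": detail,
    }
    prev = log[-1]["hash"] if log else GENESIS
    log.append({**record, "hash": _entry_hash(prev, record)})
    return log[-1]["hash"]


def verify_chain(log, checkpoint=None):
    """First step of a para 9.2 review: recompute every link.
    Returns (True, None) if intact, else (False, index of the first bad entry).
    `checkpoint` is the head hash the reviewer noted in the previous audit
    summary; without it, deleting entries from the end is undetectable."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "hash"}
        if _entry_hash(prev, record) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if checkpoint is not None and prev != checkpoint:
        return False, len(log)  # internally consistent but truncated
    return True, None


# Assumed event names, mapped to the review categories of para 9.1(2)(ii).
REVIEW_CATEGORY = {
    "ca_key_change": "execution of privileged function",
    "cert_policy_change": "execution of privileged function",
    "officer_privilege_change": "execution of privileged function",
    "acl_change": "change in access control list",
    "config_change": "change in system configuration",
    "unauthorised_network_access": "security violation",
    "unauthorised_file_access": "security violation",
    "crl_write_failed": "error",
}


def review(log, max_failed_logins=3):
    """Second step of a para 9.2 review: inspect every entry and return the
    irregularities as (index, category, actor) for the audit log summary."""
    findings = []
    failed_logins = {}
    for i, entry in enumerate(log):
        category = REVIEW_CATEGORY.get(entry["event"])
        if category:
            findings.append((i, category, entry["actor"]))
        elif entry["event"] == "login_failed":
            n = failed_logins.get(entry["actor"], 0) + 1
            failed_logins[entry["actor"]] = n
            if n == max_failed_logins:
                findings.append((i, "misuse: repeated login failures", entry["actor"]))
    return findings


def build_sample_log():
    """Constructed sample entries for this demonstration, not real CA records."""
    log = []
    t = "2024-01-15T09:00:00+00:00"
    append_event(log, "system", "startup", when=t)
    append_event(log, "pki_officer_1", "login_ok", when=t)
    append_event(log, "pki_officer_1", "cert_issued", "serial 1A2B", when=t)
    for _ in range(3):
        append_event(log, "unknown", "login_failed", when=t)
    append_event(log, "pki_master_officer", "cert_policy_change", "validity 1y to 2y", when=t)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]  # what the reviewer would record off-host
    print("intact:", verify_chain(log, head))
    tampered = [dict(e) for e in log]
    tampered[2]["actor"] = "pki_admin_2"  # rewrite who issued the certificate
    print("edited entry:", verify_chain(tampered))
    print("truncated, no checkpoint:", verify_chain(log[:-1]))
    print("truncated, with checkpoint:", verify_chain(log[:-1], head))
    for finding in review(log):
        print("review:", finding)
```

A hash chain makes modification and deletion evident to the reviewer; it does not prevent them, so it complements rather than replaces the access controls on the log files required by para 9.4. The head hash recorded at each fortnightly review should be kept where a person able to rewrite the log cannot also rewrite the checkpoint, for example in the signed audit log summary.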
9.3
Retention Period for Audit Log.-The Certifying Authority must retain its audit logs on site for at least twelve months and subsequently retain them in the manner described in Para 10 of the Information Technology Security Guidelines as given in Schedule II.
9.4
Protection of Audit Log.-The electronic audit log system must include mechanisms to protect the log files from unauthorized viewing, modification, and deletion.
Manual audit information must be protected from unauthorised viewing, modification and destruction.
9.5
Audit Log Backup Procedures.-Audit logs and audit summaries must be backed up or copied if in manual form.
9.6
Vulnerability Assessments.-Events in the audit process are logged, in part, to monitor system vulnerabilities. The Certifying Authority must ensure that a vulnerability assessment is performed, reviewed and revised, if necessary, following an examination of these monitored events.