AAAI-11

Can you provide the institution documentation regarding the retention period for those logs, how logs are protected, and whether they are accessible to the customer (and if so, how)?

Explanation

This question is asking about your organization's practices regarding authentication, authorization, and account management logs. Specifically, it wants to know:

1. How long you keep these logs (retention period)
2. How you protect these logs from tampering or unauthorized access
3. Whether customers can access these logs, and if so, how they can do so

Authentication logs record who logged in, when, and from where. Authorization logs track what users attempted to access and whether they were permitted. Account management logs record when accounts are created, modified, or deleted.

This question is being asked in a security assessment because proper log management is crucial for security investigations, compliance, and accountability. If there's a security incident, these logs help determine what happened, who was involved, and how to prevent similar incidents. Inadequate log retention or protection could mean you lack the ability to investigate breaches or demonstrate compliance with regulations.

To best answer this question:

- Be specific about retention periods (e.g., "12 months" rather than "as required")
- Explain the technical and procedural controls that protect logs
- Clearly state whether customers can access logs and the exact mechanism for doing so
- If logs aren't available to customers, explain why and what alternatives exist
- Reference any relevant compliance standards you follow for log management

Guidance

Ensure that all elements of AAAI-11 are clearly stated in your response.

Example Responses

Example Response 1

Our authentication, authorization, and account management logs are retained for 24 months in accordance with our security policy and regulatory requirements. Logs are protected through multiple mechanisms: they are stored in a write-once-read-many (WORM) format to prevent tampering, encrypted at rest using AES-256, and access to logs is strictly limited to authorized security personnel through role-based access controls with multi-factor authentication. All access to logs is itself logged and reviewed. Customers can access relevant logs pertaining to their account activities through our secure customer portal. The portal provides filtered views of authentication events, access attempts, and account changes related to the customer's users. For security investigations, customers can also request more comprehensive logs through their account manager, which will be provided within 48 hours following our verification process.

Example Response 2

We maintain all authentication, authorization, and account management logs for a minimum of 13 months, with critical security events retained for 7 years. Our log protection strategy includes segregated storage in a dedicated logging infrastructure, integrity verification through cryptographic hashing, and encryption both in transit and at rest. Access to logs is restricted to our security operations team and requires both approval through our ticketing system and multi-factor authentication. Customer access to logs is provided through our API, which allows customers to query and retrieve their own authentication and access logs using their API credentials. The API includes filtering capabilities by date range, user, IP address, and event type. Additionally, we provide a monthly log summary report automatically to customer administrators, highlighting key security events and anomalies.

Example Response 3

Our current log retention policy keeps authentication logs for 30 days and authorization logs for 60 days. We do not currently have a formal protection mechanism specifically for these logs beyond our standard database backups and access controls. While we recognize this is an area for improvement in our security program, we have limited resources and have prioritized other security controls. Customers do not currently have direct access to these logs, but our support team can manually pull relevant log entries upon request during business hours. We are planning to implement a more robust logging infrastructure in the next 6-12 months that will include longer retention periods, better protection mechanisms, and a self-service portal for customers to access their own logs. In the meantime, we mitigate this limitation by having our security team perform regular log reviews to identify suspicious activities.
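The Explanation above and Example Response 2 both describe the three controls this question probes: a defined retention period, protection of the stored logs against tampering, and customer access that is scoped to the customer's own events. The Python sketch below is an added illustration, not code from this page or from ResponseHub, of one way those controls fit together for a single log type: each entry carries the hash of the previous entry plus an HMAC tag (the "integrity verification through cryptographic hashing" of Example Response 2), entries older than the retention period are purged from the head of the chain so the remainder still verifies, and a customer-facing query is always restricted to one tenant and supports the date-range, user, IP-address and event-type filters the example response mentions. The retention value, HMAC key, tenant names, IP addresses and events are all constructed for the demo.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone


class TamperEvidentLog:
    """Append-only log for one log type (e.g. authentication) with a hash chain.

    Every entry stores the SHA-256 of the previous entry's body and an HMAC tag
    over its own body, so editing, reordering or deleting a stored record breaks
    verification from that point on. The HMAC key is an assumption for this
    demo; in practice it is held by the logging infrastructure, not by tenants.
    """

    def __init__(self, key: bytes, retention_days: int):
        self._key = key
        self.retention_days = retention_days
        self.entries = []
        self._genesis = "0" * 64      # chain anchor; advances as old entries are purged
        self._prev_hash = self._genesis

    @staticmethod
    def _body(entry):
        # Canonical bytes of everything except the tag itself.
        return json.dumps({k: v for k, v in entry.items() if k != "tag"}, sort_keys=True).encode()

    def append(self, kind, tenant, actor, action, source_ip, ts):
        record = {
            "seq": len(self.entries) + (self.entries[0]["seq"] if self.entries else 0) if False else
                   (self.entries[-1]["seq"] + 1 if self.entries else 0),
            "kind": kind, "tenant": tenant, "actor": actor, "action": action,
            "source_ip": source_ip, "ts": ts.isoformat(), "prev": self._prev_hash,
        }
        body = self._body(record)
        record["tag"] = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        self._prev_hash = hashlib.sha256(body).hexdigest()
        self.entries.append(record)

    def verify(self):
        """Return (True, None) if the whole chain is intact, else (False, position)."""
        prev = self._genesis
        first_seq = self.entries[0]["seq"] if self.entries else 0
        for i, e in enumerate(self.entries):
            body = self._body(e)
            expected_tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
            if e["prev"] != prev or e["seq"] != first_seq + i:
                return False, i
            if not hmac.compare_digest(e["tag"], expected_tag):
                return False, i
            prev = hashlib.sha256(body).hexdigest()
        return True, None

    def purge_expired(self, now):
        """Drop entries older than the retention period from the head of the chain.

        The hash of the last purged entry becomes the new anchor, so the
        surviving entries still verify without rewriting any record.
        """
        cutoff = now - timedelta(days=self.retention_days)
        removed = 0
        while self.entries and datetime.fromisoformat(self.entries[0]["ts"]) < cutoff:
            self._genesis = hashlib.sha256(self._body(self.entries.pop(0))).hexdigest()
            removed += 1
        return removed

    def query(self, tenant, start=None, end=None, **filters):
        """Customer-facing view: always scoped to one tenant; optional filters
        by date range and by exact match on actor, source_ip, action or kind."""
        out = []
        for e in self.entries:
            if e["tenant"] != tenant:
                continue
            ts = datetime.fromisoformat(e["ts"])
            if (start and ts < start) or (end and ts > end):
                continue
            if any(e.get(k) != v for k, v in filters.items()):
                continue
            out.append({k: e[k] for k in ("seq", "kind", "actor", "action", "source_ip", "ts")})
        return out


def demo():
    """Constructed walk-through: retention purge, tenant-scoped query, tamper detection."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    log = TamperEvidentLog(key=b"constructed-demo-key", retention_days=395)  # ~13 months
    log.append("auth", "acme", "alice", "login.success", "203.0.113.5", now - timedelta(days=400))
    log.append("auth", "acme", "alice", "login.failure", "203.0.113.5", now - timedelta(days=10))
    log.append("auth", "globex", "bob", "login.success", "198.51.100.7", now - timedelta(days=5))
    log.append("auth", "acme", "carol", "login.success", "203.0.113.9", now - timedelta(days=1))
    results = {"intact": log.verify()[0]}
    results["purged"] = log.purge_expired(now)                    # the 400-day-old entry goes
    results["intact_after_purge"] = log.verify()[0]
    results["acme_events"] = [e["seq"] for e in log.query("acme")]
    results["acme_alice"] = [e["seq"] for e in log.query("acme", actor="alice")]
    results["globex_events"] = [e["seq"] for e in log.query("globex")]  # never sees acme
    log.entries[0]["action"] = "login.success"                   # simulate tampering at rest
    results["tamper_detected_at"] = log.verify()[1]
    return results


if __name__ == "__main__":
    print(demo())
```

A real deployment would keep one such chain per log type (so the shorter authorization retention in Example Response 3 does not break the authentication chain), hold the HMAC key outside the database the logs live in, and periodically ship the latest chain hash to a separate WORM store or ticketing record so that an attacker with database write access cannot silently rebuild the chain. The tenant filter in `query` is applied before any caller-supplied filter, which is what makes the customer-facing API safe to expose with per-customer credentials.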

Context

Tab: Product
Category: Authentication, Authorization, and Account Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub