Log Management Policy

Digital Iceland Log Management Policy

1. Purpose

The purpose of the Digital Iceland log management policy is to ensure proper logging practices are followed within our infrastructure, with a focus on minimizing logging and storage of personally identifiable information (PII), ensuring the availability and integrity of log data for audit and security purposes, and setting rationalized retention periods for logs.

This policy shall be aligned with relevant data protection and legal requirements, such as privacy laws and laws for retention of public records. It shall also align with Digital Iceland’s Information Security Policy and Privacy Policy and ensure that sufficient data is available to investigate potential security breaches and incidents.

2. Scope

This policy applies to all logs generated within the Digital Iceland infrastructure and applications developed and operated for Digital Iceland. These logs can include activities performed by end users (citizens), administrators and developers, as well as automated system functions. Various types of logs are covered by this policy:

  • Application Logs created by user interaction with the system (e.g. error messages, execution flows, user activities)

  • System Logs generated by various parts of the infrastructure (e.g. process execution logs and system-level events)

  • Access Logs (e.g. API activity, CloudTrail logs)

  • Security Logs (e.g. firewalls, IDS, security-related events)

  • Network Logs (e.g. network traffic logs, incoming/outgoing requests, latency)

  • Audit Logs (e.g. user actions, changes in infrastructure configuration, user permissions and administrative actions)

  • Database Logs (e.g. DB activities, query performance, DB connections and errors)

3. Processing of Personally Identifiable Information (PII)

PII is defined as all data that can be directly or (easily) indirectly linked to a natural person, such as names, national ID numbers (kennitala), addresses, phone numbers, usernames and email addresses.

  1. Minimize the use of PII in all logs as far as possible:

    • PII should never be logged in application logs and only in audit logs when a clear business need is approved by Digital Iceland management. This should minimize the amount of PII present in logs.

    • If some PII must be logged, and this has been approved by Digital Iceland, the logging should use a structured approach that clearly identifies the type of data being recorded, to allow for easier detection and processing.

    • When PII is logged and is no longer needed for that specific purpose, the data shall be anonymized by removing all PII elements from the records.

    • When logs are displayed to others who do not have a specific need for PII, that data shall be redacted/masked.

  2. Data Storage and transfer:

    • Logs must be stored separately from the operational environment, with protections in place to prevent any modifications by system operators or unauthorized actors.

    • All logs must be encrypted in transfer/view and at rest using industry best practices.

    • Controls must be in place to ensure the integrity and immutability of the logs through the entire life cycle of the logs.

  3. Access Control:

    • Only authorized personnel should have access to logs. Strict role-based access controls (RBAC) should be implemented to limit who can view or query logs.

    • Requests for log queries that contain PII data shall be approved by Digital Iceland’s CTO and Cybersecurity Officer.

    • Logs containing potentially sensitive PII should be accessible only by security and compliance teams, i.e. Digital Iceland CTO and Cybersecurity Officer (see further: https://www.althingi.is/lagas/nuna/2018090.html).

4. Log Retention Policy

  1. Retention Period:

    • Logs should be retained only for the minimum time required for operational, security, and compliance needs.

    • Default retention periods:

      • Security and Audit Logs: Retain for 84 months (7 years) for compliance with security auditing and investigation.

      • Application and System Logs generated by end-user activity: Retain for 90 days.

      • Network and Database Logs: Retain for 6 months unless otherwise required by specific regulations or operational needs.

  2. Automatic Log Deletion:

    • Configure automated log deletion to ensure logs exceeding their retention period are purged from storage systems.

    • Use lifecycle management policies (e.g., S3 lifecycle rules) to automatically delete or archive old logs.

5. Security of Log Storage

  1. Secure Log Storage:

    • Logs must be stored in secured, access-controlled systems (e.g., AWS CloudWatch Logs, Azure Monitor) with encryption at rest.

    • Access to logs must be logged and made available for review and investigations as needed.

    • Permanent deletion or overwrite of logs shall be logged.

  2. Backup and Disaster Recovery:

    • Logs essential for incident response and disaster recovery must be securely backed up, subject to the same retention and access policies as the primary location.

6. Monitoring and Audit of Logs

  1. Continuous Monitoring:

    • Implement monitoring of logging infrastructure to detect any breaches, unauthorized access, or attempts to log sensitive data.

    • Log integrity monitoring should be in place to ensure logs are not tampered with.

  2. Regular Audits:

    • Annual audits will be performed to ensure compliance with the log management policy, particularly in relation to PII handling and retention.

  3. Anomalous Logging Detection:

    • Automated tools should be used to detect abnormal logging and storage behavior, such as logging large amounts of sensitive data or excessive retention.

7. Compliance with Regulations

  1. GDPR Compliance:

  2. Incident Response:

    • In case of accidental logging of PII, the scope and reach of the data collection shall be investigated. Based on that analysis, Digital Iceland management shall decide whether the people in question should be notified and, as needed, formally report the incident to the Data Protection Authority. Based on the management decision, data can be purged. See Digital Iceland’s privacy policy for reporting and handling of incidents involving PII.

8. Review and Amendments

  1. Policy Review:

    • This policy is reviewed whenever needed or when there are significant changes to logging requirements, cloud architecture, or regulatory standards.

    • Any amendments to the policy will be communicated to all relevant stakeholders.
