Log Management Policy
Digital Iceland Log Management Policy
1. Purpose
The purpose of this policy is to document proper logging practices and ensure they are followed in Digital Iceland’s infrastructure and applications. The goal is to ensure the availability, retention, integrity and evidentiary value of log data for troubleshooting, audit and security purposes, and to set appropriate retention periods, access restrictions and storage requirements for logs so that they comply with relevant data protection laws and other legal requirements.
2. Scope
This policy applies to all logs generated within the Digital Iceland infrastructure and applications developed and operated for Digital Iceland. This includes logs for activities performed by end-users, administrators and developers as well as automated system functions.
3. Definitions
Logs: Logs are time-stamped records generated by IT systems that capture events, transactions, errors, and state changes for security monitoring, troubleshooting, compliance, and operational analysis.
Application Logs: Logs created by user interaction with the application or by automated processes in the application (e.g. error messages, execution flows, user activities), primarily used for confirming or troubleshooting the correct function of the application and not for security or audit purposes.
Audit Logs: Tamper-resistant records of events that track who accessed what resources, when, and what actions were performed, used for compliance, accountability and security investigations.
Infrastructure Logs: Logs generated by the infrastructure that hosts the Digital Iceland services and applications.
Personally Identifiable Information (PII): Any data that can be used, alone or with other data, to identify, contact, or locate a specific individual, ranging from basic details like a National ID number (kennitala), name, phone number or address to highly sensitive data such as biometrics, health-related or financial information.
Hot Storage: Storage infrastructure for logs that is highly available, in the sense that users with appropriate permissions can search and interact with the logs with a reasonably quick response time. Usually considerably more expensive than cold storage.
Cold Storage: Storage infrastructure for logs that is not highly available, in the sense that additional action is required to make the logs searchable with a reasonably quick response time, such as re-ingesting them into Hot Storage. Usually considerably more cost effective than hot storage.
Access-Controlled System: A system that authenticates users, enforces authorization rules to restrict who can access which resources, and keeps an Audit Log of access and system interactions.
Encryption at rest: Encryption of data while stored on physical media (disks, databases, backups), including cloud storage, to protect against unauthorized access if storage devices are compromised or stolen.
TLS: Transport Layer Security. A cryptographic protocol securing internet communications, like browsing (HTTPS), email, and messaging, by encrypting data to ensure privacy, integrity, and authentication, preventing eavesdropping and tampering.
4. Roles and Responsibilities
Digital Iceland CTO (Tækni- og þróunarstjóri): Within the scope of this policy, responsible for approving access to logs in place of the CISO when the CISO is unavailable.
Digital Iceland CISO (UT og öryggisstjóri): Within the scope of this policy, the final authority on security- and compliance-related access decisions, and responsible, with the CTO as backup, for approving access to logs.
Data Protection Authority (Persónuvernd): Compliance controller in the execution of this policy and data protection of Digital Iceland, as per regulation 90/2018: Lög um persónuvernd og vinnslu persónuupplýsinga.
Data Protection Officer (Persónuverndarfulltrúi): Point of contact for data protection matters as per Digital Iceland’s Privacy Policy.
National Archive of Iceland: Archival controller, responsible for archiving in the execution of this policy and for the storage of Digital Iceland records, as per regulation 77:2014: Lög um opinber skjalasöfn.
5. Compliance and regulations
Logs can inherently contain sensitive information, especially for a platform like Digital Iceland that, due to its role, must process Personally Identifiable Information. The platform, the infrastructure it is hosted on and all the application components the platform is composed of adhere to 90/2018: Lög um persónuvernd og vinnslu persónuupplýsinga and/or other applicable regulations at all times.
6. Storage and archive requirements
As Digital Iceland is under the Ministry of Finance and Economic Affairs it must, generally, preserve all information that constitutes official records related to the execution of its legal duties as per 77:2014: Lög um opinber skjalasöfn and be prepared to deliver said information to the National Archives of Iceland (Þjóðskjalasafn) for posterity.
As per the aforementioned regulation, Digital Iceland is required to safekeep all logs that record the execution of Digital Iceland’s duties and is only allowed to delete its records once the data has been securely handed over to the National Archives of Iceland or with express confirmation from the National Archives that the data can be deleted, with one exception (see section 6.2 Modification and deletion). Handover to the National Archives should be done no later than when the data is 5 years old, to be compliant with 77:2014: Lög um opinber skjalasöfn.
6.1 Retention
Logs should be offloaded from expensive indexed systems (Hot Storage) and put into more cost effective cold storage as soon as is prudent while remaining appropriately accessible for the execution of Digital Iceland's duties and responsibilities as per applicable regulations.
Audit Logs can be kept in hot storage for up to 1 year, after which they should be offloaded to cold storage, provided they do not form part of an active investigation, legal hold or archival obligation. Thereafter, it must be possible to re-ingest older logs into hot storage for lawful and compliant investigations and for responding to legal inquiries, limited to the regulatory duties of Digital Iceland.
Application Logs that are only useful for technical troubleshooting and are not the official record of the execution of Digital Iceland’s duties and responsibilities can be deleted after 1 year.
6.2 Modification and deletion
As per 90/2018: Lög um persónuvernd og vinnslu persónuupplýsinga, logs and records containing PII must be reliably accurate and be updated or deleted as needed. Should inaccurate or inappropriate PII be discovered in logs, the finding should be well documented and express permission requested from the Digital Iceland CISO or Digital Iceland CTO before proceeding with modification (to correct an error) or deletion, pursuant to compliance with applicable laws. All such approvals and actions must be documented and retained as part of the audit trail.
Under no other circumstances should logs be modified, and logs may otherwise be deleted only with reference to the requirements set forth in 77:2014: Lög um opinber skjalasöfn.
7. Security and access considerations
Logs must be stored in secure, access-controlled systems with encryption at rest. If needed in order to fulfil this or other requirements of this policy, logs may be stored in an environment fully separate from the environment generating the logs.
Data communication containing logs should always be encrypted in transit with TLS 1.3 or better.
Application Logs may be accessible on an ongoing basis to authenticated developers who have been approved for such access by the Digital Iceland CISO and/or Digital Iceland CTO.
Infrastructure Logs may be accessible on an ongoing basis to authenticated DevOps Engineers who have been approved for such access by the Digital Iceland CISO and/or Digital Iceland CTO.
DevOps Engineers furthermore may have access to Audit Logs and Application Logs that contain PII in order to service legitimate requests for access to that information.
Each individual access request to Audit Logs, or to Infrastructure or Application Logs that contain PII, requires explicit permission from the Digital Iceland CISO or Digital Iceland CTO before proceeding. Only in an emergency (such as a time-sensitive inquiry related to a security incident or police investigation) can this explicit permission be waived, in which case the Digital Iceland CISO and Digital Iceland CTO are notified after the fact.
In case of disagreement, the Digital Iceland CISO has final authority on security- and compliance related access decisions.
7.1 Tamper-proof audit log and decision record
Access to logs must itself be logged (an audit log of access to logs) in a tamper-proof audit log that is append-only and protected against modification or deletion. This log needs to include events of access to, modification of and deletion of log data.
Additionally, a system and procedure need to be in place to ensure an accurate record of requests for access to, modification of or deletion of logs: the requests themselves, any edits to the requests, the actions performed, and the approvals from the Digital Iceland CISO or Digital Iceland CTO. This record needs to be kept for traceability purposes and can be cross-referenced with the tamper-proof audit log of access to logs to get a full understanding of the decisions and actions taken.
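An added illustration, not part of the policy, of the append-only, tamper-evident audit log described above: every entry commits to the hash of the previous entry, so editing, deleting or reordering any earlier entry is detected when the chain is verified. The field names and the in-memory list are assumptions; in practice the chain is written to append-only or WORM storage, since hash chaining makes tampering detectable rather than impossible.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical hash-chained audit log of access to logs (added example).
# Each entry commits to the hash of the previous entry, so editing, deleting
# or reordering an earlier entry breaks verification of every later entry.
GENESIS = "0" * 64  # prev_hash of the first entry


def _entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) keeps the hash deterministic.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_event(chain: list, actor: str, action: str, target: str,
                 approver: str, ts: str = "") -> dict:
    """Append one access/modify/delete event to the in-memory chain."""
    entry = {
        "seq": len(chain),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,      # "access", "modify" or "delete"
        "target": target,      # which log or record was touched
        "approver": approver,  # CISO/CTO approval reference, "" for emergency access
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    entry["hash"] = _entry_hash(entry)  # covers every field above, including prev_hash
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Walk the chain; return (True, None) or (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry.get("seq") != i or body.get("prev_hash") != prev
                or _entry_hash(body) != entry.get("hash")):
            return False, i
        prev = entry["hash"]
    return True, None


if __name__ == "__main__":
    log = []
    append_event(log, "devops1", "access", "audit-log/2024-03", "CISO-REQ-0001")
    append_event(log, "devops1", "delete", "app-log/2023-01", "CTO-REQ-0002")
    print(verify_chain(log))           # (True, None)
    log[0]["actor"] = "someone-else"   # tamper with the first entry
    print(verify_chain(log))           # (False, 0)
```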
8. Data Minimization
As per 90/2018: Lög um persónuvernd og vinnslu persónuupplýsinga, the PII collected should be only what is necessary for the execution of Digital Iceland’s duties. Recording of PII in logs should therefore be kept to the essentials for any given record. PII should also be kept in its sensitive, identifiable form only for as long as necessary and, where possible, can be obfuscated (or hashed).
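An added example, not from the policy, of the obfuscation mentioned above: kennitala values in log lines are replaced with a keyed hash (HMAC) so the same person maps to the same pseudonym across lines, which keeps troubleshooting possible while the identifier itself is never stored. The regex, key handling and sample line are assumptions; the key must be kept outside the log platform, because an unkeyed hash of a ten-digit identifier is not a safe pseudonym.

```python
import hashlib
import hmac
import re

# Constructed pattern for an Icelandic kennitala: six digits, optional hyphen,
# four digits (DDMMYY-NNNN). Tune it to the log formats actually in use; as
# written it also matches any other 10-digit number written the same way.
KENNITALA_RE = re.compile(r"\b(\d{6})-?(\d{4})\b")


def pseudonymize_kennitala(kennitala: str, key: bytes) -> str:
    """Keyed hash of the normalised (hyphen-free) kennitala, truncated to 64 bits."""
    digits = kennitala.replace("-", "")
    # HMAC with a secret key rather than a bare hash: the key stays outside the
    # log platform, so log readers cannot recompute tokens for known identifiers.
    return "kt:" + hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_line(line: str, key: bytes) -> str:
    """Replace every kennitala in a log line with its stable pseudonym."""
    return KENNITALA_RE.sub(lambda m: pseudonymize_kennitala(m.group(0), key), line)


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-out-of-logs"
    # Constructed sample line; the kennitala is made up.
    raw = "2024-03-01T10:00:00Z user=120380-4569 action=login result=ok"
    print(scrub_line(raw, key))
```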
9. Approval, review and amendments of this policy
This policy is reviewed annually, and also whenever there are significant changes to regulatory requirements, logging standards or infrastructure architecture; it is updated as needed and any changes are communicated to stakeholders. This policy in its entirety and any subsequent changes must be approved by the Digital Iceland CISO or Digital Iceland CTO.