Steps for preserving the integrity of log data

Computerworld - In the past few years, companies have spent billions of dollars to update their IT infrastructures to meet requirements from various government regulations such as Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act.
One of the more noticeable and most important recommendations of these regulations is record-keeping. For example, Sarbanes-Oxley recommends that all companies "maintain financial records for seven years." In order to ensure the accuracy of corporate financial and business information, this recommendation also pertains to records that are used to "audit unauthorized access, misuse and fraud." Other regulations such as HIPAA also recommend keeping records for up to six years.
Altered log data prohibits court admissibility
The integrity of information is crucial when submitting evidence to the court. Just like crime-scene evidence, which prosecutors must prove hasn't been tampered with, electronic data submitted to the court must adhere to the same stringent requirements. As such, log data generated by the IT infrastructure also has to be archived in its original and unaltered format.
Reports generated from the logs are usually insufficient to convince the other side (defense or prosecution) that they haven't been tampered with. Lawyers from either side may question the accuracy of the reports and will want to perform their own analyses. For example, if you claim that someone has sent out data from the Sarbanes-Oxley-related financial servers, how do you substantiate that claim? Tampered data can't be used as evidence to prove your claim. In these scenarios, unaltered logs have to be provided.
In addition to the unaltered logs, evidence may be needed to prove that the logs weren't tampered with. Some companies have chosen to digitally sign the log files collected and then keep the digital signatures at a location separate from the logs. Others have chosen to store logs on WORM (write once, read many) drives such as CD-ROM/DVD-ROM or storage devices such as EMC Corp.'s Centera. Both processes ensure that tampering of logs can be detected or prevented.
Documented collection processes enable trust
But why would the court or the auditors trust the archived unaltered logs? Auditors are always looking to see whether the log data can be tampered with or modified at any point during the collection process. Was the transport encrypted over the WAN to ensure confidentiality? Were the logs signed during transmission to ensure integrity? What programs or processes handled these logs during the collection process? Are these programs or processes clearly documented to ensure that no fake data was injected into the stream?